Policy enforcement based on dynamically attribute-based matched network objects

US 9,537,891 B1
Filed: 12/20/2013
Issued: 01/03/2017
Est. Priority Date: 09/27/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive a policy that includes an address group object, wherein the address group object abstracts a set of computing assets;

compile the policy into a set of one or more rules, at least in part by substituting, for the address group object, a set of one or more IP addresses of computing assets determined to be members of an address group corresponding to the address group object, wherein determining the members of the address group includes querying a set of one or more repositories of computing asset information using a set of match criteria, wherein at least one criterion in the set of match criteria pertains to a characteristic of a computing asset;

determine, based at least in part on a detected change to the address group, that at least one rule included in the set of rules should be recompiled;

in response to the determination, perform a recompilation, including by substituting a first IP address in an out-of-date rule for a second IP address to create an updated rule; and

enforce the updated rule at least one rule; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A policy that includes an address group is received. The policy is compiled into a set of one or more rules. The compiling is performed at least in part by determining members of the address group. The compiling can further include substituting one or more IP addresses of the members for the address group. At least one rule included in the set of rules is enforced.

47 Citations

View as Search Results

18 Claims

1. A system, comprising:
- a processor configured to;
  
  receive a policy that includes an address group object, wherein the address group object abstracts a set of computing assets;
  
  compile the policy into a set of one or more rules, at least in part by substituting, for the address group object, a set of one or more IP addresses of computing assets determined to be members of an address group corresponding to the address group object, wherein determining the members of the address group includes querying a set of one or more repositories of computing asset information using a set of match criteria, wherein at least one criterion in the set of match criteria pertains to a characteristic of a computing asset;
  
  determine, based at least in part on a detected change to the address group, that at least one rule included in the set of rules should be recompiled;
  
  in response to the determination, perform a recompilation, including by substituting a first IP address in an out-of-date rule for a second IP address to create an updated rule; and
  
  enforce the updated rule at least one rule; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1 wherein at least one match criterion included in the set of match criteria comprises a tag associated with an asset included in the set of computing assets.
  - 3. The system of claim 2 wherein the tag is associated with a color.
  - 4. The system of claim 1 wherein at least one computing asset included in the address group is manually enumerated.
  - 5. The system of claim 1 wherein the determination is made in response to a provisioning event, in which an additional computing asset is included in the address group.
  - 6. The system of claim 1 wherein the determination is made in response to a migration event, in which an IP address of an existing member of the address group is changed.

7. A method, comprising:
- receiving a policy that includes an address group object, wherein the address group object abstracts a set of computing assets;
  
  compiling the policy into a set of one or more rules, at least in part by substituting, for the address group object, a set of one or more IP addresses of computing assets determined to be members of an address group corresponding to the address group object, wherein determining the members of the address group includes querying a set of one or more repositories of computing asset information using a set of match criteria, wherein at least one criterion in the set of match criteria pertains to a characteristic of a computing asset;
  
  determining, based at least in part on a detected change to the address group, that at least one rule included in the set of rules should be recompiled;
  
  in response to the determination, performing a recompilation, including by substituting a first IP address in an out-of-date rule for a second IP address to create an updated rule; and
  
  enforcing the updated rule.
- View Dependent Claims (8, 9, 11, 12, 13)
- - 8. The method of claim 7 wherein the determination is made in response to a provisioning event, in which an additional computing asset is included in the address group.
  - 9. The method of claim 7 wherein the determination is made in response to a migration event, in which an IP address of an existing member of the address group is changed.
  - 11. The method of claim 7 wherein at least one match criterion included in the set of match criteria comprises a tag associated with an asset included in the set of computing assets.
  - 12. The method of claim 11 wherein the tag is associated with a color.
  - 13. The method of claim 11 wherein at least one computing asset included in the address group is manually enumerated.

10. A computer program product embodied in a tangible computer readable storage medium and comprising computer instructions for:
- receiving a policy that includes an address group object, wherein the address group object abstracts a set of computing assets;
  
  compiling the policy into a set of one or more rules, at least in part by substituting, for the address group object, a set of one or more IP addresses of computing assets determined to be members of an address group corresponding to the address group object, wherein determining the members of the address group includes querying a set of one or more repositories of computing asset information using a set of match criteria, wherein at least one criterion in the set of match criteria pertains to a characteristic of a computing asset;
  
  determining, based at least in part on a detected change to the address group, that at least one rule included in the set of rules should be recompiled;
  
  in response to the determination, performing a recompilation, including by substituting a first IP address in an out-of-date rule for a second IP address to create an updated rule; and
  
  enforcing the updated rule.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product of claim 10 wherein at least one match criterion included in the set of match criteria comprises a tag associated with an asset included in the set of computing assets.
  - 15. The computer program product of claim 14 wherein the tag is associated with a color.
  - 16. The computer program product of claim 10 wherein at least one computing asset included in the address group is manually enumerated.
  - 17. The computer program product of claim 10 wherein the determination is made in response to a provisioning event, in which an additional computing asset is included in the address group.
  - 18. The computer program product of claim 10 wherein the determination is made in response to a migration event, in which an IP address of an existing member of the address group is changed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Fitz-Gerald, Jeffrey, Walter, Martin
Primary Examiner(s)
Nguyen, Dustin

Application Number

US14/137,718
Time in Patent Office

1,110 Days
Field of Search

709/229, 709/236, 709/225, 709/249, 726/1, 726/11, 726/3, 726/9, 726/25, 707/102, 705/36, 705/6.36
US Class Current

1/1
CPC Class Codes

H04L 61/45   Network directories; Name-t...

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5076   Update or notification mech...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Policy enforcement based on dynamically attribute-based matched network objects

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Policy enforcement based on dynamically attribute-based matched network objects

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links