Policy enforcement in a virtualized environment

US 9,619,260 B2
Filed: 04/02/2015
Issued: 04/11/2017
Est. Priority Date: 06/20/2012
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

receive a rule to be applied to network traffic associated with members of a dynamic address group;

receive virtual machine information associated with a first virtual machine instance executing on a host machine;

determine, based at least in part on at least a portion of the received virtual machine information, that the first virtual machine instance belongs to the dynamic address group;

in response to the determination, apply the rule to network traffic associated with the first virtual machine instance;

at a time subsequent to applying the rule to network traffic associated with the first virtual machine instance, determine that the rule should be recompiled into a recompiled rule, at least in part based on a change to membership in the dynamic address group, wherein the change to membership includes at least one of;

(1) an addition of an additional virtual machine instance to the dynamic address group; and

(2) a removal of the first virtual machine instance from the dynamic address group; and

in the event the change to the membership in the dynamic address group includes the addition of the additional virtual machine instance to the dynamic address group, applying the recompiled rule to network traffic associated with additional virtual machine instance; and

in the event the change to the membership in the dynamic address group includes removal of the first virtual machine instance from the dynamic address group, not applying the recompiled rule to network traffic associated with the first virtual machine instance; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Policy enforcement in an environment that includes virtualized systems is disclosed. Virtual machine information associated with a first virtual machine instance executing on a host machine is received. The information can be received from a variety of sources, including an agent, a log server, and a management infrastructure associated with the host machine. A policy is applied based at least in part on the received virtual machine information.

Citations

19 Claims

1. A system, comprising:
- a processor configured to;
  
  receive a rule to be applied to network traffic associated with members of a dynamic address group;
  
  receive virtual machine information associated with a first virtual machine instance executing on a host machine;
  
  determine, based at least in part on at least a portion of the received virtual machine information, that the first virtual machine instance belongs to the dynamic address group;
  
  in response to the determination, apply the rule to network traffic associated with the first virtual machine instance;
  
  at a time subsequent to applying the rule to network traffic associated with the first virtual machine instance, determine that the rule should be recompiled into a recompiled rule, at least in part based on a change to membership in the dynamic address group, wherein the change to membership includes at least one of;
  
  (1) an addition of an additional virtual machine instance to the dynamic address group; and
  
  (2) a removal of the first virtual machine instance from the dynamic address group; and
  
  in the event the change to the membership in the dynamic address group includes the addition of the additional virtual machine instance to the dynamic address group, applying the recompiled rule to network traffic associated with additional virtual machine instance; and
  
  in the event the change to the membership in the dynamic address group includes removal of the first virtual machine instance from the dynamic address group, not applying the recompiled rule to network traffic associated with the first virtual machine instance; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1 wherein the virtual machine information is received from an agent.
  - 3. The system of claim 1 wherein the virtual machine information is received from a log server.
  - 4. The system of claim 1 wherein the virtual machine information is received from a management infrastructure associated with the host machine.
  - 5. The system of claim 1 wherein the virtual machine information is received indirectly from the host machine.
  - 6. The system of claim 1 wherein the processor is further configured to compile the rule at least in part by substituting a dynamic group address object with an IP address of the first virtual machine instance.
  - 7. The system of claim 1 wherein the processor is further configured to compile the rule at least in part by substituting a dynamic group address object with a set of IP addresses, wherein the set of IP addresses includes an IP address of the first virtual machine instance.
  - 8. The system of claim 1 wherein the processor is further configured to compile the rule at least in part by substituting a dynamic group address object with a range of IP addresses, wherein the range of IP addresses encompasses an IP address of the first virtual machine instance.
  - 9. The system of claim 1 wherein the processor is further configured to determine that the first virtual machine instance is implicated in the policy at least in part by applying a filter.
  - 10. The system of claim 9 wherein the filter comprises an attribute included in the virtual machine information.
  - 11. The system of claim 1 wherein the processor is further configured to receive updated virtual machine information and determine that a change associated with the first virtual machine instance has occurred.
  - 12. The system of claim 11 wherein the host machine is a first host machine and wherein the updated information indicates that the first virtual machine instance has migrated from executing on the first host machine to executing on a second host machine.
  - 13. The system of claim 11 wherein the updated information indicates that an IP address of the first virtual machine instance has changed.

14. A method, comprising:
- receiving a rule to be applied to network traffic associated with members of a dynamic address object group;
  
  receiving virtual machine information associated with a first virtual machine instance executing on a host machine;
  
  determining, based at least in part on at least a portion of the received virtual machine information, that the first virtual machine instance belongs to the dynamic address group;
  
  in response to the determination, applying the rule to network traffic associated with the first virtual machine instance;
  
  at a time subsequent to applying the rule to network traffic associated with the first virtual machine instance, determining that the rule should be recompiled into a recompiled rule, at least in part based on a change to membership in the dynamic address group, wherein the change to membership includes at least one of;
  
  (1) an addition of an additional virtual machine instance to the dynamic address group; and
  
  (2) a removal of the first virtual machine instance from the dynamic address group; and
  
  in the event the change to the membership in the dynamic address group includes the addition of the additional virtual machine instance to the dynamic address group, applying the recompiled rule to network traffic associated with additional virtual machine instance; and
  
  in the event the change to the membership in the dynamic address group includes removal of the first virtual machine instance from the dynamic address group, not applying the recompiled rule to network traffic associated with the first virtual machine instance.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14 wherein compiling the rule includes substituting a dynamic group address object with a set of IP addresses, wherein the set of IP addresses includes an IP address of the first virtual machine instance.
  - 16. The method of claim 14 further comprising determining whether a rule associated with the first virtual machine instance should be recompiled.
  - 17. The method of claim 14 further comprising receiving updated virtual machine information and determining that a change associated with the first virtual machine instance has occurred.
  - 18. The method of claim 17 wherein the host machine is a first host machine and wherein the updated information indicates that the first virtual machine instance has migrated from executing on the first host machine to executing on a second host machine.

19. A computer program product embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
- receiving a rule to be applied to network traffic associated with members of a dynamic address object group;
  
  receiving virtual machine information associated with a first virtual machine instance executing on a host machine;
  
  determining, based at least in part on at least a portion of the received virtual machine information, that the first virtual machine instance belongs to the dynamic address group; and
  
  in response to the determination, applying the rule to network traffic associated with the first virtual machine instance;
  
  at a time subsequent to applying the rule to network traffic associated with the first virtual machine instance, determining that the rule should be recompiled into a recompiled rule, at least in part based on a change to membership in the dynamic address group, wherein the change to membership includes at least one of;
  
  (1) an addition of an additional virtual machine instance to the dynamic address group; and
  
  (2) a removal of the first virtual machine instance from the dynamic address group; and
  
  in the event the change to the membership in the dynamic address group includes the addition of the additional virtual machine instance to the dynamic address group, applying the recompiled rule to network traffic associated with additional virtual machine instance; and
  
  in the event the change to the membership in the dynamic address group includes removal of the first virtual machine instance from the dynamic address group, not applying the recompiled rule to network traffic associated with the first virtual machine instance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Wang, Song, Walter, Martin, Jin, Zhipu, Xu, Wilson
Primary Examiner(s)
Tang, Kenneth

Application Number

US14/677,858
Publication Number

US 20150277943A1
Time in Patent Office

740 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

Policy enforcement in a virtualized environment

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Policy enforcement in a virtualized environment

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links