System and method for redirected firewall discovery in a network environment
First Claim
1. A method for redirected firewall discovery, the method comprising:
- transmitting a network flow from a source node to a first firewall;
- transmitting, from the source node to a second firewall, metadata associated with the network flow;
- receiving, from the first firewall at the source node, a discovery redirect including information identifying the first firewall; and
- in response to receiving the discovery redirect, transmitting the metadata from the source node to the first firewall, the metadata associated with a network policy applicable to the network flow at the first firewall.
Abstract
A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.
20 Claims
1. A method for redirected firewall discovery, the method comprising:
- transmitting a network flow from a source node to a first firewall;
- transmitting, from the source node to a second firewall, metadata associated with the network flow;
- receiving, from the first firewall at the source node, a discovery redirect including information identifying the first firewall; and
- in response to receiving the discovery redirect, transmitting the metadata from the source node to the first firewall, the metadata associated with a network policy applicable to the network flow at the first firewall.
Dependent claims: 2, 3, 4, 5
6. A source node for redirected firewall discovery, the source node comprising:
- an interface that transmits a network flow to a first firewall and transmits, to a second firewall, metadata associated with the network flow, wherein the interface receives, from the first firewall, a discovery redirect including information identifying the first firewall, and the interface is configured to transmit, in response to receiving the discovery redirect, the metadata to the first firewall, the metadata associated with a network policy applicable to the network flow at the first firewall.
Dependent claims: 7, 8, 9, 10
11. A method implemented by a firewall, the method comprising:
- intercepting, at the firewall, a connection establishing packet of a network flow received over a network environment from a source node;
- determining whether the firewall has metadata associated with the network flow in a metadata cache of the firewall;
- in response to determining that the firewall does not have the metadata, transmitting, from the firewall to the source node, a discovery redirect including information to allow the source node to identify the firewall; and
- receiving, at the firewall from the source node, the metadata, after the transmitting the discovery redirect to the source node.
Dependent claims: 12, 13, 14, 15
16. An apparatus that implements a firewall, the apparatus comprising:
- an interface that intercepts a connection establishing packet of a network flow received over a network environment from a source node; and
- a processor that determines whether the firewall has metadata associated with the network flow in a metadata cache of the firewall, wherein the interface transmits, in response to a determination that the firewall does not have the metadata, a discovery redirect to the source node, the discovery redirect including information to allow the source node to identify the firewall, and the interface receives, from the source node, the metadata, after transmitting the discovery redirect to the source node.
Dependent claims: 17, 18, 19, 20
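The exchange described by claims 1 and 11, simulated end to end as an added example (this is not the patent's implementation or any vendor's code). It assumes a flow is keyed by its 5-tuple, that metadata carries a user and an application name, that the firewall's policy is a constructed application-to-action table that fails closed for unknown applications, and that the source node resolves the firewall identifier in a redirect through a small local directory; all of those are assumptions for illustration. The scenario shows the host first sending metadata to the wrong firewall, the on-path firewall holding the connection and issuing a discovery redirect, the host re-sending metadata to the firewall named in the redirect, and a later SYN on the same flow being decided straight from the metadata cache without any redirect.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# A network flow is identified by its 5-tuple: (src_ip, src_port, dst_ip, dst_port, proto)
FlowKey = Tuple[str, int, str, int, str]


@dataclass(frozen=True)
class Metadata:
    """Host-side context the firewall cannot read from the packets (hypothetical fields)."""
    user: str
    application: str


@dataclass(frozen=True)
class DiscoveryRedirect:
    """Reply from a firewall holding no metadata for a flow; identifies that firewall to the host."""
    firewall_id: str
    flow: FlowKey


@dataclass
class Firewall:
    firewall_id: str
    policy: Dict[str, str]                 # application name -> "ALLOW" / "DENY" (constructed table)
    default_action: str = "DENY"           # fail closed when metadata names an unknown application
    metadata_cache: Dict[FlowKey, Metadata] = field(default_factory=dict)
    pending: Dict[FlowKey, bool] = field(default_factory=dict)  # flows held while awaiting metadata
    log: List[str] = field(default_factory=list)

    def intercept_syn(self, flow: FlowKey) -> Union[str, DiscoveryRedirect]:
        """Claim 11: intercept the connection-establishing packet and consult the metadata cache."""
        md = self.metadata_cache.get(flow)
        if md is None:
            self.pending[flow] = True
            self.log.append(f"{self.firewall_id}: no metadata for {flow}, sending discovery redirect")
            return DiscoveryRedirect(self.firewall_id, flow)
        return self._decide(md)

    def receive_metadata(self, flow: FlowKey, md: Metadata) -> Optional[str]:
        """Metadata channel: cache the metadata and, if the flow was held, correlate and decide now."""
        self.metadata_cache[flow] = md
        self.log.append(f"{self.firewall_id}: cached metadata for {flow} ({md.user}/{md.application})")
        if self.pending.pop(flow, False):
            return self._decide(md)
        return None

    def _decide(self, md: Metadata) -> str:
        action = self.policy.get(md.application, self.default_action)
        self.log.append(f"{self.firewall_id}: policy for {md.application} -> {action}")
        return action


@dataclass
class SourceNode:
    firewalls: Dict[str, Firewall]  # directory used to resolve the id carried in a redirect (assumed)
    believed_firewall: str          # the firewall the host currently thinks is on its path

    def open_connection(self, flow: FlowKey, md: Metadata, on_path: Firewall) -> Tuple[str, bool]:
        """Claim 1: metadata goes to the believed firewall, the flow to the on-path one; a redirect
        tells the host which firewall really saw the flow. Returns (policy action, redirected?)."""
        self.firewalls[self.believed_firewall].receive_metadata(flow, md)
        result = on_path.intercept_syn(flow)
        if isinstance(result, DiscoveryRedirect):
            # Learn the real firewall from the redirect and resend the metadata there.
            self.believed_firewall = result.firewall_id
            real_fw = self.firewalls[result.firewall_id]
            return real_fw.receive_metadata(flow, md), True
        return result, False


def run_scenario() -> Dict[str, tuple]:
    """Constructed scenario: the host first mis-addresses its metadata, then learns the right firewall."""
    policy = {"ssh-client": "ALLOW", "file-sync": "DENY"}
    fw1 = Firewall("fw-1", policy)   # actually on the data path
    fw2 = Firewall("fw-2", policy)   # where the host initially sends its metadata
    host = SourceNode({"fw-1": fw1, "fw-2": fw2}, believed_firewall="fw-2")

    flow_a: FlowKey = ("10.0.0.5", 51000, "10.0.1.9", 22, "tcp")    # constructed sample flows
    flow_b: FlowKey = ("10.0.0.5", 51001, "10.0.1.9", 443, "tcp")
    return {
        "first_ssh": host.open_connection(flow_a, Metadata("alice", "ssh-client"), fw1),
        # A retransmitted SYN on the same flow: fw-1 now holds cached metadata, so no redirect.
        "retransmit_syn": (fw1.intercept_syn(flow_a), False),
        # The host now believes fw-1; a denied application is refused without any redirect.
        "file_sync": host.open_connection(flow_b, Metadata("alice", "file-sync"), fw1),
    }


if __name__ == "__main__":
    for name, (action, redirected) in run_scenario().items():
        print(f"{name}: action={action} redirected={redirected}")
```

The firewall holds the flow in `pending` rather than forwarding it while metadata is outstanding, and falls back to `default_action` for applications absent from the policy table, so a missing or unrecognised metadata record never results in an implicit allow.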
Specification