System and method for redirected firewall discovery in a network environment
First Claim
1. A method implemented by a firewall, the method comprising:
- receiving a network flow of data including an initial connection packet;
- determining whether the firewall has metadata associated with the network flow in a metadata cache of the firewall;
- blocking the network flow and sending a discovery redirect, if the firewall does not have metadata associated with the network flow in a metadata cache of the firewall, wherein the discovery redirect includes information identifying the firewall;
- receiving, in response to the discovery redirect, the metadata that associates the firewall with the network flow; and
- releasing a connection to a server, responsive to the metadata being received.
Abstract
A method is provided in one example embodiment that includes receiving metadata from a host over a metadata channel. The metadata may be correlated with a network flow and a network policy may be applied to the connection. In other embodiments, a network flow may be received from a host without metadata associated with the flow, and a discovery redirect may be sent to the host. Metadata may then be received and correlated with the flow to identify a network policy action to apply to the flow.
Claims (20 in total; the three independent claims are given below)
1. A method implemented by a firewall (independent claim; text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7.
8. An apparatus that implements a firewall, the apparatus comprising:
- an interface that receives a network flow of data including an initial connection packet, determines whether the firewall has metadata associated with the network flow in a metadata cache of the firewall, sends a discovery redirect if the firewall does not have metadata associated with the network flow in the metadata cache of the firewall, wherein the discovery redirect includes information identifying the firewall, and receives, in response to the discovery redirect, the metadata that associates the firewall with the network flow; and
- a processor configured to block the network flow if the firewall does not have metadata about the network flow in the metadata cache of the firewall, and to release a connection to a server responsive to the metadata being received.
Dependent claims: 9, 10, 11, 12, 13.
14. A non-transitory medium including logic that implements operations for a firewall, the operations comprising:
- receiving a network flow of data including an initial connection packet;
- determining whether the firewall has metadata associated with the network flow in a metadata cache of the firewall;
- blocking the network flow and sending a discovery redirect, if the firewall does not have metadata associated with the network flow in a metadata cache of the firewall, wherein the discovery redirect includes information identifying the firewall;
- receiving, in response to the discovery redirect, the metadata that associates the firewall with the network flow; and
- releasing a connection to a server, responsive to the metadata being received.
Dependent claims: 15, 16, 17, 18, 19, 20.
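The abstract and the independent claims describe one exchange: the firewall sees an initial connection packet, finds no metadata for that flow in its cache, blocks the flow and sends a discovery redirect that names the firewall; the host answers over the metadata channel with metadata bound to that firewall and flow; the firewall caches it, evaluates policy and releases (or denies) the held connection. The simulation below, an added example and not code from the patent or its assignee, plays both sides of that exchange in memory. The claims do not say how the metadata channel is authenticated or how the firewall decides that a metadata record belongs to a flow it actually redirected, so the per-host shared secret, the HMAC binding, the "solicited only" check, the policy rules and all addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# A flow is identified by its 5-tuple: (src_ip, src_port, dst_ip, dst_port, proto).
Flow = tuple


def canonical(meta: dict) -> bytes:
    """Stable byte encoding of a metadata record; used as the HMAC input."""
    return json.dumps(meta, sort_keys=True).encode()


@dataclass
class HostAgent:
    """Endpoint side of the metadata channel: knows which process/user owns each socket."""
    name: str
    key: bytes      # assumed per-host secret shared with the firewall (not in the patent)
    sockets: dict   # constructed sample: flow -> {"user": ..., "process": ...}

    def on_discovery_redirect(self, flow: Flow, firewall_id: str):
        """Answer a redirect with metadata bound to this flow and to the named firewall."""
        meta = {**self.sockets[flow], "flow": list(flow),
                "firewall": firewall_id, "host": self.name}
        mac = hmac.new(self.key, canonical(meta), hashlib.sha256).hexdigest()
        return meta, mac


@dataclass
class Firewall:
    firewall_id: str
    host_keys: dict   # host name -> shared secret (assumed provisioning step)
    policy: list      # ordered (predicate(flow, meta) -> bool, action) rules
    cache: dict = field(default_factory=dict)    # the claims' "metadata cache"
    pending: dict = field(default_factory=dict)  # flows held while a redirect is outstanding

    def on_initial_packet(self, host_name: str, flow: Flow):
        """Cache hit: apply policy. Cache miss: block and send a discovery redirect."""
        if flow in self.cache:
            return self._apply_policy(flow)
        self.pending[flow] = host_name
        redirect = {"type": "discovery_redirect",
                    "firewall": self.firewall_id, "flow": list(flow)}
        return "BLOCK", redirect

    def on_metadata(self, host_name: str, meta: dict, mac: str):
        """Metadata-channel receiver: accept only authentic, correctly bound, solicited records."""
        key = self.host_keys.get(host_name)
        if key is None:
            return "DROP", "unknown host"
        expected = hmac.new(key, canonical(meta), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "DROP", "bad mac"
        if meta.get("firewall") != self.firewall_id or meta.get("host") != host_name:
            return "DROP", "not bound to this firewall/host"
        flow = tuple(meta["flow"])
        if self.pending.get(flow) != host_name:
            return "DROP", "unsolicited metadata"   # never redirected, or already answered
        del self.pending[flow]
        self.cache[flow] = meta
        return self._apply_policy(flow)            # releases or denies the held connection

    def _apply_policy(self, flow: Flow):
        meta = self.cache[flow]
        for predicate, action in self.policy:
            if predicate(flow, meta):
                return action, "policy"
        return "DENY", "default"


def run_scenario() -> dict:
    """Walk one host and one firewall through the exchange; returns the verdict at each step."""
    key = b"constructed-shared-secret"
    fw = Firewall("fw-1", {"host-a": key}, [
        (lambda f, m: f[3] == 22 and m["process"] == "ssh", "ALLOW"),  # only ssh may reach port 22
        (lambda f, m: f[3] == 22, "DENY"),
        (lambda f, m: True, "ALLOW"),
    ])
    ssh_flow = ("10.0.0.5", 51000, "10.0.1.9", 22, "tcp")    # constructed addresses
    curl_flow = ("10.0.0.5", 51001, "10.0.1.9", 22, "tcp")
    host = HostAgent("host-a", key, {
        ssh_flow: {"user": "alice", "process": "ssh"},
        curl_flow: {"user": "alice", "process": "curl"},
    })
    out = {}
    verdict, redirect = fw.on_initial_packet("host-a", ssh_flow)
    out["first_packet"] = verdict                                   # no metadata yet: BLOCK
    meta, mac = host.on_discovery_redirect(ssh_flow, redirect["firewall"])
    out["after_metadata"] = fw.on_metadata("host-a", meta, mac)[0]  # policy releases it: ALLOW
    out["retransmit"] = fw.on_initial_packet("host-a", ssh_flow)[0]  # served from cache, no redirect
    _, redirect2 = fw.on_initial_packet("host-a", curl_flow)
    meta2, mac2 = host.on_discovery_redirect(curl_flow, redirect2["firewall"])
    forged = {**meta2, "process": "ssh"}                             # lie about the process...
    bad_mac = hmac.new(b"not-the-key", canonical(forged), hashlib.sha256).hexdigest()
    out["forged"] = fw.on_metadata("host-a", forged, bad_mac)        # ...rejected: bad mac
    out["replayed"] = fw.on_metadata("host-a", meta, mac)            # valid mac, flow not pending
    out["curl_to_22"] = fw.on_metadata("host-a", meta2, mac2)[0]     # honest metadata: DENY
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The two checks that are not spelled out in the claims carry the security weight: without the MAC a host could supply any process name it likes and obtain whatever policy action that earns, and without the pending-flow check a previously valid record could be replayed to populate the cache for a flow the firewall never redirected.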