Abstract: A personalized firewall or other network gateway is provided by a method of matching a data packet to a rule in a network gateway having a rule base. One or more identification values are determined based on the data packet and property value(s) associated with said one or more identification values are queried and received from a property server. The property value(s) describe for example allowed connections and services for an entity associated with the identification value(s). The property value(s) are compared to at least one rule in the rule base, said at least one rule comprising property value(s) and an action, and the action defined in said at least one rule is taken, if said property value(s) of the rule match corresponding property value(s) associated with said one or more identification values.

Abstract: A method of handling mobile entities in a firewall, wherein a first mobile entity table comprising identifiers of mobile entities, which are active in a firewall, and a second mobile entity table comprising identifiers of mobile entities, which are active in a predefined set of other firewalls and identifiers of corresponding other firewalls, are maintained in the firewall. A new mobile entity, which is not currently active in the firewall, is detected, after which it is found on the basis of the second mobile entity table, if the new mobile entity is currently active in another firewall. If the mobile entity is currently active in another firewall, state information related to the new mobile entity is queried from the another firewall, and stored in the firewall to be used for processing data packets from/to the new mobile entity.

Abstract: The invention provides a centralized VPN management of a plurality of VPN sites by means of a VPN Information Provider (VIP). Management of a VPN device is distributed so that at least part of the VPN configuration is centrally managed without giving away control of the firewall rulebase or other critical local configuration used in the VPN device.

Abstract: A method of filtering a tunneled data packet including an outer header and an outer payload, the outer payload including an inner data packet including an inner header and an inner payload, where the value of at least one outer header field of the tunneled data packet is matched to a first rule, and the action defined in the first rule is taken. Taking the action defined in the first rule includes detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.

Abstract: The invention provides a centralized VPN management of a plurality of VPN sites by means of a VPN Information Provider (VIP). Management of a VPN device is distributed so that at least part of the VPN configuration is centrally managed without giving away control of the firewall rulebase or other critical local configuration used in the VPN device.

Abstract: The invention provides an arrangement for managing a network security application comprising a full management user interface for conducting management operations for the network security application, and a limited management user interface for conducting a limited number of management operations of the full management user interface for the network security application over a wireless remote connection.

Abstract: A method (400, 500, 600, 700) for synchronizing state information in a security gateway cluster comprising at least two nodes comprises the following steps. Synchronizing (403) state information by sending state information from a first node of said at least two nodes, detecting (401) in said security gateway cluster a predetermined irregularly occurring action, and initiating (402) synchronization of state information as a response to said action. The state information is sent to at least a second node of said at least two nodes. Corresponding computer program, computer program product, software entities (910, 920), a node (900) of a security gateway cluster (950) and a security gateway cluster are also presented.

Abstract: A personalized firewall or other network gateway is provided by a method of matching a data packet to a rule in a network gateway having a rule base. One or more identification values are determined (302) on the basis of the data packet and property value(s) associated with said one or more identification values are queried (304) and received from a property server. The property value(s) describe for example allowed connections and services for an entity associated with the identification value(s). The property value(s) are compared (306) to at least one rule in the rule base, said at least one rule comprising property value(s) and an action, and the action defined in said at least one rule is taken (310), if said property value(s) of the rule match corresponding property value(s) associated with said one or more identification values.

Abstract: A method of handling mobile entities in a firewall, wherein a first mobile entity table comprising identifiers of mobile entities, which are active in a firewall, and a second mobile entity table comprising identifiers of mobile entities, which are active in a predefined set of other firewalls and identifiers of corresponding other firewalls, are maintained (400, 402) in the firewall. A new mobile entity, which is not currently active in the firewall, is detected (404), after which it is found on the basis of the second mobile entity table, if the new mobile entity is currently active in another firewall. If the mobile entity is currently active in another firewall, state information related to the new mobile entity is queried (408) from the another firewall, and stored (410) in the firewall to be used for processing data packets from/to the new mobile entity.

Abstract: A method of filtering a tunneled data packet comprising an outer header and an outer payload, the outer payload comprising an inner data packet comprising an inner header and an inner payload, where the value of at least one outer header field of the tunneled data packet is matched to a first rule, and the action defined in the first rule is taken. Taking the action defined in the first rule comprises detecting the inner data packet within the tunneled data packet, matching the value of at least one field of the inner data packet to a second rule, and taking the action defined in the second rule.

Abstract: The invention provides a centralized VPN management of a plurality of VPN sites by means of a VPN Information Provider (VIP). Management of a VPN device is distributed so that at least part of the VPN configuration is centrally managed without giving away control of the firewall rulebase or other critical local configuration used in the VPN device.

Abstract: The invention provides an arrangement for managing a network security application comprising a full management user interface for conducting management operations for the network security application, and a limited management user interface for conducting a limited number of management operations of the full management user interface for the network security application over a wireless remote connection.

Abstract: A method (400, 500, 600, 700) for synchronizing state information in a security gateway cluster comprising at least two nodes comprises the following steps. Synchronizing (403) state information by sending state information from a first node of said at least two nodes, detecting (401) in said security gateway cluster a predetermined irregularly occurring action, and initiating (402) synchronization of state information as a response to said action. The state information is sent to at least a second node of said at least two nodes. Corresponding computer program, computer program product, software entities (910, 920), a node (900) of a security gateway cluster (950) and a security gateway cluster are also presented.