Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: IoT adaptive threat prevention is disclosed. Network traffic received at a security platform is monitored to detect a plurality of IoT device profiles based on the monitored network traffic. A set of signatures for the security platform is received based on the detected plurality of IoT device profiles.

Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.

Abstract: Systems and methods provide for synergistic domain name system DNS security updates for an enterprise network operating under a Software Defined Wide Area Network (SD-WAN). A system may be configured to collect positive and/or negative unified threat defense (UTD) results, deploy a rules-based model that, when a threat or clearance is detected across several SD-WAN edge network devices, triggers an update to a local security blacklist/whitelist, wherein the update comprises a signature, and push the update to other devices that have not yet seen the threat or clearance.

Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.

Abstract: Systems and methods provide for synergistic domain name system DNS security updates for an enterprise network operating under a Software Defined Wide Area Network (SD-WAN). A system may be configured to collect positive and/or negative unified threat defense (UTD) results, deploy a rules-based model that, when a threat or clearance is detected across several SD-WAN edge network devices, triggers an update to a local security blacklist/whitelist, wherein the update comprises a signature, and push the update to other devices that have not yet seen the threat or clearance.

Abstract: In one embodiment, a method includes providing a first profile to a plurality of edge routers of the SD-WAN, the plurality of edge routers operable to interface a plurality of devices to the SD-WAN. The first profile enables the plurality of edge routers to discover which devices of the plurality of devices support a first application. The method includes receiving, from one or more of the edge routers, information indicating which devices of the plurality of devices support the first application and building a first application fabric based on the information indicating which devices of the plurality of devices support the first application.

Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: In one embodiment, a device of a vehicle receives a packet comprising a source address, a destination address, an internet protocol (IP) encapsulated controller area network (CAN) message, and CAN message identifier information. The device compares the source address, the destination address, and the CAN message identifier information to an access control list (ACL). The device makes a determination that delivery of the CAN message to the destination address would be a policy violation based on the comparison. The device drops the packet based on the determination that delivery of the CAN message to the destination address would be a policy violation.

Abstract: According to certain embodiments, a system comprises one or more processors and one or more computer-readable non-transitory storage media comprising instructions that, when executed by the one or more processors, cause one or more components of the system to perform operations comprising: receiving location data associated with a plurality of remote users accessing one or more existing remote access gateways that are located at one or more network locations; building a heatmap of user locations based at least in part on the received location data; and identifying, from the heatmap of user locations, at least one new network location in which to generate at least one new remote access gateway, or at least one existing network location in which to remove at least one of the existing remote access gateways.

Abstract: In one embodiment, a method includes providing a first profile to a plurality of edge routers of the SD-WAN, the plurality of edge routers operable to interface a plurality of devices to the SD-WAN. The first profile enables the plurality of edge routers to discover which devices of the plurality of devices support a first application The method includes receiving, from one or more of the edge routers, information indicating which devices of the plurality of devices support the first application and building a first application fabric based on the information indicating which devices of the plurality of devices support the first application.

Abstract: In one embodiment, a method includes providing a first profile to a plurality of edge routers of the SD-WAN, the plurality of edge routers operable to interface a plurality of devices to the SD-WAN. The first profile enables the plurality of edge routers to discover which devices of the plurality of devices support a first application. The method includes receiving, from one or more of the edge routers, information indicating which devices of the plurality of devices support the first application and building a first application fabric based on the information indicating which devices of the plurality of devices support the first application.

Abstract: In one embodiment, a method includes providing a first profile to a plurality of edge routers of the SD-WAN, the plurality of edge routers operable to interface a plurality of devices to the SD-WAN. The first profile enables the plurality of edge routers to discover which devices of the plurality of devices support a first application. The method includes receiving, from one or more of the edge routers, information indicating which devices of the plurality of devices support the first application and building a first application fabric based on the information indicating which devices of the plurality of devices support the first application.

Abstract: Systems and methods provide for provisioning a dynamic intent-based firewall. A network controller can generate a master route table for network segments reachable from edge network devices managed by the controller. The controller can receive zone definition information mapping the network segments into zones and Zone-based Firewall (ZFW) policies to apply to traffic between a source and destination zone specified by each ZFW policy. The controller can evaluate a ZFW policy to determine first edge network devices that can reach first network segments mapped to the source zone specified by the ZFW policy, second edge network devices that can reach second network segments mapped to the destination zone specified by the ZFW policy, and routing information (from the route table) between the first network segments, the first and second edge network devices, and the second network segments. The controller can transmit the routing information to the edge network devices.

Abstract: Systems and methods provide for synergistic domain name system DNS security updates for an enterprise network operating under a Software Defined Wide Area Network (SD-WAN). A system may be configured to collect positive and/or negative unified threat defense (UTD) results, deploy a rules-based model that, when a threat or clearance is detected across several SD-WAN edge network devices, triggers an update to a local security blacklist/whitelist, wherein the update comprises a signature, and push the update to other devices that have not yet seen the threat or clearance.

Abstract: In one embodiment, a device of a vehicle receives a packet comprising a source address, a destination address, an internet protocol (IP) encapsulated controller area network (CAN) message, and CAN message identifier information. The device compares the source address, the destination address, and the CAN message identifier information to an access control list (ACL). The device makes a determination that delivery of the CAN message to the destination address would be a policy violation based on the comparison. The device drops the packet based on the determination that delivery of the CAN message to the destination address would be a policy violation.

Abstract: In one embodiment, a method for the prioritized transmission of messages includes monitoring a network link of a mobile device to determine performance characteristics of the network link, establishing a network association between the mobile device and a routing network node, receiving a connection request from an application that is directed to a connection between the mobile device and a destination server, determining a relative priority of the connection, mapping the connection to a stream of the network association that is associated with the relative priority of the connection and identifies the destination server, and transmitting messages for the stream to the routing network node interlaced with messages of other streams of the network association based on the performance characteristics of the network link and the relative priority associated with the stream in comparison to relative priorities associated with the other streams of the network association.

Abstract: In one embodiment, a method comprises obtaining, by a client device via a wireless data link with a wireless access point, information from a network device within a data network reachable via the wireless access point, the information describing network conditions associated with a service provided to the client device via the data network; and the client device optimizing a transmission control protocol (TCP) communication, via the wireless data link, for optimization of the service provided by the client device.

Abstract: Presented herein are techniques for enabling the zero touch deployment of devices having an integrated wireless wide area network (WWAN) interface. In one example, a device with a wireless wide area network interface is initialized and attaches to the wireless wide area network. The device receives, via the integrated wireless wide area network interface, a data message that includes a configuration file for the device. The device extracts the configuration file from the data message and uses the configuration file to perform configuration operations.