Abstract: Provided are methods and systems for graceful scaling of data networks. In one example, an indication of removal of a node from a plurality of nodes of the data network is received. A service policy is generated to reassign service requests associated with the node to another node in the plurality of nodes. The service policy is then sent to each of the plurality of nodes of the data network. To scale out a data network, an indication of presence of a further node in the data network is received, and a further node service policy is generated and sent to each of the plurality of nodes of the data network and to the further node. Additional actions can be taken in order to prevent interruption of an existing heavy-duty connection while scaling the data network.

Abstract: Provided are methods and systems for distributing application traffic. A method for distributing application traffic may commence with relaying a first service request for a first service session from a service gateway to a server. The first service request may be received from a host and may be associated with a service request time. The method may further include receiving, from the server, a service response. The service response may be associated with a service response time. The method may continue with calculating a service processing time based on the service request time and the service response time and comparing the service processing time with an expected service processing time. The method may further include receiving, from the host, a second service request for a second service session. The method may continue with selectively relaying the second server request to the server based on the service processing time.

Abstract: Provided are a method and a system for exchanging control information between secure socket layer (SSL) gateways. The method may commence with intercepting, by a client facing node, a client request including session-specific information and a session request to establish an SSL communication session between a client and a server. The method may continue with generating an SSL extension based on the session-specific information and adding the SSL extension to the session request to obtain an extended session request. The extended session request may be sent to a server facing node in communication with the client facing node. The method may further include identifying the session-specific information contained in the SSL extension of the extended session request and generating a further session request for establishing the SSL communication session between the server facing node and the server. The method may further include sending the further session request to the server.

Abstract: Methods and systems for dynamic threat protection are disclosed. An example method for dynamic threat protection may commence with receiving real-time contextual data from at least one data source associated with a client. The method may further include analyzing the real-time contextual data to determine a security threat score associated with the client. The method may continue with assigning, based on the analysis, the security threat score to the client. The method may further include automatically applying a security policy to the client. The security policy may be applied based on the security threat score assigned to the client.

Abstract: Provided are methods and systems for load distribution in a data network. A method for load distribution in the data network comprises retrieving network data associated with the data network and service node data associated with one or more service nodes. The method further comprises analyzing the retrieved network data and service node data. Based on the analysis, a service policy is generated. Upon receiving one or more service requests, the one or more service requests are distributed among the service nodes according to the service policy.

Abstract: The processing of data packets sent over a communication session between a host and a server by a service gateway includes processing a data packet using a current hybrid-stateful or hybrid-stateless processing method. The processing then checks whether a hybrid-stateless or hybrid-stateful condition is satisfied. When one of the sets of conditions is satisfied, the process includes changing from a hybrid-stateful to a hybrid-stateless processing method, or vice versa, for a subsequently received data packet. If the conditions are not satisfied, the process continues as originally structured.

Abstract: Provided are methods and systems for inspecting secure data. A system for inspecting secure data comprises a server facing module, and a client facing module in communication with the server facing module. The client facing module is operable to intercept a client request associated with the secure data to establish a secure connection with a server, establish a data traffic channel via the server facing module, and provide a control message to the server facing module via the data traffic channel. The control message includes an instruction to the server facing module to obtain a security certificate from the server. The security certificate is received from the server facing module via the data traffic channel. The security certificate is forged to establish the secure connection between the client and the client facing module. The client facing module sends unencrypted data to the server facing module via the data traffic channel.

Abstract: A method for dynamic allocating of a resource capacity in a cloud computing deployment is disclosed. According to the method, a resource capacity allocation of a network instance is determined and a resource capacity demand of the network instance is monitored. If the resource capacity demand exceeds a first threshold value, the resource capacity allocation of the network instance is increased by allocating additional resource capacity of a shared pool of network instances. However, if the resource capacity demand falls below a second threshold value, the resource capacity allocation of the network instance is decreased by deallocating the additional resource capacity back to the shared pool of network instances.

Abstract: Provided are methods and systems for balancing servers based on a server load status. A method for balancing servers based on a server load status may commence with receiving, from a server of a plurality of servers, a service response to a service request. The service response may include a computing load of the server. The method may continue with receiving a next service request from a host. The method may further include determining, based on the computing load of the server, whether the server is available to process the next service request. The method may include selectively sending the next service request to the server based on the determination that the server is available to process the next service request.

Abstract: Provided are methods and systems for enabling a planned upgrade or a planned downgrade of a first network device. A method may commence with receiving a request for a virtual service via a Transmission Control Protocol (TCP) session between the first network device and the client device. The method may further include creating, by a second network device being a standby device for the first network device, a redirect network session for the TCP session. The method may continue with delivering, by the first network device, the request for the virtual service to a server. Upon a change designating the second network device as an active device for the virtual service, the second network device may receive, from the server, a server response associated with the virtual service and redirect the server response to the first network device for further sending of the server response to the client device.

Abstract: Provided are methods and systems for dynamically limiting new sessions. A method for dynamically limiting new sessions may commence with initiating a dynamic session rate limiter based on predetermined criteria. The method may further include dynamically ascertaining, by the dynamic session rate limiter, a remaining session table capacity. The method may continue with dynamically limiting, by the dynamic session rate limiter, a number of new sessions according to a function selected to negatively correlate the new sessions and the remaining session table capacity.

Abstract: Described herein are methods and systems for application aware fastpath processing over a data network. In some examples, application fastpath operates to facilitate application specific fastpath processing of data packets transferred between a client device and a server device over a network session of a data network.

Abstract: Disclosed herein are systems and methods for a security gateway to process secure network sessions where there is a server certificate validation error. In various embodiments, varying security policies can be applied to the secure network sessions, including intercepting of network data, bypass of the security gateway, or termination of the secure sessions.

Abstract: Described are systems and methods for verifying server security certificates using hash codes. The system may include a client secure socket layer (SSL) node, a service gateway node, and a storage node. The client SSL node may receive a session request from a client. The service gateway node may forward the session request to a server to receive a server security certificate. The service gateway node may query a server domain name system module to receive a hash code. The hash code may include a first hash value and a hash function to obtain the server security certificate based on the first hash value. The service gateway node may calculate a second hash value by applying the hash function to the server security certificate and match the second hash value and the first hash value to determine whether the server security certificate is valid.

Abstract: Methods and systems for load balancing are disclosed. An example method for load balancing commences with receiving a data packet from a host device. The method further includes identifying a header field of the data packet. After identifying the header field of the data packet, the method proceeds with matching the data packet to a network service based on the header field. Thereafter, the method generates a header field block for the data packet based on the network service. The method further includes sending the data packet to a processor module. The data packet is processed based on the header field block.

Abstract: A security platform running on a server includes (a) protocol stacks each configured to receive and to transmit IP data packets over a network interface, wherein the protocol stacks have predetermined performance characteristics that are different from each other and wherein each protocol stack includes one or more program interfaces to allow changes to its performance characteristics; (b) application programs each configured to receive and transmit payloads of the IP data packets, wherein at least two of the application programs are customized to handle different content types in the payloads and wherein each application program accesses the program interface of at least one protocol stack to tune performance characteristics of the protocol stack; (c) classifiers configured to inspect at a given time IP data packets then received in the network interface to select one of the protocol stack and one of the application programs to service the data packets; and (d) a control program to load and run the selected

Abstract: A security network system may include a security gateway operable to establish a client session between the security gateway and a client device. The security gateway is operable to receive client session information from the client session. The client session information includes an identification of a server with which the client device needs to exchange data. The security network system may also include a Hardware Security Module (HSM) in communication with the security gateway. The HSM is operable to establish, in concert with the security gateway, a secure session between the security gateway and the server based on the client session data, a public key, a secret key, and context attributed to the secure session.

Abstract: User authentication techniques based on geographical locations associated with a client device are provided. An example method for authentication of the client device includes receiving an authentication request from the client device. The method may include establishing current geographical location of the client device. The method may further include establishing a trusted tolerance geographical area associated with the client device. After establishing the trusted tolerance geographical area, the method may proceed with determining whether the current geographical location of the client device is within the trusted tolerance geographical area. The method may further include authenticating the client device based on the determination that the current geographical location of the client device is within the trusted tolerance geographical area.

Abstract: In providing packet forwarding policies in a virtual service network that includes a network node and a pool of service load balancers serving a virtual service, the network node: receives a virtual service session request from a client device, the request including a virtual service network address for the virtual service; compares the virtual service network address in the request with the virtual service network address in each at least one packet forwarding policy; in response to finding a match between the virtual service network address in the request and a given virtual service network address in a given packet forwarding policy, determines the given destination in the given packet forwarding policy; and sends the request to a service load balancer in the pool of service load balancers associated with the given destination, where the service load balancer establishes a virtual service session with the client device.

Abstract: Data traffic splitting between computing clouds may include a first application delivery controller (ADC) and a second ADC. The first ADC can be configured to control data traffic split within a first computing cloud. The second ADC can be configured to control data traffic split within a second computing cloud. The system may include a third ADC configured to control traffic split between at least the first ADC and the second ADC. The first ADC can be associated with a first version of an application configured to run on the first computing cloud. The second ADC can be associated with a second version of the application configured to run on the second computing cloud. The third ADC is further configured to control data traffic split based on at least one blue/green policy.