Patents Assigned to A10 Networks, Inc.
-
Patent number: 10110429
Abstract: Exemplary embodiments for enabling planned network changes such as an upgrade or downgrade of a network device are disclosed. The systems and methods provide for planned upgrades and downgrades for network devices without impacting existing network sessions, by utilizing two network devices simultaneously, and creating a redirect network session for a predetermined period of time. In so doing, all network traffic may be gradually transferred to the second network device, until the sessions processed by the first network device time out. The first network device can then be taken offline for upgrade or downgrade, without any disruption to the network service or loss of network traffic.
Type: Grant
Filed: October 30, 2017
Date of Patent: October 23, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Ali Golshan, Swaminathan Sankar, Venky Natham
-
Patent number: 10091237
Abstract: Network access control systems and methods are provided herein. A method includes receiving at a network device a SYN packet from a client device over a network, determining if the client device is a trusted source for the network using the SYN packet, if the client device is a trusted resource, receiving an acknowledgement (ACK) packet from the client device that includes identifying information for the client device plus an additional value, and identifying information for the network device, and establishing a connection with the network for the client device.
Type: Grant
Filed: October 31, 2017
Date of Patent: October 2, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Rajkumar Jalan, Ronald Wai Lun Szeto, Steven Wu
-
Patent number: 10069946
Abstract: Hardware-based packet editor receives a packet editing script which includes script entries indicating modifications to a data packet and a data block with data for the modified data packet. For a script entry in the packet editing script, the packet editor copies data in the data block at a block location and with a block length identified in the script entry into a packet buffer. The packet editor repeats the copying for the remaining script entries for the modified data packet. The packet editor then generates the modified data packet with the data in the packet buffer. The packet editing script is generated such that a script entry is created for data to be included in the modified data packet and data to be inserted into the modified data packet. Creation of a script entry is omitted for data to be removed.
Type: Grant
Filed: July 26, 2017
Date of Patent: September 4, 2018
Assignee: A10 NETWORKS, INC.
Inventor: Ian E. Davis
-
Patent number: 10063591
Abstract: Provided are methods and systems for intercepting encrypted data packets. A system for intercepting encrypted data packets may comprise a first device, a second device, and a monitoring device. The first device may be operable to intercept at least one encrypted data packet. The first device may be further operable to decrypt the at least one encrypted packet to produce at least one decrypted data packet. The first device may provide the at least one decrypted data packet to the monitoring device. The monitoring device may be operable to inspect the at least one decrypted data packet based on predetermined criteria. The second device may be operable to receive, from the monitoring device, the at least one decrypted data packet. The second device may be further operable to re-encrypt the at least one decrypted data packet to produce the at least one encrypted data packet.
Type: Grant
Filed: February 14, 2015
Date of Patent: August 28, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Xuyang Jiang, Ali Golshan
-
Patent number: 10044582
Abstract: A method to generate name records by a service gateway includes: receiving a name service request including a name from a host; creating a name service request using the name; sending the name service request to a name service server; receiving a response from the name service server, the response including a service server name record with one or more service server name entries corresponding to the name; generating and storing service gateway name records using the name and the name entries; and sending a selected service gateway name record to the host as a response to the name service request. When a subsequent name service request including the name is received, the service gateway compares the name against the stored service gateway name records, and in response to finding a match, sending the given service gateway name record as a response to the subsequent name service request.
Type: Grant
Filed: January 28, 2012
Date of Patent: August 7, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Liang Han, Yang Yang
-
Patent number: 10038693
Abstract: Facilitation of secure network traffic by an application delivery controller is provided herein. In some examples, a method includes: (a) receiving a data packet with information from a client indicating that the client is a trusted source; (b) embedding in the data packet a transmission control protocol (TCP) options header, the TCP options header comprising information including at least a sequence number for a protocol connection; and (c) forwarding the embedded data packet to a server.
Type: Grant
Filed: May 2, 2014
Date of Patent: July 31, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Rajkumar Jalan, Gurudeep Kamat
-
Patent number: 10027761
Abstract: Facilitation of secure network traffic over an application session by an application delivery controller is provided herein. In some examples, a network device receives a TCP SYN packet from a client device, to establish a TCP connection. The network device transmits a SYN/ACK packet to the client device, including a SYN cookie with identifying information to authenticate the client device to the application as a trusted source for the network. The client device then returns an ACK packet directly to the application server to establish the TCP connection.
Type: Grant
Filed: September 18, 2015
Date of Patent: July 17, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Rajkumar Jalan, Gurudeep Kamat
-
Patent number: 10020979
Abstract: Provided are methods and systems for allocating resources in a multi-core computing environment. The method comprises selecting, by one or more processors, at least one dedicated core for execution of a resource allocation algorithm. After selection of the dedicated core, the dedicated core allocates, based on the resource allocation algorithm, a network resource to a client. Furthermore, the dedicated core assigns the network resource to network packets associated with the client for processing by data cores. After the assigning of the network resource, the data cores process the network packets according to the allocated network resource.
Type: Grant
Filed: March 25, 2014
Date of Patent: July 10, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Dennis Oshiba, Hong Xiao
-
Patent number: 10021174
Abstract: Provided are methods and systems for distributing service sessions from a client device in a service data network. A packet of the service session is received by a forwarding node. The forwarding node determines whether the packet matches a service address associated with the service session. Responsive to the determining, a servicing node associated with the service address is selected based on a forwarding policy. The packet is sent to the selected servicing node. The servicing node determines whether the packet is a service request packet. A server is selected based on a service policy, wherein the server is configured to serve the service session. The packet is sent to the server. Before being received by a forwarding node, the packet is received by a gateway node. The gateway node determines whether the packet matches the service address and selects the forwarding node based on a notification.
Type: Grant
Filed: May 15, 2014
Date of Patent: July 10, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Swaminathan Sankar, Hasnain Karampurwala, Rahul Gupta, Gurudeep Kamat, Rajkumar Jalan
-
Patent number: 10002141
Abstract: Provided are methods and systems for implementing a distributed database in a data network. The method comprises receiving node data associated with one or more nodes of a plurality of nodes, updating the distributed database and replicating the distributed database to each of the plurality of nodes. The plurality of nodes comprises one or more cluster device, a cluster master, a traffic classification engine, a service node, and an orchestrator. The node data comprises node health, a number of total connections, node processing unit utilization, node memory status, destination server address, destination server capacity, destination server network connectivity, node dynamic state, node responsiveness. The distributed database comprises tables containing traffic map, node health information, traffic classification mapping, and service policy.
Type: Grant
Filed: June 30, 2014
Date of Patent: June 19, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Rajkumar Jalan, Gurudeep Kamat, Swaminathan Sankar, Hasnain Karampurwala
-
Patent number: 9992229
Abstract: Exemplary embodiments for programming a network device using user-defined scripts are disclosed. The systems and methods provide for a servicing node to receive a request for a network session between a client device and a server, receive a user defined class and a user defined object configuration from a node controller, and use the information to instruct an object virtual machine to generate at least one user defined object. The servicing node can then apply the at least one user defined object to a data packet of the network session, where the user defined object allows a user to configure the network device with user-defined instruction scripts.
Type: Grant
Filed: September 22, 2014
Date of Patent: June 5, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Rajkumar Jalan, Rishi Sampat
-
Patent number: 9992107
Abstract: Methods and systems are provided for processing data packets in a data network using a policy based network path. A policy enforcing point receives a data packet associated with a service session and routes it toward its destination along a network path which is determined according to data packet information and one or more packet processing criteria. The data packet information may include one or more of information associated with the packet, information associated with prior packets, and information obtained from a network computer. The network path may be selected from a database of network paths. The network path may include an order list of further policy enforcing points and corresponding network application appliances. The policy enforcing point may generate a new data packet based on the data packet and the policy based network path and send the new data packet to a next policy enforcing point.
Type: Grant
Filed: March 14, 2014
Date of Patent: June 5, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Rajkumar Jalan, Gurudeep Kamat
-
Patent number: 9986061
Abstract: Exemplary embodiments for programming a network device using user-defined scripts are disclosed. The systems and methods provide for a servicing node to receive a request for a network session between a client device and a server, receive a user defined class and a user defined object configuration from a node controller, and use the information to instruct an object virtual machine to generate at least one user defined object. The servicing node can then apply the at least one user defined object to a data packet of the network session, where the user defined object allows a user to configure the network device with user-defined instruction scripts.
Type: Grant
Filed: June 3, 2014
Date of Patent: May 29, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Rajkumar Jalan, Rishi Sampat
-
Patent number: 9979801
Abstract: In activating a service, a service gateway retrieves a service table entry using a service or server address of the service entry, where the service table entry has an association with another service entry. An association to the service entry is added and a marker value is set to indicate associations with two service entries. After a time duration, the association with the other service entry is removed, and the marker value is changed accordingly. In deactivating a service entry, the service gateway calculates a hash value for the service or server address of the service entry. After matching the hash value to a hash value of another service entry, an association with the other service entry is added. A marker value is set to indicate associations with two service entries. After a time duration, the association with the service entry is removed, and the marker value is changed accordingly.
Type: Grant
Filed: June 24, 2015
Date of Patent: May 22, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Rajkumar Jalan, Feilong Xu, Rishi Sampat
-
Patent number: 9979665
Abstract: Reducing buffer usage for a TCP proxy session between a client and a server by a service gateway includes: determining a first round trip time (RTT) for a server side TCP session and determining a second RTT for a client side TCP session; comparing the first RTT with the second RTT; determining whether the second RTT exceeds the first RTT beyond a threshold; if so, then calculating a desired RTT based on the second RTT; and setting a timer according to the calculated desired RTT, where a TCP acknowledgement for the server side TCP session is delayed until the timer expires. The desired RTT may be calculated as a percentage of the second RTT or as the second RTT minus a predetermined value. The service gateway waits until the timer has expired before sending a TCP acknowledgement data packet to the server.
Type: Grant
Filed: December 9, 2016
Date of Patent: May 22, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Liang Han, Zhiruo Cao
-
Patent number: 9961130
Abstract: Provided are methods and systems for processing a data packet associated with a service session. The data packet directed to a first servicing node can be received by a forwarding node. The forwarding node can determine that the first servicing node is unavailable. Based on the determination, the forwarding node can select a second servicing node from a plurality of servicing nodes. The selection can be based on a high availability policy. The forwarding node can then send the data packet to the second servicing node.
Type: Grant
Filed: April 24, 2014
Date of Patent: May 1, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Gurudeep Kamat, Swaminathan Sankar
-
Patent number: 9960967
Abstract: A method and system to determine a web server based on geo-location information is disclosed. The system includes: a local DNS server coupled to a web client; a plurality of web servers; and a global load balancer coupled to the local DNS server. The global load balancer: receives a request for a web service sent by the web client, the request comprising local DNS server information; determines a geographic location for the local DNS server based on the local DNS server information; determines a web server from the plurality of web servers based on the requested web service; determines a geographic location for the determined web server; determines that the geographic location for the local DNS server matches the geographic location for the determined web server; selects the determined web server; and sends a response comprising information on the selected web server to the local DNS server.
Type: Grant
Filed: October 21, 2009
Date of Patent: May 1, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Lee Chen, John Chiong
-
Patent number: 9961135
Abstract: A method, system, and computer program product for balancing servers based on server load status, include: receiving from a server a service response to a service request, the service response including a result from a processing of the service request and a server status indicating a computing load status of the server; obtaining the server status from the service response; receiving a next service request from a host, the next service request comprising a Uniform Resource Locator (URL); determining that the server is configured to process the URL; determining whether the server status indicates that the server is available to process the next service request; and in response to determining that the server status indicates that the server is available to process the next service request, sending the next service request to the server.
Type: Grant
Filed: December 1, 2015
Date of Patent: May 1, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Lalgudi Narayanan Kannan, Ronald Wai Lun Szeto, Lee Chen, Feilong Xu, Rajkumar Jalan
-
Patent number: 9961136
Abstract: A service gateway processes a service request received from a host based on a dynamic service response time of a server. In an exemplary embodiment, the service gateway relays a service request to a server over a service session between the service gateway and the server; receives a service response from the server; calculates a dynamic service processing time for the service request from a service request time and a service response time; compares the dynamic service processing time with an expected service processing time; updates a server busy indicator for the server in response to the comparing, where the server busy indicator is maintained at the service gateway; and processes future service requests in accordance with the server busy indicator at the service gateway.
Type: Grant
Filed: March 15, 2017
Date of Patent: May 1, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Rajkumar Jalan, Ronald Wai Lun Szeto, Feilong Xu
-
Patent number: 9954868
Abstract: The system includes a host, a network including a security gateway, and a public application. Established are an access session between the network and the host and an application session between the public application and the network. An application session record is created for the application session, and includes the user's public user identity used to access the public application, the user's private user identity used to access the network, a host identity, and an application session time. To determine the private user identity for the application session, the security gateway sends a query with the host identity and the application session time. These are compared with the host identity and access session time in an access session record, if they match, then the private user identity in the access session record is returned, and it is stored as the private user identity in the application session record.
Type: Grant
Filed: June 23, 2017
Date of Patent: April 24, 2018
Assignee: A10 NETWORKS, INC.
Inventors: Xin Wang, Lee Chen, John Chiong