Abstract: A method for load sharing and high availability in a cluster of computers. The cluster includes a first computer and a second computer which perform a task An active application runs in the first computer and a standby application is installed in the second computer. The active application and the standby application are included in an application group. A first plurality of applications is installed in the first computer; the first plurality includes the running active application. The active application performs the task and stores in memory of the first computer state parameters and a policy A synchronized copy of the state parameters and the policy pertaining to the task is maintained by storing in memory of the second computer. Preferably, the cluster is in a security gateway between data networks and performs a task related to security of one or more of the networks.

Abstract: A method for protecting data communications using a multiple processor device in which multiple processors are operatively connected by a transport mechanism for sharing data. One or more of the processors is programmed as a dispatcher and other processors are programmed with processes. Each of the processes enforce an identical security policy and/or perform an identical or specialized security function. Data streams are transferred respectively from the dispatcher to the processes through the transport mechanism. Control information is transmitted through the transport mechanism from one or more processes to the dispatcher. The control information specifies balancing load of the data streams between the processes. The dispatcher balances load based on the control information.

Abstract: A method to manage the bandwidth of a link that is available to a cluster of servers. The method includes establishing a localized bandwidth management policy for at least one of the servers from a centralized management policy of the cluster. The localized policy and the centralized policy are based on a hierarchical policy having a plurality of rules associated with classes of connections that are routed through the link. Each of the rules has an associated rate. The plurality of rules includes a plurality of terminal rules. Establishing the localized policy is performed by prorating the rate of at least one of the terminal rules under the centralized policy according to a first measurement of a usage of the link by the at least one server for the at least one terminal rule. The method also includes operating the at least one server according to the localized policy.

Abstract: A system, a device and a method for accelerating packet filtration by supplementing a firewall with a pre-filtering module. The pre-filtering module performs a limited set of actions with regard to the packets, according to whether the packets are received from a connection which has been previously permitted by the firewall. If the packets are received from such a permitted connection, then the pre-filtering module forwards the packets to their destination, optionally performing one or more actions on the packets. Otherwise, the packets are forwarded to the firewall for handling. Preferably, once the firewall has transferred responsibility for the connection to the pre-filtering module, or “off-loaded” the connection, the firewall does not receive further packets from this connection until a timeout occurs for the connection, or a packet is received with particular session-control field values, such that the connection is closed.

Abstract: The present invention discloses a novel system for controlling the inbound and outbound data packet flow in a computer network. By controlling the packet flow in a computer network, private networks can be secured from outside attacks in addition to controlling the flow of packets from within the private network to the outside world. A user generates a rule base which is then converted into a set of filter language instruction. Each rule in the rule base includes a source, destination, service, whether to accept or reject the packet and whether to log the event. The set of filter language instructions are installed and execute on inspection engines which are placed on computers acting as firewalls. The firewalls are positioned in the computer network such that all traffic to and from the network to be protected is forced to pass through the firewall. Thus, packets are filtered as they flow into and out of the network in accordance with the rules comprising the rule base.