Abstract: A station initiates a fast BSS transition from a source access point to a target access point. The target access point detects a failure by the Wi-Fi controller to retrieve a PMK-R0 key for a requested PMKR0Name. The PMKR0Name is parsed from an authentication request of the station. The failure can result in requiring a fresh BSS connection by the station. Responsive to the failure detection, a PMK-R0 key is generated in cooperation with the Wi-Fi controller, to prevent requiring the fresh BSS connection. The PMK-R0 key further helps to support fast transition between access points.
Abstract: Real-time statistics of station RU needs are received. Additionally, real-time statistics of access point RU allocation are received. Real-time statistics for stations and access point history are stored. An artificial intelligence (AI) predictive model is generated for each station based on historical traffic needs. The AI model is used to allocate access point RUs for specific stations in real time.
Abstract: Scan reports are received by a Wi-Fi controller from a plurality of access points. Each scan report identifies neighboring BSSIDs with associated BSS color within radio range and corresponding RSSI measurements. An OBSS can be detected by cross-referencing scan reports. BSS color is modified to avoid a potential BSS collision. A station associated with the potential BSS collision reports actual color collisions. An indication of the BSS color change is transmitted to one or more access points for local implementation.
Abstract: During an initial bootup in a bootloader of an SOC, a random number that is unique to the device is stored in secured storage. During a first bootup, a two-dimensional random key is stored in secure storage for encoding the ENV parameters. During a second (subsequent) bootup, the ENV parameters that are current in unsecured storage are compared against the ENV parameters that previously existed in order to identify a mismatch. A remediation security action can be taken responsive to a mismatch between the baseline digest and a dynamic digest.
Abstract: Multiple types of links are made simultaneously available, including a Wi-Fi link, a cell link and a wired link. A list of running cloud applications is identified by monitoring. A quality of each available link for each running cloud application is periodically tested, including measurements of latency, jitter and packet loss. A first link is selected for a first application and a second link is selected for a second application. Data packets related to the first application are transmitted over the first link and data packets related to the second application over the second link.
Type:
Application
Filed:
March 7, 2024
Publication date:
April 3, 2025
Applicant:
Fortinet, Inc.
Inventors:
Emilio Borbolla Galindo, Juan Ernesto Lopez Silva
Abstract: Uplink utilization is monitored for each station connected to an access point over a wireless network, including jitter, latency, and dropped packets. Uplink utilization is also monitored for access points that are neighbors to the access point, as determined from neighbor reports. An AI model is generated from the monitoring data. When an uplink threshold has been exceeded at the access point, a new access point is selected from the AI model for at least one of the stations, based at least on a least-used uplink in addition to RF parameters.
Abstract: Techniques relate generally to computer networks, and more specifically, for a web browser having a web browser extension for evaluating web requests using internal coordination to make asynchronous information synchronously available, prior to dispatching the web requests.
Type:
Application
Filed:
September 30, 2023
Publication date:
April 3, 2025
Applicant:
Fortinet, Inc.
Inventors:
Jeremy Allen Wildsmith, Mounir Elgharabawy
Abstract: A secure connection is established between an IAM server on a data communication network and an on-premises Active Directory using a zero trust tunnel based on TCP forwarding. An authentication request is received from a gateway device, for the user to access a service provider hosting applications, responsive to a user request for access to the service provider hosting applications. Responsive to recognizing the user of the authentication request as being associated with the established SSO session, an assertion is returned to the gateway that the user is authenticated to access the service provider. An authentication request is received from the service provider, for access to a specific application. Responsive to the group information associated with the user, an assertion is returned to the service provider that the user is authenticated for use of the specific application.
Abstract: Native Browser Isolation (NBI) distributes resource requirements over the network of clients that will be hosting a web browser. This works on the assumption that modern machines have the spare resources to run an isolated browser environment themselves, thus not requiring a central mainframe to run the browser isolation (BI) system. The framework will provide means to run the browser in a separate environment from the host OS, provide graphic rendering for the isolated environment, as well as a means to display the isolated graphics to the user as if it were a native application of the host OS.
Abstract: A processor has hardware acceleration enabled during passive link quality measurement. The processor comprises a forwarding engine to passively gather link quality details from existing network sessions concerning a plurality of links. The link quality details comprise latency, jitter and packet loss. An SD-WAN path selection module identifies a link from the plurality of links for data packets of a current session using the link quality details.
Type:
Application
Filed:
September 30, 2023
Publication date:
April 3, 2025
Applicant:
Fortinet, Inc.
Inventors:
Juan Ruiz Sanchez, Jorge Garcia Alvarez
Abstract: A specific container is spawned by a Docker module responsive to a Kubernetes control instruction. Network connectivity is provided for the specific container to a data communication network through a networking bridge, and a security policy is configured. After configuration, inbound or outbound data packets concerning the specific container are received and forwarded to a security policy KVM for scanning against security policies. Those that pass security scanning are forwarded to containers and external destinations.
Type:
Grant
Filed:
September 30, 2021
Date of Patent:
April 1, 2025
Assignee:
Fortinet, Inc.
Inventor:
Sérgio Henrique Marcelino Castro da Rosa
Abstract: Using user feedback for attack path analysis in an anomaly detection framework, including: performing an attack path analysis for a cloud deployment; receiving, from a user, user feedback for an attack vector of the attack path analysis; and initiating, based on the user feedback, a workflow for modifying one or more parameters for generating the attack path analysis.
Type:
Grant
Filed:
May 24, 2023
Date of Patent:
April 1, 2025
Assignee:
Fortinet, Inc.
Inventors:
Úlfar Erlingsson, Jay Parikh, Yijou Chen
Abstract: A Wi-Fi controller receives notification of a probe request of a station that was received by each of at least two of the two or more Wi-Fi 7 access points of a multiple access point coordination group. The probe requests are each sourced from the station while within the at least partially overlapped radio signal coverage area. The Wi-Fi controller selects one of the at least two access points to respond to the multiple probe requests with a single probe response to the station, by notifying the selected access point to send the single probe response including RNR (reduced neighbor report) data providing connection information for the at least two access points. The other of the at least two Wi-Fi 7 access points refrain from sending additional probe responses to the station.
Abstract: A method is disclosed. The method comprises receiving data for a virtual private cloud (VPC), receiving, via a graphical user interface (GUI), a request to access the VPC data, and displaying, at the GUI, a resource page providing a filtered view of VPC resources included in the VPC data.
Type:
Application
Filed:
September 24, 2024
Publication date:
March 27, 2025
Applicant:
Fortinet, Inc.
Inventors:
Yifeng Wang, Urmila V. Kashyap, Jayati Ambekar, Alexandra Christensen, Joshua L. Vertes, Lindsey A. Poli, Liwei Dai, Matthew M. Park, Yizhou Guo, Sowmya A. Karmali, Yijou Chen
Abstract: Systems, devices, and methods are discussed for automatically determining a risk-based focus in determining zero trust network access policy on one or more network elements.
Type:
Grant
Filed:
March 29, 2024
Date of Patent:
March 25, 2025
Assignee:
Fortinet, Inc.
Inventors:
Rajiv Sreedhar, Manuel Nedbal, Manoj Ahluwalia, Latha Krishnamurthi, Rajeshwari Rao, Damodar K. Hegde, Jitendra B. Gaitonde, Dave Karp, Mark Lubeck
Abstract: Time series anomaly detection, including: gathering data associated with a particular event type and a particular user; generating, based on the data, a time series analysis; detecting an anomaly based on the time series analysis; and generating information describing the anomaly.
Type:
Grant
Filed:
August 10, 2022
Date of Patent:
March 25, 2025
Assignee:
Fortinet, Inc.
Inventors:
Ting-Fang Yen, Isha Singhal, Andrew D. Twigg, Yijou Chen
Abstract: Rogue Wi-Fi 6E access points are identified by on-wire data traffic of authorized Wi-Fi 6E access points. Data traffic is monitored across all access points for the rogue Wi-Fi 6E access points according to an SSID/BSSID scan table. In response, modified CSA values are sent in spoofed action frames that have a source BSSID of the rogue access points rather than of the authenticated access point that transmits them.
Abstract: Responsive to matching a site prefix to IPv6 network traffic from clients, the traffic is classified as intended, and responsive to not matching the site prefix, the corresponding traffic is classified as unintended. Load caused by intended traffic and load caused by unintended traffic are predicted based on an initial rate of packet occurrence. The predicted traffic loads are fed back by configuring the behavior of network modules according to the predictions of intended traffic load and unintended traffic load. Packet processing at the network modules is based on the traffic classification output by the AI neuron.
Abstract: DHCP requests can be sent by endpoints to get first IP addresses. SSO data concerning the endpoints is collected using an identity service. A DHCP fingerprint is generated for each of the endpoints, including the first IP addresses. DHCP fingerprints are stored to an SSO unification database along with corresponding SSO data for the endpoints at the first IP addresses, including a specific endpoint at a first IP address on the wired network. While tracking, the specific endpoint is subsequently detected at a second IP address on the wireless network. The new IP address can be responsive to a transition by the specific endpoint from the wired network to the wireless network, or vice versa. The detection is based on matching a DHCP fingerprint of the specific endpoint to a record of the SSO unification database, and the IP addresses are checked for consistency. An SSO authentication transaction is performed to reauthenticate the specific endpoint.