Abstract: Techniques for processing transactional application events are described herein. In one embodiment, a database transaction record is retrieved from a database transaction log, where the database transaction record includes information of a database transaction and an application event associated with the database transaction. In response, a database operation specified in the database transaction is performed, where the database operation is configured to update one or more records of a database. The application event is extracted from the database transaction record retrieved from the database transaction log. An event operation associated with the application event that is associated with the database transaction is performed, such that when the event operation is performed, the updated one or more records of the database are readily available. Other methods and apparatuses are also described.

Abstract: Techniques for providing extensibility framework for processing network packets are described herein. In one embodiment, in response to a packet received at a network element, the packet is processed using a generic process for performing a first type of operations required by the packet, wherein the first type of operations is common to a type of the packet. An extended process is invoked, via an extensibility application programming interface (API), to perform a custom operation that is not common to the generic process and is not statically known to the generic process, in order to determine whether the packet is eligible to access a resource of at least one of a plurality of application servers of a datacenter, including a layer-7 access control process. The network element operates as an application service gateway for the datacenter. Other methods and apparatuses are also described.

Abstract: Techniques for building and managing network policies for accessing resources of a datacenter are described herein. In one embodiment, events are captured within a network element pertaining to certain activities of accessing certain resources of a datacenter, wherein the network element operates as an application service gateway to the datacenter. A new rule/policy is provisioned based on attributes extracted from the captured events, where the attributes includes at least one of user attribute, environment attribute, and a resource attribute. A simulation is performed on the new rule/policy under a real time network traffic condition, generating a simulation result. The new rule/policy is committed if the simulation result satisfies a predetermined condition, wherein the new rule/policy is enforced within the network element to determine whether a particular client is eligible to access a particular resource of the datacenter. Other methods and apparatuses are also described.

Abstract: Techniques for highly parallel evaluation of XACML policies are described herein. In one embodiment, attributes are extracted from a request for accessing a resource including at least one of a user attribute and an environment attribute. Multiple individual searches are concurrently performed, one for each of the extracted attributes, in a policy store having stored therein rules and policies written in XACML, where the rules and policies are optimally stored using a bit vector algorithm. The individual search results associated with the attributes are then combined to generate a single final result using a predetermined policy combination algorithm. It is then determined whether the client is eligible to access the requested resource of the datacenter based on the single final result, including performing a layer-7 access control process, where the network element operates as an application service gateway to the datacenter. Other methods and apparatuses are also described.

Abstract: Techniques for multi-stage multi-core processing of network packets are described herein. In one embodiment, work units are received within a network element, each work unit representing a packet of different flows to be processed in multiple processing stages. Each work unit is identified by a work unit identifier that uniquely identifies a flow in which the associated packet belongs and a processing stage that the associated packet is to be processed. The work units are then dispatched to multiple core logic, such that packets of different flows can be processed concurrently by multiple core logic and packets of an identical flow in different processing stages can be processed concurrently by multiple core logic, in order to determine whether the packets should be transmitted to one or more application servers of a datacenter. Other methods and apparatuses are also described.

Abstract: A highly scalable application layer service appliance is described herein. According to one embodiment, a network element includes a plurality of application service modules (ASMs), each providing one or more application services to network traffic, including layer 5-7 services, a lossless data transport fabric (LDTF), a network service module (NSM) coupled to each of the ASMs over the LDTF. In response to a packet of a network transaction received from a client over for accessing a server of a datacenter, the NSM is configured to perform layer 2-5 processes on the packet, generating a data stream. The NSM is configured to route the data stream to at least two ASMs over the LDTF to allow the ASMs to perform layer 5-7 services on the packet. Other methods and apparatuses are also described.

Abstract: A network element having centralized TCP termination with multi-service chaining is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second and a third service modules coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network for access a server of a data center having multiple servers over a second network, the first service module is configured to terminate a TCP connection of the packets. The TCP terminated packets are transmitted to the second and third service modules over the switch fabric. The second and third service modules are configured to perform different application network services on the TCP terminated packets without having to perform a TCP process again. Other methods and apparatuses are also described.

Abstract: Application protection architecture with triangulated authorization is described herein. According to one embodiment, a packet of a network transaction is received at a network element from a client system over a first network for accessing a destined server of a datacenter over a second network, where network element operates as a security gateway to the datacenter. In response to the packet, one or more user attributes associated with a user of the client system are obtained from an identity store, where the user attributes include a user identifier that identifies the user and a machine identifier that identifies the client system. Authentication and/or authorization are performed on the packet using the user attributes to determine whether the user of the client system is eligible to access the destined server of the datacenter. Other methods and apparatuses are also described.

Abstract: Techniques for providing layer 4 transparent secure transport for end-to-end application protection are described herein. According to one embodiment, a packet of a network transaction is received from a client over a first network, where the packet is destined to a server of a data center having a plurality of servers over a second network. The packet includes a payload encrypted without encrypting information needed for a layer 4 of OSI (open system interconnection) layers of network processes. The layer 4 process is performed on the packet without having to decrypting the payload to determine whether the packet is eligible to access the destined server over the second network based on the unencrypted layer 4 information. Other methods and apparatuses are also described.

Abstract: Layer 4 gateway for a converged datacenter fabric is described herein. According to one embodiment, a packet of a network transaction is received from a client over a first network for accessing a server of a datacenter having a plurality of servers over a second network. One or more network services are performed on the packet including terminating a TCP (transport control protocol) connection associated with the network transaction and generating a data stream. The data stream without TCP information is routed to the server via a converged I/O interface over the second network if the second network is a converged fabric network. The data stream with TCP information is routed via a TCP connection to the server if the second network is an Ethernet. Other methods and apparatuses are also described.

Abstract: An application network appliance having inter-module communication using a universal serial bus (USB) is described herein. According to one embodiment, a network element includes a lossless data transport fabric (LDTF), multiple service modules coupled to each other over the LDTF, and a service control module (SCM) coupled to each of the service modules over the LDTF for routing network data between the SCM and the service modules. The SCM is also coupled to each of the service modules via a universal serial bus (USB) for managing the service modules, where the network element operates as a security gateway to a datacenter having multiple servers. Other methods and apparatuses are also described.

Abstract: Redundant application network appliances using a low latency lossless interconnect link are described herein. According to one embodiment, in response to receiving at a first network element a packet of a network transaction from a client over a first network for accessing a server of a datacenter, a layer 2 network process is performed on the packet and a data stream is generated. The data stream is then replicated to a second network element via a layer 2 interconnect link to enable the second network element to perform higher layer processes on the data stream to obtain connection states of the network transaction. In response to a failure of the first network element, the second network element is configured to take over processes of the network transaction from the first network element using the obtained connection states without user interaction of the client. Other methods and apparatuses are also described.

Abstract: An application network appliance with virtualized services is described herein. According to one embodiment, a packet of a network transaction is received from a client for accessing an application server of a datacenter, where the network element operates as an application services gateway of the datacenter. A context associated with the application server is identified based on the packet, including information that identifies application services to be performed on the packet and resources to be allocated for performing the application services. A context includes information representing a logical instance of physical resources of the network element shared by multiple contexts. One or more application services are performed on the packet using the resources identified by the context. Other methods and apparatuses are also described.

Abstract: An application network appliance with a built-in virtual directory interface is described herein. According to one embodiment, a network element includes a virtual directory interface (VDI) coupled to multiple directory servers, and an authentication and authorization unit coupled to the VDI. In response to a packet of a network transaction received from a client over a first network for accessing a server of a datacenter over a second network, the authentication and authorization unit obtains user attributes from the directory servers via the VDI and performs authentication and authorization using the user attributes to determine whether a user of the client is eligible to access the server of the datacenter, where the network element operates as a security gateway to the datacenter. Other methods and apparatuses are also described.

Abstract: A highly scalable application network appliance is described herein. According to one embodiment, a network element includes a switch fabric, a first service module coupled to the switch fabric, and a second service module coupled to the first service module over the switch fabric. In response to packets of a network transaction received from a client over a first network to access a server of a data center having multiple servers over a second network, the first service module is configured to perform a first portion of OSI (open system interconnection) compatible layers of network processes on the packets while the second service module is configured to perform a second portion of the OSI compatible layers of network processes on the packets. The first portion includes at least one OSI compatible layer that is not included in the second portion. Other methods and apparatuses are also described.