Abstract: The present application is directed towards sharing data link layer information of network traffic distributed across a cluster of intermediary devices. A method for sharing data link layer information across a cluster includes receiving a request packet at a first intermediary device. The first intermediary device identifies a first set of data link layer information from a data link layer of the request packet. The first intermediary device modifies the request packet for transmission on a common data backplane of the cluster to include the first set of data link layer information in the request packet. The modified request packet includes a second set of data link layer information that differs from the first set of data link layer information at the data link layer. The first intermediary device transmits the modified request packet on the common data backplane of the cluster to other devices of the cluster.

Abstract: An efficient method for parsing HTML pages identifies pages containing a mix of static and dynamic content. The pages are parsed to form abstract syntax trees (ASTs), which are then cached along with the pages. When a later version of a page is retrieved, it is compared against the cached version, and only those portions of the AST that contain different content are reparsed.

Abstract: The present disclosure presents systems and methods for controlling network traffic traversing an intermediary device based on a license or a permit granted for the intermediary device. The systems and methods control a rate of a traffic of a device in accordance with a rate limit identified by a rate limiting license. A rate limiting manager of an intermediary device that processes network traffic between a plurality of clients and a plurality of servers, may identify presence of a rate limiting license that further identifies a performance level. The rate limiting manager may establish a rate limit based on the performance level of the rate limiting license. A throttler of the intermediary may control a rate of receiving network packets in accordance with the rate limit.

Abstract: The present disclosure is directed to systems and method for providing a virtual appliance. One or more application delivery controller appliances intermediary to a plurality of clients and a plurality of servers perform a plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers. A virtual application delivery controller is deployed on a device intermediary to the plurality of clients and the plurality of servers. The virtual application delivery controller executing on the device performs one or more of the plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers.

Abstract: The present application is directed towards systems and methods for distributing traffic across nodes of a cluster of intermediary devices through distributed flow distribution (DFD). Upon receipt of network traffic, a cluster node, such as an intermediary computing device or appliance, may internally steer a portion of the traffic via an inter-node communications backplane to one or more other nodes in the cluster so that the load is equally handled by all of the nodes in the cluster. A cluster node may determine whether to process the traffic steered via the backplane by computing a hash of packet parameters of the network traffic. Hash keys may be selected such that uniformity is assured, and the key used in hash computation may be synchronized across all of the nodes so that only one node determines that it should process the particular packets or traffic flow.

Abstract: The present disclosure is directed to systems and method for providing a virtual appliance. One or more application delivery controller appliances intermediary to a plurality of clients and a plurality of servers perform a plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers. A virtual application delivery controller is deployed on a device intermediary to the plurality of clients and the plurality of servers. The virtual application delivery controller executing on the device performs one or more of the plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers.

Abstract: The present application is directed towards systems and methods of hunting for a hash table entry in a hash table distributed over a multi-node system. More specifically, when entries are created in an ASDR table, the owner node of the entry may replicate the entry onto a non-owner node. The replica can act as a backup of the ASDR table entry in the event the node leaves the multi-mode system. When the node returns to the multi-node system, the node may no longer have the most up to date ASDR table entries, and may hunt to find the existence of the value associated with the entry. Responsive to receiving a request for an entry that may be outdated on the node, the node sends a request down a replication chain for an updated copy of the ASDR table entry from one of the replicas. Responsive to receiving the replica copy of the entry, the node responds to the client's request for the entry.

Abstract: The present application is directed towards using a distributed hash table to track the use of resources and/or maintain the persistency of resources across the plurality of nodes in the multi-node system. More specifically, the systems and methods can maintain the persistency of resources across the plurality of nodes by the use of a global table. A global table may be maintained on each node. Each node's global table enables efficient storage and retrieval of distributed hash table entries. Each global table may contain a linked list of the cached distributed hash table entries that are currently stored on a node.

Abstract: The present application is directed towards ASDR table contract renewal. In some embodiments, a core may cache an ASDR table entry received from an owner core such that when the entry is needed again the core does not need to re-request the entry from the owner core. As storing a cached copy of the entry allows the non-owner core to use an ASDR table entry without requesting the entry from the owner core, the owner core may be unaware of an ASDR table entry's use by a non-owner core. To ensure the owner core keeps the ASDR table entry alive, which the non-owner core has cached, the non-owner core may perform contract renewal for each of its recently used cached entries. The contract renewal method may include sending a message to the owner core that indicates which cached ASDR table entries the non-owner core has recently used or accessed. Responsive to receiving the message the owner core may reset a timeout period associated with the ASDR table entry.

Abstract: A security gateway receives messages, such as URL requests, rejected by a message filter based on a set of rules. The security gateway maintains frequencies with which the messages were rejected by the rules. The security gateway finds rejected messages having a high frequency of occurrence. Since messages having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow similar messages to pass through the gateway.

Abstract: A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components.

Abstract: Described herein is a method and system for distributing whole and fragmented requests and responses across a multi-core system. Each core executes a packet engine that further processes data packets and data packet fragments allocated to that core. A flow distributor executing within the multi-core system forwards client requests to a packet engine on a core that is selected based on a value generated when a hash is applied to a tuple comprising a client IP address, a client port, a server IP address and a server port identified in the request. The packet engine maintains each element of the tuple and forwards the request to the selected core. The packet engine can also process data packet fragments by assembling the fragments prior to transmitting them to the selected core, or by transmitting the data packet fragments to the selected core.

Abstract: The present application is directed towards systems and methods for distributing traffic across nodes of a cluster of intermediary devices through distributed flow distribution (DFD). Upon receipt of network traffic, a cluster node, such as an intermediary computing device or appliance, may internally steer a portion of the traffic via an inter-node communications backplane to one or more other nodes in the cluster so that the load is equally handled by all of the nodes in the cluster. A cluster node may determine whether to process the traffic steered via the backplane by computing a hash of packet parameters of the network traffic. Hash keys may be selected such that uniformity is assured, and the key used in hash computation may be synchronized across all of the nodes so that only one node determines that it should process the particular packets or traffic flow.

Abstract: While each node in a cluster of nodes sources connections with the same IP if each node allocates a port on this IP independently, there may be port clashes. Also, the return traffic is not guaranteed to hit the originating node. These issues are addressed by allocating a port in such a way that the response traffic hashes back to the originating node. A good hash is chosen such that the ports are equally divided among the nodes. When a node leaves, the other nodes take over the port range used by this node. When a node joins, the node takes back its share of ports.

Abstract: In the present solution, when a cluster node sends an ARP request for an external IP, the node sends a message to all the other nodes, which are part of the CLAG to expect an ARP reply for the IP. When a node in the cluster receives the ARP reply, the node informs the other nodes which are part of the same CLAG to update the MAC address. Also when an ARP entry is learned/updated over a CLAG link as part of an ARP request/Gratuitous ARP, the node learning/updating the ARP entry will inform other nodes which are part of the same CLAG about the learned/updated ARP entry. Nodes in a cluster may communicate between with each other over a dedicated backplane, which may be a separate physical medium.

Abstract: In the present solution, when a cluster node sends an ARP request for an external IP, the node sends a message to all the other nodes, which are part of the CLAG to expect an ARP reply for the IP. When a node in the cluster receives the ARP reply, the node informs the other nodes which are part of the same CLAG to update the MAC address. Also when an ARP entry is learned/updated over a CLAG link as part of an ARP request/Gratuitous ARP, the node learning/updating the ARP entry will inform other nodes which are part of the same CLAG about the learned/updated ARP entry. Nodes in a cluster may communicate between with each other over a dedicated backplane, which may be a separate physical medium.

Abstract: The present invention is directed towards forwarding network packets in a cluster network. A predetermined identifier may be inserted into a Media Access Control (MAC) ID field of an Ethernet header of a packet to distinguish various types of traffic. Newly received packets may be identified due to the absence of the identifier. The identifier may be added to the source MAC ID field of the Ethernet header of the packet, and the packet may be distributed to cluster nodes for processing via an inter-node communication bus. Thus, received packets with the identifier in the source MAC ID field may be identified as steered for processing by an internal node of the cluster. After processing the packet, the internal node may transmit the processed packets via the inter-node bus with a destination MAC ID including the identifier.

Abstract: The present application is directed towards sharing data link layer information of network traffic distributed across a cluster of intermediary devices. A method for sharing data link layer information across a cluster includes receiving a request packet at a first intermediary device. The first intermediary device identifies a first set of data link layer information from a data link layer of the request packet. The first intermediary device modifies the request packet for transmission on a common data backplane of the cluster to include the first set of data link layer information in the request packet. The modified request packet includes a second set of data link layer information that differs from the first set of data link layer information at the data link layer. The first intermediary device transmits the modified request packet on the common data backplane of the cluster to other devices of the cluster.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: The present solution is related to a method for distributing flows of network traffic across a plurality of packet processing engines executing on a corresponding core of a multi-core device. The method includes receiving, by a multi-core device intermediary to clients and servers, a packet of a first flow of network traffic between a client and server. The method also includes assigning, by a flow distributor of the multi-core device, the first flow of network traffic to a first core executing a packet processing engine and distributing the packet to this core. The flow distributor may distribute packets of another or second flow of traffic between another client and server to a second core executing a second packet processing engine. When a packet for the flow of traffic assigned to the first core is received, such as a third packet, the flow distributor distributes this packet to the first core.