Abstract: Server state objects are identified by an intermediate server among packets transmitted between an application server and a client device on a network based upon a stateless communication protocol, by monitoring and analyzing the packets transmitted between the application server and the client device. The packets are parsed into a plurality of name-value pairs. The entropy of the name-value pairs having a same name field is computed, and candidate data objects that are likely to be server state objects are selected based upon the computed entropy. Candidate data objects that were transmitted bi-directionally between the application server and the client device are identified as server state objects.

Abstract: The present solution is related to a method for distributing flows of network traffic across a plurality of packet processing engines executing on a corresponding core of a multi-core device. The method includes receiving, by a multi-core device intermediary to clients and servers, a packet of a first flow of network traffic between a client and server. The method also includes assigning, by a flow distributor of the multi-core device, the first flow of network traffic to a first core executing a packet processing engine and distributing the packet to this core. The flow distributor may distribute packets of another or second flow of traffic between another client and server to a second core executing a second packet processing engine. When a packet for the flow of traffic assigned to the first core is received, such as a third packet, the flow distributor distributes this packet to the first core.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: A security gateway receives messages transmitted between a server and a client device on a network and parses the messages into a plurality of data objects, such as strings and name-value pairs. The data objects may represent user personal identification information, such as user name, social security number, credit card number, patient code, driver's license number, and other personal identification information. The security gateway uses rules to recognize data objects and validate the data objects to determine whether the recognized data objects are appropriately included within the context. The security gateway may also perform an action on the data objects. Data objects that are not appropriately included in the context may be transformed, suppressed or disallowed.

Abstract: Described are methods and systems for managing the connections between a client, an intermediary appliance and a server, so that asynchronous messages can be transmitted over HTTP from the server to a client. When a connection is established between a client and an intermediary, and the intermediary and a server to establish a logical client-server connection, that logical client-server connection is labeled and not maintained, while the connection between the client and the intermediary is maintained. Messages generated by the server and destined for the client are transmitted to the intermediary along with the connection label. The intermediary can then use the connection label to determine which client should receive the message.

Abstract: The present invention is directed towards systems and methods for sharing session data among cores in a multi-core system. A first application firewall module executes on a core of a multi-core intermediary device which establishes a user session. The first application firewall module stores application firewall session data to memory accessible by the first core. A second application firewall module executes on a second core of the multi-core intermediary device. The second application firewall module receives a request from the user via the established user session. The request includes a session identifier identifying that the user session was established by the first core. The second application firewall module determines to perform one or more security checks on the request and communicates a portion of the request the first core. The second application firewall module receives and processes the security check results and instructions from the first core.

Abstract: The present invention is directed towards systems and methods for efficiently an intermediary device processing strings in web pages across a plurality of user sessions. A device intermediary to a plurality of clients and a server identifies a plurality of strings in forms and uniform resource locators (URLs) of web pages traversing the device across a plurality of user sessions. The device stores each string of the plurality of strings to one or more allocation arenas shared among a plurality of user session. Each string is indexed using a hash key generated from the string. The device recognizes that a received string transmitted from a webpage of a session of a user is eligible to be shared among the plurality of user sessions. The device determines that a copy of the received string is stored in an allocation arena using a hash generated from the received string.

Abstract: The present invention is directed towards systems and methods for determining failure in and controlling access to a shared resource in a multi-core system. In some embodiments of a multi-core system, individual cores may share the same resource. Additionally, the resource may occasionally fail or need to be reset, and the period during which the resource is being reset may be non-instantaneous. In an embodiment without coordination between the cores, one core experiencing a failure may reset the resource. During the period in which the resource is resetting, another core may interpret the reset as a failure and reset the resource. As more cores interpret the resets as failures, they will trigger resets, quickly resulting in the resource being constantly reset and unavailable. Thus, in some embodiments, a coordination system may be utilized to determine failure of a shared resource and control resets and access to the shared resource.

Abstract: The cloud bridge may comprise a tunnel between a datacenter network via a WAN to a cloud network. The cloud bridge makes cloud-hosted applications appear as though they are running on one contiguous enterprise network. With a cloud bridge in place, administrators, tools and the applications believe that the application resides on the enterprise network.

Abstract: A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway.

Abstract: A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components.

Abstract: A method and system for generating a web log that includes transaction entries from transaction queues of one or more cores of a multi-core system. A transaction queue is maintained for each core so that either a packet engine or web logging client executing on the core can write transaction entries to the transaction queue. In some embodiments, a timestamp value obtained from a synchronized timestamp variable can be assigned to the transaction entries. When a new transaction entry is added to the transaction queue, the earliest transaction entry is removed from the transaction queue and added to a heap. Periodically the earliest entry in the heap is removed from the heap and written to a web log. When an entry is removed from the heap, the earliest entry in a transaction queue corresponding to the removed entry is removed from the transaction queue and added to the heap.

Abstract: Server state objects are identified by an intermediate server among packets transmitted between an application server and a client device on a network based upon a stateless communication protocol, by monitoring and analyzing the packets transmitted between the application server and the client device. The packets are parsed into a plurality of name-value pairs. The entropy of the name-value pairs having a same name field is computed, and candidate data objects that are likely to be server state objects are selected based upon the computed entropy. Candidate data objects that were transmitted bi-directionally between the application server and the client device are identified as server state objects.

Abstract: The present application is directed towards systems and methods for ensuring equal distribution of packet flows among a plurality of cores in a multi-core system by identifying a rank of a matrix created from a hash key. If the rank of the matrix is equal to or greater than a divisor of a modulo operation applied to the results of the hash function, then the hash key may be used to ensure equal distribution of packet flows.

Abstract: Described herein is a method and system for distributing whole and fragmented requests and responses across a multi-core system. Each core executes a packet engine that further processes data packets and data packet fragments allocated to that core. A flow distributor executing within the multi-core system forwards client requests to a packet engine on a core that is selected based on a value generated when a hash is applied to a tuple comprising a client IP address, a client port, a server IP address and a server port identified in the request. The packet engine maintains each element of the tuple and forwards the request to the selected core. The packet engine can also process data packet fragments by assembling the fragments prior to transmitting them to the selected core, or by transmitting the data packet fragments to the selected core.

Abstract: The present disclosure is directed to methods and systems of providing a user-selectable list of disparately hosted applications. A device intermediary to a client and one or more servers may receive a user request to access a list of applications published to the user. The device may communicate to the client the list of published applications available to the user, the list comprising graphical icons corresponding to disparately hosted applications, at least one graphical icon corresponding to a third-party hosted application of the disparately hosted applications, the third party hosted application served by a remote third-party server. The device may receive a selection from the user of the at least one graphical icon. The device may communicate, from the remote third party server to the client of the user, execution of the third party hosted application responsive to the selection by the user.

Abstract: Server state objects are identified by an intermediate server among packets transmitted between an application server and a client device on a network based upon a stateless communication protocol, by monitoring and analyzing the packets transmitted between the application server and the client device. The packets are parsed into a plurality of name-value pairs. The entropy of the name-value pairs having a same name field is computed, and candidate data objects that are likely to be server state objects are selected based upon the computed entropy. Candidate data objects that were transmitted bi-directionally between the application sever and the client device are identified as server state objects.

Abstract: Described herein is a method and system for distributing whole and fragmented requests and responses across a multi-core system. Each core executes a packet engine that further processes data packets and data packet fragments allocated to that core. A flow distributor executing within the multi-core system forwards client requests to a packet engine on a core that is selected based on a value generated when a hash is applied to a tuple comprising a client IP address, a client port, a server IP address and a server port identified in the request. The packet engine maintains each element of the tuple and forwards the request to the selected core. The packet engine can also process data packet fragments by assembling the fragments prior to transmitting them to the selected core, or by transmitting the data packet fragments to the selected core.

Abstract: A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components.

Abstract: The present invention is directed towards systems and methods for efficiently an intermediary device processing strings in web pages across a plurality of user sessions. A device intermediary to a plurality of clients and a server identifies a plurality of strings in forms and uniform resource locators (URLs) of web pages traversing the device across a plurality of user sessions. The device stores each string of the plurality of strings to one or more allocation arenas shared among a plurality of user session. Each string is indexed using a hash key generated from the string. The device recognizes that a received string transmitted from a webpage of a session of a user is eligible to be shared among the plurality of user sessions. The device determines that a copy of the received string is stored in an allocation arena using a hash generated from the received string.