Abstract: new link requests are received and an application making the request is identified. SD-WAN parameters are retrieved from an application control database. A first parameter is a JLP loss requirement for the application, and can be either low JLP, medium JLP, or high JLP SLA level. A second parameter a downstream/upstream bandwidth capability requirement. Links are determined from the pool of available links that meet the JLP requirement. One of the links is selected for the new link request, from the pool of available links that meet the JLP requirement, based on a downstream and an upstream bandwidth capability.

Abstract: Systems and methods for improving the catch rate of attacks/malware by a cooperating group of network security devices are provided. According to one embodiment, a security management device configured in a protected network, maintains multiple dynamic IP address lists including an NGFW deep detection list, a DDoS deep detection list, a NGFW block list and a DDoS block list. The security management device, continuously updates the lists based on updates provided by a cooperating group of network security devices based on network traffic observed by the network security devices. In response to receipt of a request from a NGFW device or a DDoS mitigation device associated with the protected network, the security management device provides the requestor with the requested dynamic IP address lists for use in connection with processing network traffic by the requestor.

Abstract: Systems and methods for identifying a source of an attack chain based on network security scanning events triggered by movement of a decoy file are provided. A decoy file is stored on a deception host deployed by a deception-based intrusion detection system (IDS) within a private network. The decoy file contains therein a traceable object that is detectable by network security scanning performed by multiple network security devices protecting the private network. Information regarding an attack chain associated with an access to the decoy file or a transmission of the decoy file through the one or more network security devices is received by the deception-based IDS from the one or more network security devices. The information is created responsive to detection of a security incident by the network security scanning. Finally, an Internet Protocol (IP) address of a computer system that originated the attack chain is determined.

Abstract: Systems and methods are described for determining an on-net/off-set status of a client device. An endpoint security program running on the client device maintains an enterprise public Internet Protocol (IP) list containing one or more ranges of public IP addresses associated with an enterprise network. Further, the endpoint security program sends a request to a cloud-based service for information regarding a public IP address of the client device. In response to the request, the endpoint security program receives from the cloud-based service a response containing the public IP address and determines a connection status of the client device with respect to the enterprise network by comparing the public IP address to the enterprise public IP list.

Abstract: Systems and methods are described for determining an on-net/off-set status of a client device. An endpoint security program running on the client device maintains an enterprise public Internet Protocol (IP) list containing one or more ranges of public IP addresses associated with an enterprise network. Further, the endpoint security program sends a request to a cloud-based service for information regarding a public IP address of the client device. In response to the request, the endpoint security program receives from the cloud-based service a response containing the public IP address and determines a connection status of the client device with respect to the enterprise network by comparing the public IP address to the enterprise public IP list.

Abstract: Systems and methods for improving the catch rate of attacks/malware by a cooperating group of network security devices are provided. According to one embodiment, a security management device configured in a protected network, maintains multiple dynamic IP address lists including an NGFW deep detection list, a DDoS deep detection list, a NGFW block list and a DDoS block list. The security management device, continuously updates the lists based on updates provided by a cooperating group of network security devices based on network traffic observed by the network security devices. In response to receipt of a request from a NGFW device or a DDoS mitigation device associated with the protected network, the security management device provides the requestor with the requested dynamic IP address lists for use in connection with processing network traffic by the requestor.