Patents by Inventor Alok Tiagi

Alok Tiagi has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230262114
    Abstract: The disclosure provides an approach for workload labeling and identification of known or custom applications. Embodiments include determining a plurality of sets of features comprising a respective set of features for each respective workload of a first subset of a plurality of workloads. Embodiments include identifying a group of workloads based on similarities among the plurality of sets of features. Embodiments include receiving label data from a user comprising a label for the group of workloads. Embodiments include associating the label with each workload of the group of workloads to produce a training data set. Embodiments include using the training data set to train a model to output labels for input workloads. Embodiments include determining a label for a given workload of the plurality of workloads by inputting features of the given workload to the model.
    Type: Application
    Filed: April 26, 2023
    Publication date: August 17, 2023
    Inventors: Alok TIAGI, Farzad GHANNADIAN, Karen HAYRAPETYAN, Laxmikant Vithal GUNDA, Sunitha KRISHNA, Ashot ASLANYAN, Anirban SENGUPTA
  • Patent number: 11659026
    Abstract: The disclosure provides an approach for workload labeling and identification of known or custom applications. Embodiments include determining a plurality of sets of features comprising a respective set of features for each respective workload of a first subset of a plurality of workloads. Embodiments include identifying a group of workloads based on similarities among the plurality of sets of features. Embodiments include receiving label data from a user comprising a label for the group of workloads. Embodiments include associating the label with each workload of the group of workloads to produce a training data set. Embodiments include using the training data set to train a model to output labels for input workloads. Embodiments include determining a label for a given workload of the plurality of workloads by inputting features of the given workload to the model.
    Type: Grant
    Filed: April 22, 2020
    Date of Patent: May 23, 2023
    Assignee: VMWARE, INC.
    Inventors: Alok Tiagi, Farzad Ghannadian, Karen Hayrapetyan, Laxmikant Vithal Gunda, Sunitha Krishna, Ashot Aslanyan, Anirban Sengupta
  • Patent number: 11431677
    Abstract: The method for implementing mechanisms for Layer 7 context accumulation for enforcing Layers 4, 7, and verb-based rules is presented. The method comprises: receiving stream data, and identifying a packet in the stream. If the packet includes Layer 7 headers: for each Layer 7 header: determining content of the packet identified by a Layer 7 header's identifier; and parsing the content to extract firewall input data. If one or more rules at least partially match the firewall input data, determining that a particular rule also includes additional information that cannot be found in the firewall input data; performing a DPI on the content to determine whether at least a portion of the additional information is found in the content; extracting additional input data from the content and adding it to the firewall input data; and applying the rules to the firewall input data to process the packet.
    Type: Grant
    Filed: January 11, 2018
    Date of Patent: August 30, 2022
    Assignee: NICIRA, INC.
    Inventors: Sushruth Gopal, Jayant Jain, Subrahmanyam Manuguri, Anirban Sengupta, Deepa Kalani, Alok Tiagi, Sushil Singh
  • Publication number: 20210336899
    Abstract: The disclosure provides an approach for workload labeling and identification of known or custom applications. Embodiments include determining a plurality of sets of features comprising a respective set of features for each respective workload of a first subset of a plurality of workloads. Embodiments include identifying a group of workloads based on similarities among the plurality of sets of features. Embodiments include receiving label data from a user comprising a label for the group of workloads. Embodiments include associating the label with each workload of the group of workloads to produce a training data set. Embodiments include using the training data set to train a model to output labels for input workloads. Embodiments include determining a label for a given workload of the plurality of workloads by inputting features of the given workload to the model.
    Type: Application
    Filed: April 22, 2020
    Publication date: October 28, 2021
    Inventors: Alok TIAGI, Farzad GHANNADIAN, Karen HAYRAPETYAN, Laxmikant Vithal GUNDA, Sunitha KRISHNA, Ashot ASLANYAN, Anirban SENGUPTA
  • Patent number: 10791092
    Abstract: Some embodiments provide a method that receives a packet, having a set of one or more layer 7 (L7) expressions, from a datapath. The method identifies a set of datapath firewall rules that match on expressions in the set of expressions. The method provides identifiers for the datapath firewall rules of the identified set to the datapath. The datapath uses the identifiers and additional packet header data to determine a matching firewall rule from the set of datapath firewall rules.
    Type: Grant
    Filed: February 14, 2018
    Date of Patent: September 29, 2020
    Assignee: NICIRA, INC.
    Inventors: Alok Tiagi, Jayant Jain, Sushruth Gopal, Anirban Sengupta, Subrahmanyam Manuguri
  • Patent number: 10742673
    Abstract: For a managed network including multiple nodes providing multiple services and executing multiple applications some embodiments provide a method for generating groupings of network addresses associated with different applications or services. The method analyzes network traffic patterns using a probabilistic topic modeling algorithm to generate the groupings of network addresses. In some embodiments, data is collected and analyzed periodically. A network administrator defines the granularity of the time stamps in some embodiments to monitor changes in network traffic patterns over time for each network address or node and/or for the network as a whole. For each network address or node, a probability distribution over the topics at a given time is stored in some embodiments. The stored distributions are then used to determine a divergence over time of the application or service provided by the network address or node. Additionally, the stored distributions can be used to detect anomalous behavior.
    Type: Grant
    Filed: December 8, 2017
    Date of Patent: August 11, 2020
    Assignee: NICIRA, INC.
    Inventors: Alok Tiagi, Jayant Jain, Anirban Sengupta, Subrahmanyam Manuguri, Vedant Saran
  • Patent number: 10608887
    Abstract: Some embodiments provide a method that performs a packet tracing operation for a particular data flow between endpoints of a logical network to generate a representation of logical network components along a path between the endpoints. In response to a selection of at least two of the logical network components, the method automatically generates separate packet capture operations for execution by physical components that implement each of the selected logical network components. The method uses packet header information to correlate packet data from the separate packet capture operations.
    Type: Grant
    Filed: October 6, 2017
    Date of Patent: March 31, 2020
    Assignee: NICIRA, INC.
    Inventors: Jayant Jain, Anirban Sengupta, Subrahmanyam Manuguri, Rick Lund, Alok Tiagi
  • Publication number: 20190253390
    Abstract: Some embodiments provide a method that receives a packet, having a set of one or more layer 7 (L7) expressions, from a datapath. The method identifies a set of datapath firewall rules that match on expressions in the set of expressions. The method provides identifiers for the datapath firewall rules of the identified set to the datapath. The datapath uses the identifiers and additional packet header data to determine a matching firewall rule from the set of datapath firewall rules.
    Type: Application
    Filed: February 14, 2018
    Publication date: August 15, 2019
    Inventors: Alok Tiagi, Jayant Jain, Sushruth Gopal, Anirban Sengupta, Subrahmanyam Manuguri
  • Publication number: 20190215307
    Abstract: The method for implementing mechanisms for Layer 7 context accumulation for enforcing Layers 4, 7, and verb-based rules is presented. The method comprises: receiving stream data, and identifying a packet in the stream. If the packet includes Layer 7 headers: for each Layer 7 header: determining content of the packet identified by a Layer 7 header's identifier; and parsing the content to extract firewall input data. If one or more rules at least partially match the firewall input data, determining that a particular rule also includes additional information that cannot be found in the firewall input data; performing a DPI on the content to determine whether at least a portion of the additional information is found in the content; extracting additional input data from the content and adding it to the firewall input data; and applying the rules to the firewall input data to process the packet.
    Type: Application
    Filed: January 11, 2018
    Publication date: July 11, 2019
    Applicant: NICIRA, INC.
    Inventors: Sushruth GOPAL, Jayant JAIN, Subrahmanyam MANUGURI, Anirban SENGUPTA, Deepa KALANI, Alok TIAGI, Sushil SINGH
  • Publication number: 20190215306
    Abstract: The method for processing interleaved Layers 4, 7 and verb-based rulesets is presented. The method comprises receiving stream data; identifying a packet in the stream; parsing the packet to extract firewall input data; and determining that one or more rules at least partially match the firewall input data. If any of the rules also include additional information not found in the firewall input data, a DPI is performed to determine whether a first portion of the additional information is found in the packet. If no first portion of the additional information is found, a full DPI is performed to determine whether a second portion of the additional information is found in the packet. If the second portion is found, additional input data is extracted from the packet, and added to the firewall input data. The rules are applied to the firewall input data to determine whether to transmit the packet.
    Type: Application
    Filed: January 11, 2018
    Publication date: July 11, 2019
    Applicant: NICIRA, INC.
    Inventors: Sushruth GOPAL, Jayant JAIN, Subrahmanyam MANUGURI, Anirban SENGUPTA, Deepa KALANI, Alok TIAGI, Sushil SINGH
  • Publication number: 20190180141
    Abstract: For a managed network including multiple nodes providing multiple services and executing multiple applications some embodiments provide a method for generating groupings of network addresses associated with different applications or services. The method analyzes network traffic patterns using a probabilistic topic modeling algorithm to generate the groupings of network addresses. Network traffic patterns are related to the different flows in the network. The method analyzes information about the different flows such as some combination of the network addresses in the network that are a source or destination of the flow, the source or destination port, the number of packets in each flow, the number of bytes exchanged during the life of the flow, a start time of a flow, and the duration of the flow. In some embodiments, the information is collected as part of an internet protocol flow information export (IPFIX) operation or a tcpdump operation.
    Type: Application
    Filed: December 8, 2017
    Publication date: June 13, 2019
    Inventors: Alok Tiagi, Jayant Jain, Anirban Sengupta, Subrahmanyam Manuguri, Vedant Saran
  • Publication number: 20190182276
    Abstract: For a managed network including multiple nodes providing multiple services and executing multiple applications some embodiments provide a method for generating groupings of network addresses associated with different applications or services. The method analyzes network traffic patterns using a probabilistic topic modeling algorithm to generate the groupings of network addresses. In some embodiments, data is collected and analyzed periodically. A network administrator defines the granularity of the time stamps in some embodiments to monitor changes in network traffic patterns over time for each network address or node and/or for the network as a whole. For each network address or node, a probability distribution over the topics at a given time is stored in some embodiments. The stored distributions are then used to determine a divergence over time of the application or service provided by the network address or node. Additionally, the stored distributions can be used to detect anomalous behavior.
    Type: Application
    Filed: December 8, 2017
    Publication date: June 13, 2019
    Inventors: Alok Tiagi, Jayant Jain, Anirban Sengupta, Subrahmanyam Manuguri, Vedant Saran
  • Publication number: 20190109769
    Abstract: Some embodiments provide a method that performs a packet tracing operation for a particular data flow between endpoints of a logical network to generate a representation of logical network components along a path between the endpoints. In response to a selection of at least two of the logical network components, the method automatically generates separate packet capture operations for execution by physical components that implement each of the selected logical network components. The method uses packet header information to correlate packet data from the separate packet capture operations.
    Type: Application
    Filed: October 6, 2017
    Publication date: April 11, 2019
    Inventors: Jayant Jain, Anirban Sengupta, Subrahmanyam Manuguri, Rick Lund, Alok Tiagi
  • Patent number: 10193862
    Abstract: A computer system provides a method for identifying firewall rules to apply to a virtual machine based on detecting initiation of a new network connection from the virtual machine. An example method generally includes detecting initiation of communications on a network port by a virtual machine, identifying one or more applications executing on the virtual machine that initiated communications on the network port, identifying one or more firewall rules to apply to the virtual machine based, at least in part, on the identification of the one or more applications, determining a deviation between firewall rules applied to the virtual machine and the identified one or more firewall rules, and upon determining that a deviation exists between the firewall rules applied to the virtual machine and the identified one or more firewall rules, applying one or more rules corresponding to the determined deviation to the virtual machine.
    Type: Grant
    Filed: November 29, 2016
    Date of Patent: January 29, 2019
    Assignee: VMware, Inc.
    Inventors: Jayant Jain, Anirban Sengupta, Alok Tiagi, Jingmin Zhou, Russell Lu
  • Publication number: 20180152417
    Abstract: A computer system provides a method for identifying firewall rules to apply to a virtual machine based on detecting initiation of a new network connection from the virtual machine. An example method generally includes detecting initiation of communications on a network port by a virtual machine, identifying one or more applications executing on the virtual machine that initiated communications on the network port, identifying one or more firewall rules to apply to the virtual machine based, at least in part, on the identification of the one or more applications, determining a deviation between firewall rules applied to the virtual machine and the identified one or more firewall rules, and upon determining that a deviation exists between the firewall rules applied to the virtual machine and the identified one or more firewall rules, applying one or more rules corresponding to the determined deviation to the virtual machine.
    Type: Application
    Filed: November 29, 2016
    Publication date: May 31, 2018
    Inventors: Jayant JAIN, Anirban SENGUPTA, Alok TIAGI, Jingmin ZHOU, Russell LU
  • Publication number: 20170126516
    Abstract: A method of collecting health check metrics for a network is provided. The method, at a deep packet inspector on a physical host in a datacenter, receives a copy of a network packet from a load balancer. The packet includes a plurality of layers. Each layer corresponds to a communication protocol in a plurality of communication protocols. The method identifies an application referenced in the packet. The method analyzes the information in one or more layers of the packet to determine metrics for the source application. The method sends the determined metrics to the load balancer.
    Type: Application
    Filed: January 13, 2016
    Publication date: May 4, 2017
    Inventors: Alok Tiagi, Jayant Jain, Anirban Sengupta, Srinivas Nimmagadda, Rick Lund