Abstract: Techniques for using an end-to-end policy controller to utilize an inventory of enforcement points to generate a chain of enforcement points having capabilities to enforcement individual operations of an intent-based security policy associated with an entity accessing a resource. A network controller may intelligently split an intent-based security policy and send portions thereof to enforcement points along a path configured for an entity to access a resource. For example, a portion of a security policy corresponding to an operation may be mapped to and implemented by an enforcement point having a capability to perform the operation. Once each operation of a security policy has been mapped to an enforcement point, a chain of enforcement points may be generated.

Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.

Abstract: Techniques for augmenting deep packet inspection capabilities of a network security device provisioned in a networked computing environment with inference-based flow selection to focus processing resources on network traffic that is likely to be malicious. The network device(s) may receive decryption policies comprising one or more decrypt and/or do not decrypt rules for applying the decryption policy to the network traffic. The network device may receive network traffic associated with a given connection flow through the network between a client device and a workload application, and the network device may determine whether to decrypt or refrain from decrypting the network traffic associated with the network flow based on a risk score that is generated by the network device using connection fingerprints associated with the client device and the workload application, respectively, based on behavioral characteristics of the client device and the workload, respectively.

Abstract: Techniques for using an end-to-end policy controller to utilize an inventory of enforcement points to generate a chain of enforcement points having capabilities to enforcement individual operations of an intent-based security policy associated with an entity accessing a resource. A network controller may intelligently split an intent-based security policy and send portions thereof to enforcement points along a path configured for an entity to access a resource. For example, a portion of a security policy corresponding to an operation may be mapped to and implemented by an enforcement point having a capability to perform the operation. Once each operation of a security policy has been mapped to an enforcement point, a chain of enforcement points may be generated.

Abstract: Techniques for using an end-to-end policy controller to automatically discover and inventory enforcement points in a network. A network controller may leverage data associated with network devices in a network to identify paths between source endpoints and destination endpoints to establish an inventory of enforcement points along the paths. For example, the controller may consume telemetry data indicative of network events (e.g., firewall events, IPS event logs, netflow events, etc.) to figure out where enforcement points are provisioned with respect to traffic being observed. Additionally, the SDN controller may dynamically build a network topology providing indications of roles and/or locations of enforcement points.

Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.

Abstract: A network security device has at least one Fully Qualified Domain Name (FQDN) access policy that permits traffic to flow to at least one resource associated with at least one FQDN. The network security device receives, from a managed endpoint device, a packet directed to the at least one resource associated with the at least one FQDN. The network security device obtains DNS information associated with the managed endpoint device and, based on the domain name system (DNS) information, substitutes a network address of the at least one resource into the at least one FQDN access policy to open a traffic flow to the at least one resource associated with the at least one FQDN. The network security device then provides the packet to the at least one resource associated with the at least one FQDN.

Abstract: Methods and apparatuses providing file type inspection in firewalls by moving the flow between deep inspection file and lightweight accelerated paths. The method includes obtaining, by a network security device, a packet flow of a file transfer session in which at least two files are transferred and determining, by the network security device, at least an offset parameter based on at least one attribute of at least a first packet in the packet flow. The offset parameter is for a first file being transferred of the at least two files and relates to an expected positon of a control data sequence within the packet flow. In this method, based on the offset parameter, directing, by the network security device, to an accelerated packet inspection path instead of to a deep packet inspection path, a portion of the packet flow including one or more packets that follow the first packet.

Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.

Abstract: A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across the network devices for port address translation. The master network device divides the port blocks in the pool into multiple buckets. The master network device allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device allocates to the new network device the port blocks from a corresponding one of the reserved buckets.

Abstract: A first packet of a packet flow is received at a classifying network device. The first packet is forwarded from the classifying network device to a firewall network device. An indication that the packet flow is to be offloaded is received at the classifying network device. Data is stored at the classifying network device indicating that the packet flow is to be offloaded. A non-control packet of the packet flow is received at the classifying network device. A determination is made that the non-control packet belongs to the packet flow by comparing data contained in the non-control packet to the stored data. The non-control packet of the packet flow is directed to a processing entity in response to the determining. A control packet of the packet flow is received at the classifying network device. The control packet of the packet flow is directed to the firewall network device.

Abstract: A network security device has at least one Fully Qualified Domain Name (FQDN) access policy that permits traffic to flow to at least one resource associated with at least one FQDN. The network security device receives, from a managed endpoint device, a packet directed to the at least one resource associated with the at least one FQDN. The network security device obtains DNS information associated with the managed endpoint device and, based on the domain name system (DNS) information, substitutes a network address of the at least one resource into the at least one FQDN access policy to open a traffic flow to the at least one resource associated with the at least one FQDN. The network security device then provides the packet to the at least one resource associated with the at least one FQDN.

Abstract: A method is provided including obtaining at a newly added flow mapper node of a plurality of flow mapper nodes, from a first flow locator node of a plurality of flow locator nodes, a flow owner lookup request for flow state information that includes identification of a particular flow locator that is to handle processing of a packet flow. The newly added flow mapper node determines whether it has stored flow state information. When the newly added flow mapper node does not have stored flow state information, the newly added flow mapper node identifies a particular flow mapper node of the plurality of flow mapper nodes which has stored flow state information for the particular packet flow and services the flow owner lookup request using flow state information stored by the particular flow mapper node.

Abstract: A method is provided including obtaining at a newly added flow mapper node of a plurality of flow mapper nodes, from a first flow locator node of a plurality of flow locator nodes, a flow owner lookup request for flow state information that includes identification of a particular flow locator that is to handle processing of a packet flow. The newly added flow mapper node determines whether it has stored flow state information. When the newly added flow mapper node does not have stored flow state information, the newly added flow mapper node identifies a particular flow mapper node of the plurality of flow mapper nodes which has stored flow state information for the particular packet flow and services the flow owner lookup request using flow state information stored by the particular flow mapper node.

Abstract: Methods and apparatuses providing file type inspection in firewalls by moving the flow between deep inspection file and lightweight accelerated paths. The method includes obtaining, by a network security device, a packet flow of a file transfer session in which at least two files are transferred and determining, by the network security device, at least an offset parameter based on at least one attribute of at least a first packet in the packet flow. The offset parameter is for a first file being transferred of the at least two files and relates to an expected positon of a control data sequence within the packet flow. In this method, based on the offset parameter, directing, by the network security device, to an accelerated packet inspection path instead of to a deep packet inspection path, a portion of the packet flow including one or more packets that follow the first packet.

Abstract: A method for selecting either a first malware analysis system or a second malware analysis system to analyze a file is disclosed. The method includes obtaining, at a network security element, a file sent between a first device and a second device, the file having one or more associated attributes; analyzing, at the network security element, the one or more attributes of the file; selecting, based on the analyzing, either the first malware analysis system or the second malware analysis system as a selected malware analysis system for malware analysis of the file; and providing the file to the selected malware analysis system.

Abstract: A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across the network devices for port address translation. The master network device divides the port blocks in the pool into multiple buckets. The master network device allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device allocates to the new network device the port blocks from a corresponding one of the reserved buckets.

Abstract: An example method for facilitating hierarchical clustering in a geographically dispersed network environment is provided and includes receiving a packet at one of a plurality of adaptive security appliance (ASA) units in one of a plurality of ASA clusters in a cluster domain of a network environment, identifying the packet as matching an inter-data center live traffic profile, identifying a target ASA cluster in the plurality of ASA clusters in the cluster domain, querying a domain director in the target ASA cluster for a flow owner, and if the flow owner is identified by the domain director, forwarding the packet to the flow owner in the target cluster, and if the flow owner is not identified by the domain director, and the domain director includes a flow state for a flow to which the packet belongs, designating the ASA unit as the flow owner.

Abstract: A method is performed by a master network device among network devices of a cluster. The master network device receives cluster configuration information including a set of Internet Protocol (IP) addresses and a pool of port blocks associated with the IP addresses. Each port block includes multiple ports, and the pool of the port blocks is to be shared across and used by the network devices for port address translation on network connections with the network devices. The master network device divides the port blocks in the pool into multiple buckets. The master network device first allocates to each network device in the cluster a corresponding one of the buckets, and reserves each bucket that is not allocated for allocation to a potential new network device. When a new network device joins the cluster, the master network device second allocates to the new network device the port blocks from a corresponding one of the reserved buckets.

Abstract: A method for selecting either a first malware analysis system or a second malware analysis system to analyze a file is disclosed. The method includes obtaining, at a network security element, a file sent between a first device and a second device, the file having one or more associated attributes; analyzing, at the network security element, the one or more attributes of the file; selecting, based on the analyzing, either the first malware analysis system or the second malware analysis system as a selected malware analysis system for malware analysis of the file; and providing the file to the selected malware analysis system.