Abstract: A zero trust network access appliance deployed at a customer premises can support gateway and cloud modes. In a gateway mode, the appliance operates as a zero trust network access gateway, and provides zero trust network access to applications hosted at the customer premises, using a firewall at the customer premises for network security. In the cloud mode, the appliance initiates a secure connection with a remote, cloud computing platform that provides a front end for zero trust network access. A threat management facility for the customer provides a control plane for managing zero trust network access provided through the cloud computing platform.

Abstract: Infrastructure for zero trust network access (ZTNA) is deployed as a cloud-based service remotely from a customer premises where user applications are hosted. By connecting an appliance on the customer premises to the cloud-based service through a secure tunnel or the like, an application hosted on the customer premises can then be accessed externally as a ZTNA application without the customer premises opening a firewall to public networks or otherwise exposing potential attack surfaces to the customer premises.

Abstract: A method includes receiving, by a computer system, information related to device health of an electronic device, determining, by the computer system, a health status of the electronic device based at least in part on the received information related to the device health of the electronic device, requesting, by a switch having a port connected to the electronic device, the health status of the electronic device from the computer system, receiving, by the computer system, the request for the health status of the electronic device from the switch, transmitting, by the computer system, the health status of the electronic device to the switch, evaluating, by the switch, the transmitted health status of the electronic device using network access rules associated corresponding to health statuses, and applying, by the switch, a network access control configuration to the port of the switch based on the evaluating the transmitted health status.

Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the treat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

Abstract: A method comprises monitoring a computing environment including a plurality of containers, determining, for one of the containers, a service type and an IP address, assigning the IP address of the container having the determined service type to a first list of IP addresses, assigning an IP address of each of the containers to a second list of IP addresses, applying a first security policy for a first source of network traffic for processing by the container having the determined service type and the IP address assigned to the first list of IP addresses, and applying a second security policy for a second source of network traffic for processing by the containers having the IP addresses assigned to the second list of IP addresses.

Abstract: A virtualized gateway for applications in a zero trust network access environment is managed from a cloud-based threat management facility for an enterprise network. In order to facilitate creation of a new, centrally managed gateway, a one-time passcode for registration of the gateway to the threat management facility is encoded onto a virtual disk and distributed to a host platform along with a base gateway image for the gateway. This advantageously permits the new gateway to boot and securely register with the threat management facility without further administrative intervention.

Abstract: Threat management devices and methods for a containerized firewall. The methods may include receiving instructions to configure a web application firewall being executed within a first container-based architecture, wherein the received instructions include changes to a previous network traffic policy; storing the received instructions as a changelog that indicates an updated network traffic policy to be implemented by the web application firewall; and communicating the updated network traffic policy to a first object store associated with the first container-based architecture and to a proxy service associated with the web application firewall.

Abstract: A method comprises monitoring a computing environment including a plurality of containers, determining, for one of the containers, a service type and an IP address, assigning the IP address of the container having the determined service type to a first list of IP addresses, assigning an IP address of each of the containers to a second list of IP addresses, applying a first security policy for a first source of network traffic for processing by the container having the determined service type and the IP address assigned to the first list of IP addresses, and applying a second security policy for a second source of network traffic for processing by the containers having the IP addresses assigned to the second list of IP addresses.

Abstract: A method includes receiving, by a computer system, information related to device health of an electronic device, determining, by the computer system, a health status of the electronic device based at least in part on the received information related to the device health of the electronic device, requesting, by a switch having a port connected to the electronic device, the health status of the electronic device from the computer system, receiving, by the computer system, the request for the health status of the electronic device from the switch, transmitting, by the computer system, the health status of the electronic device to the switch, evaluating, by the switch, the transmitted health status of the electronic device using network access rules associated corresponding to health statuses, and applying, by the switch, a network access control configuration to the port of the switch based on the evaluating the transmitted health status.

Abstract: A method for performing admission control in a containerized computing environment includes deploying, by one or more processors of a computer system, the containerized computing environment, receiving, by the containerized computing environment, constraints associated with admission control for containers, the constraints related to container security and receiving, by the containerized computing environment, a request for creating a container. The method includes determining, by an admission controller of the containerized computing environment, a quality metric of the container associated with the received request, performing, by the admission controller of the containerized computing environment, admission control prior to the creating of the container by applying the constraints using the determined quality metric, and allowing or disallowing, by the admission controller of the containerized computing environment, creation of the container based on the performing the admission control.

Abstract: Systems and methods for operating a container-based architecture. The methods include executing, using one or more processors, instructions stored on memory to provide a Domain Name Service (DNS) proxy service, wherein the DNS proxy service is executed in a container-based architecture; and receiving at the DNS proxy service a domain name service (DNS) request, wherein the DNS request is received from an application service executing in the container-based architecture and the DNS request is directed to a DNS service being executed in the same container-based architecture as the DNS proxy service.

Abstract: A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

Abstract: A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

Abstract: A policy created through an administrative user interface is converted into an intermediate representation that can be compiled for execution by a gateway or converted into a human-readable form for modifications by the administrator.

Abstract: An administrator can initiate an automatic software update to a network appliance that is configured as a cluster of nodes. The update is performed sequentially on a node-by-node basis in order to maintain availability and performance of the network appliance during the update.

Abstract: In order to use zero trust network resources distributed across multiple gateways, an agent is deployed on an endpoint of an enterprise network. The agent maps requests for specific applications to corresponding gateways. The agent may also multiplex or otherwise aggregate communications among different network applications and gateways in order to provide seamless, transparent access to the distributed resources at a single endpoint, and/or within a single interface.

Abstract: A gateway performs silent authentication refreshes with an identity management platform in order to extend the expiration of a cookie provided to an endpoint that accesses network applications through the gateway.

Abstract: A virtualized gateway for applications in a zero trust network access environment is managed from a cloud-based threat management facility for an enterprise network. In order to facilitate creation of a new, centrally managed gateway, a one-time passcode for registration of the gateway to the threat management facility is encoded onto a virtual disk and distributed to a host platform along with a base gateway image for the gateway. This advantageously permits the new gateway to boot and securely register with the threat management facility without further administrative intervention.

Abstract: Certain edge networking devices such as application gateways may report status to a cloud-based threat management platform using a persistent network connection between the gateway and the cloud platform. Where a cloud computing platform for an edge networking device or the treat management platform imposes periodic timeouts, the threat management platform may monitor connects and disconnects for edge devices and asynchronously evaluate connection status of edge devices independently of a heartbeat or other signal through the persistent connection in order to distinguish periodic timeouts imposed by the cloud computing platform from networking devices that are compromised or malfunctioning.

Abstract: A virtualized gateway for applications in a zero trust network access environment is managed from a cloud-based threat management facility for an enterprise network. In order to facilitate creation of a new, centrally managed gateway, a one-time passcode for registration of the gateway to the threat management facility is encoded onto a virtual disk and distributed to a host platform along with a base gateway image for the gateway. This advantageously permits the new gateway to boot and securely register with the threat management facility without further administrative intervention.