Abstract: A network interface device includes a security database and a security services engine. The security database is configured to store patterns corresponding to predetermined malware. The security services engine is configured to compare data to be transmitted through a network to the patterns stored in the security database, and the security database is configured to receive updated patterns from the network.

Abstract: A network interface device includes a security database and a security services engine. The security database is configured to store patterns corresponding to predetermined malware. The security services engine is configured to compare data to be transmitted through a network to the patterns stored in the security database, and the security database is configured to receive updated patterns from the network.

Abstract: A network device and method include token buckets, each token bucket associated with one of clients and virtual ports and configured to process information based on a predefined bandwidth and a strict priority/weighted deficit round robin. A maximum rate shaper module and a minimum rate meter module shape and meter whether any of the clients or virtual ports have exceeded a predefined threshold. A scheduler is configured to schedule services of the clients and to calculate a new bandwidth allocation for at least one of the clients or virtual ports when the at least one of the clients or virtual ports has exceeded the predefined threshold, the new bandwidth allocation replacing the predefined bandwidth and being proportional to the predefined bandwidth for each of the clients or virtual ports.

Abstract: The present solution is directed towards systems and methods for managing cookies by a multi-core device. The device is intermediary to a client and one or more servers. A first core of a multi-core device receives a response from a server to a request of the client through a user session. The response comprises a cookie. The first core removes the cookie from the response and stores the cookie in a corresponding storage for the session. The first core forwards the response without the cookie to the client. A second core then receives via a session, a second request from the client. The second core determines the identification of the first core as owner of the session from the second request. The second core then communicates to the first core a third request for cookie information for the session.

Abstract: The present solution enables a client that is not configured to use cookies to access resources of the server that uses cookies for communications with the clients. An intermediary deployed between a client and a server intercepts and modifies transmissions between the client and the server to compensate for the mismatch in configuration of the cookies between the client and the server. The present disclosure relates to a method for managing cookies by an intermediary for a client. An intermediary receives a response from a server to a request of a client. The response may comprise a uniform resource locator (URL) and a cookie. The intermediary may modify the response by removing the cookie from the response and inserting a unique client identifier into the URL. The intermediary may store the removed cookie in association with the unique client identifier and forward the modified response to the client.

Abstract: Various aspects of a method and system for transmission control protocol (TCP) traffic smoothing are presented. Traffic smoothing may comprise a method for controlling data transmission in a communications system that further comprises scheduling the timing of transmission of information from a TCP offload engine (TOE) based on a traffic profile. Traffic smoothing may comprise transmitting information from a TOE at a rate that is either greater than, approximately equal to, or less than, the rate at which the information was generated. Some conventional network interface cards (NIC) that utilize TOEs may not provide a mechanism that enables traffic shaping. By not providing a mechanism for traffic shaping, there may be a greater probability of lost packets in the network.

Abstract: The solution of the present application addresses the problem of authentication across disparately hosted systems by providing a single authentication domain across SaaS and cloud hosted applications as well as traditional enterprise hosted applications. An application delivery controller intermediary to a plurality of clients and the disparately hosted applications providing single sign on management, integration and control. A user may log in via an interface provided, controlled or managed by the ADC, which in turns, authenticates the user to the application in accordance with policy and the host of the application. As such, the user may login once to gain access to a plurality of disparately hosted applications.

Abstract: A method includes for determining a plurality of fields of a packet associated with a routing of the packet, wherein each field of the plurality of fields includes one or more bits. Arranging the bits of the plurality of fields into a plurality of ordered partitions of a search sequence, the search sequence being associated with a plurality of searches, wherein the searches are based on the bits included in one or more of the ordered partitions. Providing, to a routing table including routing information associated with the routing of the packet, one or more of the ordered partitions of the search sequence, wherein the routing table is structured based on the search sequence. Receiving, based on the plurality of searches, the routing information associated with the routing of the packet from the routing table. Routing the packet based on the routing information.

Abstract: A network device for implementing mirroring on packets. The network device includes a plurality of ports, each of which is at least one of an ingress port, an egress port and a mirror-to port. The network device also includes processing means for supporting a plurality of mirroring types. Each of the ingress port, egress port and mirror-to port includes at least one register for supporting the plurality of mirroring types. To support mirroring at each of the ingress port, egress port and mirror-to port predefined bits in the at least one register are set. When an incoming packet is received, the predefined bits are examined to determine which of the plurality of mirroring types to apply to the packet.

Abstract: A user can refine a search over structured data by specifying that a label or an attribute value be used to further filter the results of a query.

Abstract: A hardware packets reassembly apparatus and method includes an ingress unit receiving and parsing a data packet, recognizing fragments corresponding to the data packet, and outputting control information of the fragments. An en-queue unit stores the control information of each fragment, links each related fragment based on the control information, and enqueues the data packet when all fragments are available corresponding to the data packet, wherein the data packet is enqueued only when all of the fragments corresponding to the data packet are available in a sequential order. A dequeue unit dequeues the data packet from a packet descriptor, and scheduling the data packet based on a corresponding class of service. An egress unit assembles all fragments corresponding to the data packet into a full packet and outputting the assembled data packet from an output port.

Abstract: A method for propagating authentication session information to a plurality of cores of a multi-core device includes establishing, by an authentication virtual server executing on a first core of a device intermediary to at least one client and server, a session for a user, the authentication virtual server authenticating the session. A traffic management virtual server executes on a second core of device, and receives a request to access a server via the session. The traffic management virtual server may identify, responsive to a determination that the session is not stored by the second core, from an identifier of the session that the first core established the session. The second core may send to the first core a request for data for the session identified by the identifier. The second core may receive from the first core a response to the second request identifying whether the session is valid.

Abstract: The present invention is directed towards systems and methods for form-based single sign-on by a user desiring access to one or more protected resources, e.g., protected web pages, protected web-served applications, etc. In various embodiments, a single sign-on (SSO) module is in operation on an intermediary device, which is disposed in a network to manage internet traffic between a plurality of clients and a plurality of servers. The intermediary device can identify an authentication response from a server and forward the authentication response to the SSO module. The SSO module can complete a login form in the authentication response with a client's authentication data, return the completed login form to the server and forward cookies associated with the authentication response to the client. In various embodiments, multiple login forms can be completed, transparently to the client, by the SSO module on a client's behalf and reduce time expended by a client in obtaining access to protected resources.

Abstract: A flow control sender includes an ingress port with one or more Class Groups (CG) defined including a shared buffer pool, a shared counter per ingress port per CG tracking an amount of the shared buffer pool utilized by each CG, an ingress port utilization counter per ingress port tracking an amount of the shared buffer pool utilized by the ingress port, and a controller computing a dynamic threshold for each CG, comparing the dynamic threshold of each CG with the ingress port utilization counter, and determining a particular CG experiencing congestion when the ingress port utilization counter is greater than the dynamic threshold for the particular CG. A flow control receiver ceases transmission of data packets to the particular CG experiencing congestion and allows transmission of the data packets corresponding to other CGs.

Abstract: A system may include a content addressable memory (CAM) that is configured to include multiple services, receive a key, where the key includes source port information and IP information related to a packet received on one of multiple ports, and output a match index value in response to a search of the CAM using the key. The system may include a policy memory module that is configured to receive the match index value and to output meter controls and a meter address based on the match index value, a port meter map module that is configured to receive the source port information and to output a mask value and a per port meter value, and a remapping module that is configured to receive the meter address, receive the mask value and the per port meter value, and modify the meter address based on those values.

Abstract: An RFID edge server can associate with multiple RFID readers at a location, a service bus can receive RFID data from the RFID edge server and make the RFID data available to multiple services that consume the RFID data.

Abstract: A user can refine a search over structured data by specifying that a label or an attribute value be used to further filter the results of a query.

Abstract: Apparatus and methods for intelligent congestion feedback are disclosed. An example apparatus includes a data interface configured to receive data packets from a source endpoint via an intermediate node. The data packets include a field indicating whether data congestion for data being sent to the destination endpoint is occurring. The example apparatus also includes a timer. The example apparatus further includes a feedback loop interface configured to selectively enable a feedback loop to the source endpoint and to transmit congestion notification (CN) messages to the source endpoint over the feedback loop. Upon receiving a data packet indicating that congestion has occurred due to the data packets from the source endpoint to the destination endpoint, the destination endpoint is configured to set the timer to a preset time value; start the timer reverse counting from the preset time value to zero, enable the feedback loop and transmit the CN messages.

Abstract: Methods and apparatus for dynamic load balancing are disclosed. An example method includes receiving, at a network device, a data packet to be sent via an aggregation group, where the aggregation group comprising a plurality of aggregate members. The example method further includes determining, based on the data packet, a flow identifier of a flow to which the data packet belongs and determining a state of the flow. The example method also includes determining, based on the flow identifier and the state of the flow, an assigned member of the plurality of aggregate members for the flow and communicating the packet via the assigned member.

Abstract: Methods and apparatus for dynamic load balancing using virtual link credit accounting are disclosed. An example method includes receiving, at a network device, a data packet to be communicated using an aggregation group, the aggregation group including a plurality of virtual links having a common destination. The example method further includes determining a hash value based on the packet and determining an assigned virtual link of the plurality of virtual links based on the hash value. The example method also includes reducing a number of available transmission credits for the aggregation group and reducing a number of available transmission credits for the assigned virtual link. The example method still further includes communicating the packet to another network device using the assigned virtual link.