Abstract: The present disclosure provides solutions for an enterprise providing services to a variety of clients to enable the client to use the resources provided by the enterprise by modifying URLs received and the URLs from the responses from the servers to the client's requests before forwarding the requests and the responses to the intended destinations. An intermediary may identify an access profile for a clients' request to access a server via a clientless SSL VPN session. The intermediary may detect one or more URLs in content served by the server in response to the request using one or more regular expressions of the access profile. The intermediary may rewrite or modify, responsive to detecting, the one or more detected URLs in accordance with a URL transformation specified by one or more rewrite policies of the access profile. The response with modified URLs may be forwarded to the client.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: The present solution is related to a method for distributing flows of network traffic across a plurality of packet processing engines executing on a corresponding core of a multi-core device. The method includes receiving, by a multi-core device intermediary to clients and servers, a packet of a first flow of network traffic between a client and server. The method also includes assigning, by a flow distributor of the multi-core device, the first flow of network traffic to a first core executing a packet processing engine and distributing the packet to this core. The flow distributor may distribute packets of another or second flow of traffic between another client and server to a second core executing a second packet processing engine. When a packet for the flow of traffic assigned to the first core is received, such as a third packet, the flow distributor distributes this packet to the first core.

Abstract: The present solution is related to a method for distributing flows of network traffic across a plurality of packet processing engines executing on a corresponding core of a multi-core device. The method includes receiving, by a multi-core device intermediary to clients and servers, a packet of a first flow of network traffic between a client and server. The method also includes assigning, by a flow distributor of the multi-core device, the first flow of network traffic to a first core executing a packet processing engine and distributing the packet to this core. The flow distributor may distribute packets of another or second flow of traffic between another client and server to a second core executing a second packet processing engine. When a packet for the flow of traffic assigned to the first core is received, such as a third packet, the flow distributor distributes this packet to the first core.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: A security gateway receives messages transmitted between a server and a client device on a network and parses the messages into a plurality of data objects, such as strings and name-value pairs. The data objects may represent user personal identification information, such as user name, social security number, credit card number, patient code, driver's license number, and other personal identification information. The security gateway uses rules to recognize data objects and validate the data objects to determine whether the recognized data objects are appropriately included within the context. The security gateway may also perform an action on the data objects. Data objects that are not appropriately included in the context may be transformed, suppressed or disallowed.

Abstract: The present invention is directed towards systems and methods for sharing session data among cores in a multi-core system. A first application firewall module executes on a core of a multi-core intermediary device which establishes a user session. The first application firewall module stores application firewall session data to memory accessible by the first core. A second application firewall module executes on a second core of the multi-core intermediary device. The second application firewall module receives a request from the user via the established user session. The request includes a session identifier identifying that the user session was established by the first core. The second application firewall module determines to perform one or more security checks on the request and communicates a portion of the request the first core. The second application firewall module receives and processes the security check results and instructions from the first core.

Abstract: The present invention is directed towards systems and methods for efficiently an intermediary device processing strings in web pages across a plurality of user sessions. A device intermediary to a plurality of clients and a server identifies a plurality of strings in forms and uniform resource locators (URLs) of web pages traversing the device across a plurality of user sessions. The device stores each string of the plurality of strings to one or more allocation arenas shared among a plurality of user session. Each string is indexed using a hash key generated from the string. The device recognizes that a received string transmitted from a webpage of a session of a user is eligible to be shared among the plurality of user sessions. The device determines that a copy of the received string is stored in an allocation arena using a hash generated from the received string.

Abstract: This disclosure describes a system for Single Root I/O Virtualization (SR-IOV) pass-thru for network packet processing via a virtualized environment of a device. The system includes a device comprising a virtualized environment and a plurality of virtual machines having a virtual network interface for receiving and transmitting network packets. A driver for the physical network interface of the device creates a plurality of virtual devices corresponding to the physical network interface, which appear as a Peripheral Component Interconnect (PCI) device to the virtualized environment. A virtual device of the plurality of virtual devices is assigned via the virtualized environment to each virtual machine of the plurality of virtual machines. The virtual machine uses the virtual device assigned to the virtual machine, to receive and transmit network packets via the physical network interface of the device.

Abstract: A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway.

Abstract: A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components.

Abstract: A method of a device for filtering messages routing across a network includes extracting, by a filter configured on the device, a plurality of message components from messages received via a network. The plurality of message components is identified as having at least a field name in common, including a first field name. A learning engine configured on the device creates a list of data types for values of the first field name. The list includes one or more data types of a value of the first field name identified for each of the plurality of message components. The learning engine determines a most restrictive data type from the list of data types for the values of the first field name of the plurality of message components.

Abstract: The present invention is directed towards systems and methods for efficiently an intermediary device processing strings in web pages across a plurality of user sessions. A device intermediary to a plurality of clients and a server identifies a plurality of strings in forms and uniform resource locators (URLs) of web pages traversing the device across a plurality of user sessions. The device stores each string of the plurality of strings to one or more allocation arenas shared among a plurality of user session. Each string is indexed using a hash key generated from the string. The device recognizes that a received string transmitted from a webpage of a session of a user is eligible to be shared among the plurality of user sessions. The device determines that a copy of the received string is stored in an allocation arena using a hash generated from the received string.

Abstract: The present invention is directed towards systems and methods for sharing session data among cores in a multi-core system. A first application firewall module executes on a core of a multi-core intermediary device which establishes a user session. The first application firewall module stores application firewall session data to memory accessible by the first core. A second application firewall module executes on a second core of the multi-core intermediary device. The second application firewall module receives a request from the user via the established user session. The request includes a session identifier identifying that the user session was established by the first core. The second application firewall module determines to perform one or more security checks on the request and communicates a portion of the request the first core. The second application firewall module receives and processes the security check results and instructions from the first core.

Abstract: An efficient method for parsing HTML pages identifies pages containing a mix of static and dynamic content. The pages are parsed to form abstract syntax trees (ASTs), which are then cached along with the pages. When a later version of a page is retrieved, it is compared against the cached version, and only those portions of the AST that contain different content are reparsed.

Abstract: A security gateway receives messages rejected by a message filter based on a set of rules. The security gateway also receives attributes of the rejected messages that triggered the rules. The security gateway maintains frequencies with which the messages with a particular attribute were rejected by the rules. The security gateway finds rejected messages or attributes having a high frequency of occurrence. Since messages or attributes having a high frequency of occurrences are more likely to represent legitimate requests rather than malicious attacks, the security gateway generates exception rules, which would allow messages that have similar attributes to pass through the gateway.

Abstract: Systems and methods for configuring and evaluating policies that direct processing of one or more data streams are described. A configuration interface is described for allowing users to specify object oriented policies. These object oriented policies may allow any data structures to be applied with respect to a payload of a received packet stream, including any portions of HTTP traffic. A configuration interface may also allow the user to control the order in which policies and policy groups are executed, in addition to specifying actions to be taken if one or more policies are undefined. Systems and methods for processing the policies may allow efficient processing of object-oriented policies by applying potentially complex data structures to unstructured data streams. A device may also interpret and process a number of flow control commands and policy group invocation statements to determine an order of execution among a number of policies and policy groups.

Abstract: The present disclosure is directed to systems and method for providing a virtual appliance. One or more application delivery controller appliances intermediary to a plurality of clients and a plurality of servers perform a plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers. A virtual application delivery controller is deployed on a device intermediary to the plurality of clients and the plurality of servers. The virtual application delivery controller executing on the device performs one or more of the plurality of application delivery control functions on network traffic communicated between the plurality of clients and the plurality of servers.

Abstract: The present disclosure presents systems and methods for controlling network traffic traversing an intermediary device based on a license or a permit granted for the intermediary device. The systems and methods control a rate of a traffic of a device in accordance with a rate limit identified by a rate limiting license. A rate limiting manager of an intermediary device that processes network traffic between a plurality of clients and a plurality of servers, may identify presence of a rate limiting license that further identifies a performance level. The rate limiting manager may establish a rate limit based on the performance level of the rate limiting license. A throttler of the intermediary may control a rate of receiving network packets in accordance with the rate limit.

Abstract: The present solution is related to a method for distributing flows of network traffic across a plurality of packet processing engines executing on a corresponding core of a multi-core device. The method includes receiving, by a multi-core device intermediary to clients and servers, a packet of a first flow of network traffic between a client and server. The method also includes assigning, by a flow distributor of the multi-core device, the first flow of network traffic to a first core executing a packet processing engine and distributing the packet to this core. The flow distributor may distribute packets of another or second flow of traffic between another client and server to a second core executing a second packet processing engine. When a packet for the flow of traffic assigned to the first core is received, such as a third packet, the flow distributor distributes this packet to the first core.