Abstract: The present disclosure discloses a method and a network device for performing dynamic detection and application-based policy enforcement of proxy connections in a network. Specifically, a network device receives, from a client device, a packet in a session. The network device then determines whether the packet is transmitted to a proxy. In response to determining that the packet is associated with a different application classification or web content category during the same session, the network device re-applies network firewall policies to determine whether to allow or deny transmission of the packet to the proxy.

Abstract: The present disclosure discloses a method and a network device for adaptive resource allocation in congested wireless local area network deployment. Specifically, a network device dynamically assigns priorities of client devices associated with a remote access point based at least on an application type or a traffic type corresponding to each client device. Further, the network device transmits the priorities of the client devices to the remote access point in response to the wired uplink being unavailable. The priorities of the client devices facilitate the remote access point to limit a number of client devices connected to the remote access point subsequent to the wired uplink being unavailable.

Abstract: The present disclosure discloses a method and a network device for session aware access point load balancing. Specifically, a network device monitors data corresponding to a plurality of client devices associated with a first access point. Then, the network device determines whether the data matches particular criteria. Responsive to determining that the data matches the particular criteria, the network device select at least a first client device of the plurality of client devices for disassociation and/or de-authentication. Moreover, the network device causes disassociation and/or de-authentication of the first client device from the first access point.

Abstract: A system and a method are described that reduce or eliminate inefficiencies caused by double encryption in network tunnel communications. In particular, a set of virtual tunnels may be established that require a lower level of encryption in comparison to a full-encryption tunnel. Upon determining that a session is end-to-end encrypted, the system and method described herein may assign the session to one of the virtual tunnels instead of the full-encryption tunnel. By intelligently assigning sessions to virtual tunnels when encryption has already been applied, double encryption may be avoided, which will improve throughput and decrease processor usage. However, in cases where a session is not end-to-end encrypted, the full-encryption tunnel may be utilized to ensure secure communications are maintained between gateways.

Abstract: The present disclosure discloses a method and network device for intelligent handling of voice calls from mobile voice client devices. In some embodiments, the network device detects that a load, corresponding to a plurality of client devices associated with an access point, exceeds a particular threshold value. In some embodiments, the network device detects that a call quality for a current ongoing call, corresponding to a first client device associated with an access point, is below a first threshold value. In response, the network device selects a particular client device, of the plurality of client devices associated with the access point, for disassociation with the access point. The network device then causes the particular client device to disassociate with the access point.

Abstract: The present disclosure discloses a method and system for displaying an HTTPS block page without SSL inspection. Specifically, a network device snoops a first message transmitted between a client device and a network resource. The first message is transmitted as part of a SSL Handshake between the client device and the network resource to establish a SSL session. Moreover, the network device determines whether the client device is authorized to access the network resource. If not, the network device blocks the establishment of a SSL session between the client device and the network resource, and spoofs the network resource for establishing the SSL session between the client device and the network device instead of establishment of the SSL session between the client device and the network resource. Otherwise, the network device refrains from blocking the establishment of the SSL session between the client device and the network resource.

Abstract: The present disclosure discloses a method and network device for intelligent handling of voice calls from mobile voice client devices. In some embodiments, the network device detects that a load, corresponding to a plurality of client devices associated with an access point, exceeds a particular threshold value. In some embodiments, the network device detects that a call quality for a current ongoing call, corresponding to a first client device associated with an access point, is below a first threshold value. In response, the network device selects a particular client device, of the plurality of client devices associated with the access point, for disassociation with the access point. The network device then causes the particular client device to disassociate with the access point.

Abstract: A system and a method are described that reduce or eliminate inefficiencies caused by double encryption in network tunnel communications. In particular, a set of virtual tunnels may be established that require a lower level of encryption in comparison to a full-encryption tunnel. Upon determining that a session is end-to-end encrypted, the system and method described herein may assign the session to one of the virtual tunnels instead of the full-encryption tunnel. By intelligently assigning sessions to virtual tunnels when encryption has already been applied, double encryption may be avoided, which will improve throughput and decrease processor usage. However, in cases where a session is not end-to-end encrypted, the full-encryption tunnel may be utilized to ensure secure communications are maintained between gateways.

Abstract: The present disclosure discloses a method and a network device for performing content filtering on SPDY connections. Specifically, a network device receives, from a client device, a first control frame identifying a first maximum number of unsolicited unacknowledged messages related to a web resource that can be transmitted by a web server. The network device transmits to the web server a second control frame identifying a second and different maximum number of unsolicited unacknowledged messages related to the web resource that can be transmitted by the web server. In some embodiments, the network device establishes a first connection with the client device without forwarding the request to the web server, and a second connection with the web server. Further, the network device inspects data in the unsolicited unacknowledged messages and forwards at least portion of the data to the client device using the first connection.

Abstract: The present disclosure discloses a method and a network device for adaptive resource allocation in congested wireless local area network deployment. Specifically, a network device dynamically assigns priorities of client devices associated with a remote access point based at least on an application type or a traffic type corresponding to each client device. Further, the network device transmits the priorities of the client devices to the remote access point in response to the wired uplink being unavailable. The priorities of the client devices facilitate the remote access point to limit a number of client devices connected to the remote access point subsequent to the wired uplink being unavailable.

Abstract: The present disclosure discloses a method and a network device for performing dynamic detection and application-based policy enforcement of proxy connections in a network. Specifically, a network device receives, from a client device, a packet in a session. The network device then determines whether the packet is transmitted to a proxy. In response to determining that the packet is associated with a different application classification or web content category during the same session, the network device re-applies network firewall policies to determine whether to allow or deny transmission of the packet to the proxy.

Abstract: The present disclosure discloses a method and system for displaying an HTTPS block page without SSL inspection. Specifically, a network device snoops a first message transmitted between a client device and a network resource. The first message is transmitted as part of a SSL Handshake between the client device and the network resource to establish a SSL session. Moreover, the network device determines whether the client device is authorized to access the network resource. If not, the network device blocks the establishment of a SSL session between the client device and the network resource, and spoofs the network resource for establishing the SSL session between the client device and the network device instead of establishment of the SSL session between the client device and the network resource. Otherwise, the network device refrains from blocking the establishment of the SSL session between the client device and the network resource.

Abstract: The present disclosure discloses a method and a network device for performing content filtering on SPDY connections. Specifically, a network device receives, from a client device, a first control frame identifying a first maximum number of unsolicited unacknowledged messages related to a web resource that can be transmitted by a web server. The network device transmits to the web server a second control frame identifying a second and different maximum number of unsolicited unacknowledged messages related to the web resource that can be transmitted by the web server. In some embodiments, the network device establishes a first connection with the client device without forwarding the request to the web server, and a second connection with the web server. Further, the network device inspects data in the unsolicited unacknowledged messages and forwards at least portion of the data to the client device using the first connection.

Abstract: The present disclosure discloses a method and a network device for session aware access point load balancing. Specifically, a network device monitors data corresponding to a plurality of client devices associated with a first access point. Then, the network device determines whether the data matches particular criteria. Responsive to determining that the data matches the particular criteria, the network device select at least a first client device of the plurality of client devices for disassociation and/or de-authentication. Moreover, the network device causes disassociation and/or de-authentication of the first client device from the first access point.

Abstract: Methods and systems are described for intelligently steering client devices operating in an enterprise network system to an appropriate access point based on types of traffic on each client device and/or types of traffic on access points. In particular, client devices may be moved to a different access point when the wireless channel provided by a current access point fails to meet the signal strength requirements of latency sensitive traffic utilized by the client device. Client devices may be further steered to new access points based on load conditions on access points. For example, client devices with low priority traffic sessions may be steered away from access points with high traffic load levels. Accordingly, the methods and systems described herein ensure improved network access for latency sensitive access categories and/or access categories that are considered important to an enterprise system with minimal disruptions to these sessions.

Abstract: The present disclosure discloses a system and method for dynamically modifying role based access control for a client based on the activity. Generally, a client device is granted access to a network resource based on a first reputation score assigned to the client device. The activity of the client device is monitored. Responsive to monitoring the activity of the client device, a second reputation score is determined for the client device based on the activity. The access by the client device to the network resource is then modified to be granted based on the second reputation score.

Abstract: The present disclosure discloses a method and network device for intelligent handling of voice calls from mobile voice client devices. In some embodiments, the network device detects that a load, corresponding to a plurality of client devices associated with an access point, exceeds a particular threshold value. In some embodiments, the network device detects that a call quality for a current ongoing call, corresponding to a first client device associated with an access point, is below a first threshold value. In response, the network device selects a particular client device, of the plurality of client devices associated with the access point, for disassociation with the access point. The network device then causes the particular client device to disassociate with the access point.