Abstract: Methods and apparatus for handling failure of servers in traffic forwarding (TF) systems between networks. A TF system may include units each including multiple servers. Outbound and inbound traffic for a local network may be distributed among the units according to a routing technique, with each unit responsible for an allocated portion of the traffic. Servers in a unit may participate in a health check protocol to detect servers that are not healthy. If the healthy servers in a unit drops below a threshold at which the unit cannot reliably handle its allocated portion of the traffic, the servers may automatically take the unit out of service, for example by stopping advertisement of routes, and the traffic may be reallocated across the remaining units. This may help prevent congestion-related delays, high latency, packet losses, and other problems on connections through the unhealthy unit.

Abstract: Methods and apparatus for handling failure of traffic forwarding (TF) systems in networks that include multiple zones each including a TF system between a production network and a border network. A TF system advertises routes in its zone and handles egress of packets from sources on the local production network onto the border network. TF systems may also advertise low-priority routes in other zones. If a TF system in a zone fails, sources in the zone may make connection requests to the low-priority routes. Instead of egressing the packets onto the border network, the requests on the low-priority routes are responded to with reset messages. Thus, the sources do not have to wait for a connection timeout, and packets for destinations in the zone are not egressed onto local border networks in other zones and sent through thin pipes between the local border networks.

Abstract: In one aspect, the technology relates to a method for analyzing a security event in a distributed fashion. The method includes the steps of detecting an occurrence of a security event within a customer network and querying a first component of the customer network for data in response to the detected occurrence of the security event. The method also includes the steps of receiving, by a data monitor located within the customer network, first data from the component in response to the query and determining, based on the received first data, whether to query for additional data. The method additionally includes querying at least one of the first component and another component of the customer network to obtain the additional data in response to the determining step, and analyzing the security event using at least one of the first data and the additional data.

Abstract: In one aspect, the technology relates to a method for analyzing a security event in a distributed fashion. The method includes the steps of detecting an occurrence of a security event within a customer network and querying a first component of the customer network for data in response to the detected occurrence of the security event. The method also includes the steps of receiving, by a data monitor located within the customer network, first data from the component in response to the query and determining, based on the received first data, whether to query for additional data. The method additionally includes querying at least one of the first component and another component of the customer network to obtain the additional data in response to the determining step, and analyzing the security event using at least one of the first data and the additional data.