Abstract: A runtime state of a virtual port associated with a virtual machine (“VM”) is persisted as the VM is migrated from a source host to a destination host. In certain embodiments, a virtual switch forwards network frames between the VM and the physical network interface via the virtual port. During migration of the VM, the runtime state of the virtual port is transferred to the destination host and applied at the second host to a virtual port associated with a second virtual switch at the destination host. The runtime state of the virtual port at the source host is then cleared, and the second virtual switch at the destination host forwards network frames between the migrated VM and the physical network interface of the destination host using the virtual port at the second host.

Abstract: Systems and methods include receiving network transaction data for a plurality of users monitored by a cloud-based system; creating a relationship graph based on the plurality of user's recent network transactions for a time period, wherein the relationship graph includes vertices for domains and edges for transactions by users between the domains having some number of transaction in the time period; and analyzing the relationship graph to detect previously undetected suspicious anomalies. The weights on each edge are based on a relationship between two domains where the relationship includes any of malware, Internet Protocol (IP) addresses, Autonomous System Number (ASN), registration, and redirects.

Abstract: A runtime state of a virtual port associated with a virtual machine (“VM”) is persisted as the VM is migrated from a source host to a destination host. In certain embodiments, a virtual switch forwards network frames between the VM and the physical network interface via the virtual port. During migration of the VM, the runtime state of the virtual port is transferred to the destination host and applied at the second host to a virtual port associated with a second virtual switch at the destination host. The runtime state of the virtual port at the source host is then cleared, and the second virtual switch at the destination host forwards network frames between the migrated VM and the physical network interface of the destination host using the virtual port at the second host.

Abstract: Systems and methods include obtaining log data for a plurality of users of an enterprise where the log data relates to usage of a plurality of applications by the plurality of users; determining i) app-segments that are groupings of application of the plurality of applications and ii) user-groups that are groupings of users of the plurality of users; and providing access policy of the plurality of applications based on the user-groups and the app-segments. The steps can further include monitoring the access policy over time based on ongoing log data, manual verification of the access policy, and incidents where users are prevented from accessing any application; and adjusting the determined based on the monitoring.

Abstract: A runtime state of a virtual port associated with a virtual machine (“VM”) is persisted as the VM is migrated from a source host to a destination host. In certain embodiments, a virtual switch forwards network frames between the VM and the physical network interface via the virtual port. During migration of the VM, the runtime state of the virtual port is transferred to the destination host and applied at the second host to a virtual port associated with a second virtual switch at the destination host. The runtime state of the virtual port at the source host is then cleared, and the second virtual switch at the destination host forwards network frames between the migrated VM and the physical network interface of the destination host using the virtual port at the second host.

Abstract: Systems and methods include receiving a domain for a determination of a likelihood the domain is a command and control site; analyzing the domain with an ensemble of a plurality of trained machine learning models including a Uniform Resource Locator (URL) model that analyzes lexical features of a hostname of the domain and an artifact model that analyzes content features of a webpage associated with the domain; and combining results of the ensemble to predict the likelihood the domain is a command and control site.

Abstract: A runtime state of a virtual port associated with a virtual machine (“VM”) is persisted as the VM is migrated from a source host to a destination host. In certain embodiments, a virtual switch forwards network frames between the VM and the physical network interface via the virtual port. During migration of the VM, the runtime state of the virtual port is transferred to the destination host and applied at the second host to a virtual port associated with a second virtual switch at the destination host. The runtime state of the virtual port at the source host is then cleared, and the second virtual switch at the destination host forwards network frames between the migrated VM and the physical network interface of the destination host using the virtual port at the second host.

Abstract: Systems and methods for building a monitoring fabric are described. The system receives a duplicate of a first portion of traffic information from a first network as first traffic information and communicates the first traffic information in the monitoring fabric. The first traffic information is communicated to a controller that configures the monitoring fabric. The system receives a duplicate of a second portion of the traffic information from the first network as second traffic information. The system forwards the second traffic information to at least one tool.

Abstract: Systems and methods to scale a network monitoring fabric are described. The system uploads a virtual tool, over a network, to a monitoring fabric. The monitoring fabric includes a first plurality of switches including a second plurality of switches for monitoring a production network. Next, the system configures the monitoring fabric to receive a first portion of traffic information from the production network and communicate the first portion of traffic information to the virtual tool. Next, the system receives a duplicate of the first portion of the traffic information from the production network as first traffic information. The first traffic information is received at a first ingress interface providing access to the monitoring fabric. Finally, the system forwards the first traffic information in the monitoring fabric to the first instance of the first virtual tool.

Abstract: A runtime state of a virtual port associated with a virtual machine (“VM”) is persisted as the VM is migrated from a source host to a destination host. In certain embodiments, a virtual switch forwards network frames between the VM and the physical network interface via the virtual port. During migration of the VM, the runtime state of the virtual port is transferred to the destination host and applied at the second host to a virtual port associated with a second virtual switch at the destination host. The runtime state of the virtual port at the source host is then cleared, and the second virtual switch at the destination host forwards network frames between the migrated VM and the physical network interface of the destination host using the virtual port at the second host.

Abstract: Systems and methods to scale a network monitoring fabric are described. The system uploads a virtual tool, over a network, to a monitoring fabric. The monitoring fabric includes a first plurality of switches including a second plurality of switches for monitoring a production network. Next, the system configures the monitoring fabric to receive a first portion of traffic information from the production network and communicate the first portion of traffic information to the virtual tool. Next, the system receives a duplicate of the first portion of the traffic information from the production network as first traffic information. The first traffic information is received at a first ingress interface providing access to the monitoring fabric. Finally, the system forwards the first traffic information in the monitoring fabric to the first instance of the first virtual tool.

Abstract: A runtime state of a virtual port associated with a virtual machine (“VM”) is persisted as the VM is migrated from a source host to a destination host. In certain embodiments, a virtual switch forwards network frames between the VM and the physical network interface via the virtual port. During migration of the VM, the runtime state of the virtual port is transferred to the destination host and applied at the second host to a virtual port associated with a second virtual switch at the destination host. The runtime state of the virtual port at the source host is then cleared, and the second virtual switch at the destination host forwards network frames between the migrated VM and the physical network interface of the destination host using the virtual port at the second host.

Abstract: A packet forwarding network may include switches that forward network packets between end hosts. A monitoring network may be coupled to the forwarding network. A controller may control switches in the monitoring network to forward network packets tapped from the forwarding network to one or more packet recorders. The packet recorders may store the tapped packets and the controller may query the stored packets at a later time. The controller may analyze queried packets to monitor the operation of the packet forwarding network and, if desired, to display graphical visualizations associated with the packet forwarding network. If desired, the controller may instruct the packet recorders to replay the tapped packets to network visibility tools through the monitoring network. The controller may coordinate storage and query operations across multiple packet recorders using the monitoring network so that the packet storage capacity and recording rate may be scaled up over time.

Abstract: A packet forwarding network may include switches that forward network packets between end hosts. A monitoring network may be coupled to the forwarding network. A controller may control switches in the monitoring network to forward network packets tapped from the forwarding network to one or more packet recorders. The packet recorders may store the tapped packets and the controller may query the stored packets at a later time. The controller may analyze queried packets to monitor the operation of the packet forwarding network and, if desired, to display graphical visualizations associated with the packet forwarding network. If desired, the controller may instruct the packet recorders to replay the tapped packets to network visibility tools through the monitoring network. The controller may coordinate storage and query operations across multiple packet recorders using the monitoring network so that the packet storage capacity and recording rate may be scaled up over time.

Abstract: Systems and methods for building a monitoring fabric are described. The system receives a duplicate of a first portion of traffic information from a first network as first traffic information and communicates the first traffic information in the monitoring fabric. The first traffic information is communicated to a controller that configures the monitoring fabric. The system receives a duplicate of a second portion of the traffic information from the first network as second traffic information. The system forwards the second traffic information to at least one tool.

Abstract: A controller may fulfill hardware address requests that are sent by source end hosts in a network to discover hardware addresses of destination end hosts. The controller may use network topology information to determine how to process the hardware address requests. The controller may retrieve a requested hardware address from a database of end hosts. If the controller is able to retrieve the hardware address of a destination end host from the database of end hosts, the controller may provide the source end host with a reply packet that contains the requested hardware address. If the controller is unable to retrieve the requested hardware address, the controller may form request packets to discover the address of the second end host and/or to discover a packet forwarding path between the source end host and the destination end host.

Abstract: Systems and methods for building a hyper-scale monitoring fabric are described. The system receives a duplicate of a first portion of traffic information from a production network as first traffic information and communicates the first traffic information in the hyper-scale monitoring fabric. The first traffic information is communicated to a controller computer that configures the hyper-scale monitoring fabric. The system receives a duplicate of a second portion of the traffic information from the production network as second traffic information. The system forwards the second traffic information to a tool farm.

Abstract: A runtime state of a virtual port associated with a virtual machine (“VM”) is persisted as the VM is migrated from a source host to a destination host. In certain embodiments, a virtual switch forwards network frames between the VM and the physical network interface via the virtual port. During migration of the VM, the runtime state of the virtual port is transferred to the destination host and applied at the second host to a virtual port associated with a second virtual switch at the destination host. The runtime state of the virtual port at the source host is then cleared, and the second virtual switch at the destination host forwards network frames between the migrated VM and the physical network interface of the destination host using the virtual port at the second host.

Abstract: A runtime state of a virtual port associated with a virtual machine (“VM”) is persisted as the VM is migrated from a source host to a destination host. In certain embodiments, a virtual switch forwards network frames between the VM and the physical network interface via the virtual port. During migration of the VM, the runtime state of the virtual port is transferred to the destination host and applied at the second host to a virtual port associated with a second virtual switch at the destination host. The runtime state of the virtual port at the source host is then cleared, and the second virtual switch at the destination host forwards network frames between the migrated VM and the physical network interface of the destination host using the virtual port at the second host.

Abstract: A controller may control switches such as physical and software switches in a network. The controller may generate virtual switches from groups of end hosts in forming a virtual network topology. The controller may receive one or more network policy rules that govern network traffic through the switches. For a given network policy rule, the controller may perform a test in determining whether the network satisfies the network policy rule. The test may be performed based on a testing rule identifying test parameters and expected test results. The controller may perform tests in determining whether the network satisfies the testing rule and the corresponding network policy rule. The tests may be performed via simulation at the controller or by injecting a tagged test packet into the network.