Abstract: Systems and methods include establishing a control channel of a tunnel utilizing a first encryption technique, wherein the tunnel is between a local node including one or more processors and a remote node, and wherein the control channel includes a session identifier; establishing a data channel of the tunnel utilizing a second encryption technique, wherein the data tunnel is bound to the control channel based on the session identifier; performing, over the control channel, device authentication and user authentication of one or more users associated with the remote node, wherein each of the one or more users includes a user identifier; and, subsequent to the device authentication and the user authentication, exchanging data packets over the data channel with each data packet including a corresponding user identifier. The first encryption technique can be one of TLS and SSL, and the second encryption technique can be one of TLS and DTLS.

Abstract: Techniques for determining the path of User Datagram Protocol (UDP) traceroute probes using Transmission Control Protocol (TCP) and Internet Control Message Protocol (ICMP). Various embodiments include sending a plurality of probes to one or more legs in a network path; obtaining measurements from each of the plurality of probes for each of the one or more legs in the network path; and performing one or more actions based on the measurements from each of the plurality of probes. The steps further include overlapping the measurements to determine latency to a destination and identifying throttling of UDP traffic based on the overlapping of measurements from the plurality of probes.

Abstract: A node configured as any of a proxy, a Secure Web Gateway, and a Secure Internet Gateway is configured to perform steps of, responsive to establishing a connection with a user device having a user associated with a tenant and obtaining policy for the user, monitoring traffic between the user device and the Internet where the monitoring is at a middle location, inline between the user device and an endpoint; responsive to the traffic being encrypted as a tunnel, performing one or more operations to enable accessing the encrypted traffic; analyzing the traffic based on the policy, including at least checking for malicious traffic and Data Loss Prevention (DLP) for the tenant; and one of allowing, blocking, or limiting the traffic based on the analyzing.

Abstract: Systems and methods of Exact Data Matching (EDM) for identifying related tokens in data content using structured signature data implemented in a cloud-based system receiving data sets and customer configuration from a customer, wherein the data sets include customer specific sensitive data from a structured data source with each token represented by a hash value and the customer configuration includes one or more primary keys for a plurality of records in the data sets; distributing the data sets and the customer configuration to a plurality of nodes in the cloud-based system; performing monitoring of content between a client of the customer and an external network; detecting a presence of a plurality of tokens associated with a record in the customer specific sensitive data based on the monitoring; and performing a policy-based action in the cloud-based system based on the detecting.

Abstract: Systems and methods include connecting to and authenticating a plurality of user devices; utilizing a plurality of RESTful (Representational State Transfer web service) endpoints to communicate with the plurality of user devices; providing any of policy and configuration to the plurality of user devices utilizing version number via a RESTful endpoint; caching the any of policy and configuration for each device of the plurality of user devices; and receiving metrics based on measurements at the plurality of user devices according to corresponding policy and configuration, via a RESTful endpoint.

Abstract: A cloud service is executed on a plurality of nodes, each including at least one processor, and the cloud service is configured to communicate with a plurality of user devices, each user device associated with a user from an organization of a plurality of organizations, and each user device includes a plugin or browser extension installed thereon, provide configuration information to any of the plurality of user devices where the configuration information includes a plurality of domains to be monitored by the plugin or browser extension, wherein the plugin or browser extension is configured to monitor and/or determine real user monitoring (RUM) statistics when a given user device accesses one of the plurality of domains; and receive the RUM statistics from any of the plurality of user devices.

Abstract: Techniques for deep tracing of one or more users via a cloud-based system include receiving a request from an administrator to actively troubleshoot a user; causing a user device associated with the user to create a deep tracing session based on the request; assisting the user device in performing one or more traces of a plurality of traces to a destination; receiving results from any of the plurality of traces and results from metrics collected at the user device; and displaying a network map between the user device and the destination.

Abstract: The present disclosure relates to systems and methods for automatically bypassing SSL connections responsive to client SSL handshake failures. Various embodiments include detecting a first failed client SSL connection, creating a cache entry including a traffic fingerprint of the first failed client SSL connection, and bypassing subsequent connections matching the cached fingerprint of the first failed client SSL connection. Embodiments further include cache entries that include a TTL, wherein connections can be matched to the entries during the configured TTL. The present systems and methods are provided to alleviate issues associated SSL traffic interruptions and breakdowns.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods implemented by a traceroute application implementing a Transmission Control Protocol (TCP) stack in a processing device include sending a plurality of TCP packets via a raw socket to perform a trace to a destination; receiving responses to the plurality of TCP packets; detecting the responses in the TCP stack and diverting the responses to the raw socket; and aggregating the responses by the traceroute application to determine details of a service path from the processing device to the destination.

Abstract: Techniques for determining the path of User Datagram Protocol (UDP) traceroute probes using Transmission Control Protocol (TCP) and Internet Control Message Protocol (ICMP). Various embodiments include sending a plurality of probes to one or more legs in a network path; obtaining measurements from each of the plurality of probes for each of the one or more legs in the network path; and performing one or more actions based on the measurements from each of the plurality of probes. The steps further include overlapping the measurements to determine latency to a destination and identifying throttling of UDP traffic based on the overlapping of measurements from the plurality of probes.

Abstract: A node configured as any of a proxy, a Secure Web Gateway, and a Secure Internet Gateway is configured to perform steps of establishing a connection with a user device having a user associated with a tenant; obtaining policy for the user; monitoring traffic between the user device and the Internet including snooping session keys for any encrypted traffic; analyzing the traffic based on the policy including utilizing the session keys on the encrypted traffic; and one of allowing, blocking, or limiting the traffic based on the analyzing.

Abstract: Mobile device security, device management, and policy enforcement are described in a cloud-based system where the “cloud” is used to pervasively enforce security and policy and perform device management regardless of device type, platform, location, etc. A method includes receiving one or more mobile profiles for one or more mobile devices each associated with a user from an enterprise; responsive to enrollment of a mobile device of the one or more mobile devices, communicating to the mobile device; determining an associated mobile profile of the one or more mobile profiles for the mobile device; and configuring the mobile device based on the associated mobile profile.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include receiving a request, from a client, for a trace of the tunnel; causing the trace inside the tunnel; obtaining results of the trace inside the tunnel; and sending the results of the trace inside the tunnel to the client so that the client aggregates these details with details from one or more additional legs to provide an overall view of a service path between the client and a destination.

Abstract: Techniques for using web probes for monitoring user experience including use of caching to prevent a surge of web probes on destination servers and for detecting web probe traffic through a proxy including where the traffic is encrypted. A method implemented by a proxy includes receiving a response to a first web probe to a destination server; caching data associated with the response to the first web probe in a cache; receiving a request for a second web probe to the destination server; and serving a response to the second web probe utilizing the data in the cache in lieu of forwarding the second web probe to the destination server.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include requesting a trace to a destination with a signature inserted into a trace packet; receiving a response to the trace packet; when the response does not include tunnel info, providing details in the response to a service where the details include parameters associated with a service path between the client and the destination; and, when the response includes tunnel info, segmenting the service path into a plurality of legs, causing a trace for each of the plurality of legs, and aggregating details for each of the plurality of legs based on the causing.

Abstract: Multi-tenant cloud-based firewall systems and methods are described. The firewall systems and methods can operate overlaid with existing branch office firewalls or routers as well as eliminate the need for physical firewalls. The firewall systems and methods can protect users at user level control, regardless of location, device, etc., over all ports and protocols (not only ports 80/443) while providing administrators a single unified policy for Internet access and integrated reporting and visibility. The firewall systems and methods can eliminate dedicated hardware at user locations, providing a software-based cloud solution.

Abstract: Systems and methods implemented in a node in a cloud-based system include operating a first cloud service that is implemented as a monolith system; operating a RESTful framework (Representational State Transfer web service) embedded in the cloud node; and operating one or more applications for one or more cloud services utilizing the RESTful framework, wherein the one or more applications are microservices. The RESTful framework utilizes Hypertext Transfer Protocol (HTTP) methods.

Abstract: Mobile device security, device management, and policy enforcement are described in a cloud-based system where the “cloud” is used to pervasively enforce security and policy and perform device management regardless of device type, platform, location, etc. A method includes receiving one or more mobile profiles for one or more mobile devices each associated with a user from an enterprise; responsive to enrollment of a mobile device of the one or more mobile devices, communicating to the mobile device; determining an associated mobile profile of the one or more mobile profiles for the mobile device; and configuring the mobile device based on the associated mobile profile.

Abstract: Techniques for using web probes for monitoring user experience including use of caching to prevent a surge of web probes on destination servers and for detecting web probe traffic through a proxy including where the traffic is encrypted. A method implemented by a proxy includes receiving encrypted traffic with an indicator in a header indicating a request for probe traffic; inspecting the request and a response for the probe traffic; and caching data associated with the response to in a cache.

Abstract: Techniques for using traceroute with tunnels and cloud-based systems for determining measures of network performance are presented. Systems and methods include periodically performing a full trace, at a first interval, to a destination; periodically performing a short trace, at a second interval that is less than the first interval, to a node in a cloud-based system; responsive to detection of issues based on the short trace, performing a full trace to the destination; and providing results of any of the full trace, the short trace, and any associated issues detected based thereon.