Abstract: A classifier component receives an instruction to determine whether any data fields in a datastore are sensitive data fields in which sensitive data is stored. The classifier component analyzes the set of data fields and determines that a data field is a sensitive data field. The classifier component causes information that classifies the data field as a sensitive data field to a data catalog without sending content of any data field in the set of data fields to the data catalog. A data security component subsequently accesses a query made to the datastore, the query including a data field name that identifies the data field. The data security component determines, based on the data catalog, that the query requested content from a sensitive data field, and stores, by the data security component, information that the query requested the content from the sensitive data field.

Abstract: In general, embodiments relates to a method for creating an on-demand tunnel (ODT) in a network between a first network device and a second network device, the method comprising: storing by the first network device, a potentially suboptimal path to the second network device, determining that a trigger condition to create the ODT between the first network device and the second network device is satisfied, in response to the determination: transmitting, by the first network device, an ODT signaling packet to the second network device via the potentially suboptimal path, receiving, from the second network device and in response to transmitting the ODT signaling packet, an ODT keepalive by first network device via the ODT, and transmitting, after receiving the ODT keepalive, a second packet to the second network device via the ODT.

Abstract: A method for generating an application-aware virtual topology (AAVT) routing table for a network device among network devices connected via a wide area network is provided. The method is executed by a network controller connected to the network and includes: receiving, from the network devices, path information of the network devices; generating, using the path information, an underlay graph specifying a path topology of the network device; generating, based on the path topology specified in the underlay graph, the AAVT routing table for the network device where the AAVT routing table includes a set of paths; and transmitting, in response to generating the AAVT routing table, the AAVT routing table to the network device to cause the network device to program the set of paths.

Abstract: A validating service of a plurality of services that compose an application receives a security token that identifies an entity that has submitted a transaction to the application, the security token indicating that the entity is authorized to submit the transaction to the application. The validating service obtains a transaction identifier that uniquely identifies the transaction. The validating service sends, to a collector service, the transaction identifier and data derived from the security token that identifies the entity. A downstream service receives input data associated with the transaction, the input data including the transaction identifier. The downstream service accesses an information source to obtain information. The downstream service sends, to the collector service, the transaction identifier and metadata about the information.

Abstract: A method for transmitting network traffic across a wide area network (WAN) from a first site to a second site is provided. The method is executed by a first edge network device at the first site that further includes a second edge network device, and the method includes: receiving the network traffic from a client device at the first site; determining, using ipath characteristics and a classification of the network traffic, that the network traffic should be transmitted by the second edge network device to the second site; forwarding in response to the determination, the network traffic to the second edge network device using a local tunnel over a local area network (LAN) of the first site such that the network traffic is transmitted to the second site by the second edge network device.

Abstract: A datastore layer service of a plurality of services that compose an application receives, from an upstream service of the plurality of services, a request, the request being associated with a transaction submitted to the application, the request including a transaction identifier that uniquely identifies the transaction. The datastore layer service, in response to the request, initiates a query against a datastore to obtain a data item based on information included in the request. A sensitive data classifier analyzes query information associated with the query. The sensitive data classifier determines that the query requests a data item that has been classified as a sensitive data item. The sensitive data classifier causes the transaction identifier and classification information that indicates the query requested the data item that has been classified as a sensitive data item to be sent to a collector service.

Abstract: A method for generating an application-aware virtual topology (AAVT) routing table for a network device among network devices connected via a wide area network is provided. The method is executed by a network controller connected to the network and includes: receiving, from the network devices, path information of the network devices; generating, using the path information, an underlay graph specifying a path topology of the network device; generating, based on the path topology specified in the underlay graph, the AAVT routing table for the network device where the AAVT routing table includes a set of paths; and transmitting, in response to generating the AAVT routing table, the AAVT routing table to the network device to cause the network device to program the set of paths.

Abstract: A method for servicing network traffic in a wide area network (WAN) comprising a plurality of network devices is provided. The method is executed by a network device among the plurality of network devices and comprises: receiving a request to transmit the network traffic to a destination network device where the request specifies that the network traffic is to be serviced by a network service; determining, based on the request and using a service-aware virtual topology (SAVT) routing table, a path through the WAN for reaching the network service and a service instance identifier (ID) of the network service; configuring the network traffic to include a service bit indicating whether service is to be performed and instructions specifying the path for reaching the network service; and transmitting, after configuring the network traffic, the network traffic toward the destination device through the at least one network service.

Abstract: A validating service of a plurality of services that compose an application receives a security token that identifies an entity that has submitted a transaction to the application, the security token indicating that the entity is authorized to submit the transaction to the application. The validating service obtains a transaction identifier that uniquely identifies the transaction. The validating service sends, to a collector service, the transaction identifier and data derived from the security token that identifies the entity. A downstream service receives input data associated with the transaction, the input data including the transaction identifier. The downstream service accesses an information source to obtain information. The downstream service sends, to the collector service, the transaction identifier and metadata about the information.

Abstract: A method for transmitting network traffic across a wide area network (WAN) from a first site to a second site is provided. The method is executed by a first edge network device at the first site that further includes a second edge network device, and the method includes: receiving the network traffic from a client device at the first site; determining, using ipath characteristics and a classification of the network traffic, that the network traffic should be transmitted by the second edge network device to the second site; forwarding in response to the determination, the network traffic to the second edge network device using a local tunnel over a local area network (LAN) of the first site such that the network traffic is transmitted to the second site by the second edge network device.

Abstract: In general, embodiments relates to a method for creating an on-demand tunnel (ODT) in a network between a first network device and a second network device, the method comprising: storing by the first network device, a a potentially suboptimal path to the second network device, determining that a trigger condition to create the ODT between the first network device and the second network device is satisfied, in response to the determination: transmitting, by the first network device, an ODT signaling packet to the second network device via the potentially suboptimal path, receiving, from the second network device and in response to transmitting the ODT signaling packet, an ODT keepalive by first network device via the ODT, and transmitting, after receiving the ODT keepalive, a second packet to the second network device via the ODT.

Abstract: A method for servicing network traffic in a wide area network (WAN) comprising a plurality of network devices is provided. The method is executed by a network device among the plurality of network devices and comprises: receiving a request to transmit the network traffic to a destination network device where the request specifies that the network traffic is to be serviced by a network service; determining, based on the request and using a service-aware virtual topology (SAVT) routing table, a path through the WAN for reaching the network service and a service instance identifier (ID) of the network service; configuring the network traffic to include a service bit indicating whether service is to be performed and instructions specifying the path for reaching the network service; and transmitting, after configuring the network traffic, the network traffic toward the destination device through the at least one network service.

Abstract: A method for remotely configuring a network device using a user device and a network management service is provided. The user device includes a first communication interface and a second communication interface, and the method includes: initiating, by the user device, a communication channel with the network device using the second communication interface; after the communication channel is established: obtaining, by the user device via the first communication interface, configuration information for the network device from the network management service; and sending, by the user device, the configuration information to the network device via the communication channel. The user device is in communication with the network management service via the first communication interface, and the user device is configured as a pass-through device that relays the configuration information from the network management service to the network device.

Abstract: Packets in a network may be dropped from time to time. Although network devices are able to provide counters specifying the number of dropped packets, these network devices are unable to provide additional context about the dropped packets. However, users of a network wish to know more about dropped packets; such as why the packets were dropped. Therefore, methods for capturing and storing the dropped packets are provided. This way, users can analyze the dropped packets to determine why these packets were dropped.

Abstract: A method for generating an application-aware virtual topology (AAVT) routing table for a network device among network devices connected via a wide area network is provided. The method is executed by a network controller connected to the network and includes: receiving, from the network devices, path information of the network devices; generating, using the path information, an underlay graph specifying a path topology of the network device; generating, based on the path topology specified in the underlay graph, the AAVT routing table for the network device where the AAVT routing table includes a set of paths; and transmitting, in response to generating the AAVT routing table, the AAVT routing table to the network device to cause the network device to program the set of paths.

Abstract: Systems and methods for load balancing in a network are disclosed. An illustrative method includes receiving network telemetry data corresponding to network paths of a plurality of coexisting multipaths, performing an adaptive load balancing process by determining whether a network path from the plurality of coexisting multipaths is an adequate network path based on the network telemetry data, and in response to determining the network path is an adequate network path, selecting the network path for a network flow.

Abstract: Systems and methods for load balancing in a network are disclosed. An illustrative method includes receiving network telemetry data corresponding to network paths of a plurality of coexisting multipaths, performing an adaptive load balancing process by determining whether a network path from the plurality of coexisting multipaths is an adequate network path based on the network telemetry data, and in response to determining the network path is an adequate network path, selecting the network path for a network flow.

Abstract: Systems and methods for a path selection by a network router are disclosed. The router receives a data packet destined to travel a current path, as identified by a packet header, to a destination router. The router determines whether the current path is the best path of a set of network paths for the data packet to travel to reach the destination router based on telemetry characteristics of a set of network paths. The telemetry characteristics include a bandwidth availability estimate that is a function of one or both of a corresponding path throughput and a corresponding path packet loss rate. In response to determining the current path is not the best path, the router chooses a best path based on the telemetry characteristics of the set of paths and replaces the current path with the best path for travel by the data packet to the destination router.

Abstract: A method for transmitting packets in a network is provided. The method includes determining that a first packet will be encrypted prior to transmitting the first packet to a network device. The first packet includes a first source address for the first packet. The method also includes generating a routing value based on the first source address. The routing value allows the network device to determine which of a plurality of processing cores will be used to process the first packet. The method further includes encrypting the first packet to generate an encrypted first packet. The method further includes encapsulating the encrypted first packet within a second packet. A payload of the second packet comprises the encrypted first packet and a packet header of the second packet includes the routing value. The method further includes transmitting the second packet to the network device.

Abstract: A method and apparatus of a device that simulates a plurality of network elements is described. In an exemplary embodiment, the device receives network topology information for the plurality of simulated network elements. The device further instantiates a container for each of the plurality of simulated network elements. The device additionally configures a set of processes for each of the plurality of containers, where each of the set of processes simulates at least one of the plurality of simulated network elements. The plurality of set of processes further implements a network topology represented by the network topology information. The device performs a test of the network topology and saves the results of the test.