Dynamic application firewall configuration for cloud native applications

US11477168B2 · US · B2

Patent metadata

Field                Value
Publication number   US-11477168-B2
Application number   US-202117646522-A
Country              US
Kind code            B2
Filing date          Dec 30, 2021
Priority date        Dec 4, 2020
Publication date     Oct 18, 2022
Grant date           Oct 18, 2022

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, a WAF is instantiated and the WAF protections that should be enabled or disabled are then determined based on characteristics of the application identified at runtime. The WAF is configured according to the identified protections: those pertinent to the application are enabled, while those not applicable to the application, and thus never used, are disabled. As a result, the security the WAF provides for a cloud application is tailored to that application based on information gathered in the cloud deployment environment.

First claim

Opening claim text (preview).

The invention claimed is:

1. A method comprising: identifying one or more containers of a cloud application deployed to a cloud cluster that are exposed external to the cloud cluster; determining a first container of the one or more containers in front of which to instantiate a web application firewall for the cloud application; instantiating a web application firewall in front of the first container with a default configuration, wherein the default configuration comprises one or more protections enabled for the web application firewall; determining if any protections of the web application firewall should be enabled in addition to those of the default configuration based on characteristics of the cloud application; and based on determining that one or more additional protections should be enabled for the web application firewall based on the characteristics of the cloud application, enabling the one or more additional protections for the web application firewall.

2. The method of claim 1, wherein determining if any protections of the web application firewall should be enabled in addition to those of the default configuration comprises evaluating the characteristics of the cloud application against a plurality of rules for enabling a corresponding plurality of protections offered by the web application firewall, and wherein enabling the one or more additional protections comprises, based on determining that the characteristics satisfy one or more rules of the plurality of rules, enabling the one or more protections that correspond to the one or more rules for the web application firewall.

3. The method of claim 1, wherein identifying the one or more containers comprises identifying containers deployed to the cloud cluster that are exposed to a load balancer that distributes traffic across the cloud cluster.

4. The method of claim 1, wherein identifying the one or more containers that are exposed external to the cloud cluster comprises identifying the one or more containers based on at least one of network topology information obtained for the cloud cluster and a configuration of the cloud cluster.

5. The method of claim 1 further comprising determining communication protocols used for communicating requests to each of the one or more containers, wherein determining the first container in front of which to instantiate the web application firewall comprises determining that a communication protocol that is compatible with web application firewall protection is used for communicating requests to the first container.

6. The method of claim 5, wherein determining that a communication protocol that is compatible with web application firewall protection is used for communicating requests to the first container comprises determining that Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) is used for communicating requests to the first container.

7. The method of claim 1, wherein enabling the one or more additional protections of the web application firewall comprises configuring the web application firewall to enable at least one of a signature for which the web application firewall is to monitor and a policy the web application firewall is to apply.

8. The method of claim 1 further comprising: determining a first protection of the one or more protections enabled in the default configuration to disable for the web application firewall based on the characteristics of the cloud application; and disabling the first protection for the web application firewall.

9. One or more non-transitory machine-readable media having program code stored thereon, the program code comprising instructions that are executable by a processor to cause the processor to: identify one or more containers of a cloud application that are exposed external to a cloud cluster on which the cloud application executes; determine whether any of the one or more containers are compatible with web application firewall protection; based on a determination that a first container of the one or more containers is compatible with web application firewall protection, instantiate a web application firewall in front of the first container with a default set of protections enabled; determine one or more additional protections to enable for the web application firewall based on characteristics of the cloud application, wherein the one or more additional protections are protections in addition to those of the default set of protections; and enable the one or more additional protections for the web application firewall.

10. The non-transitory machine-readable media of claim 9, wherein the program code further comprises instructions to determine a first protection of the default set of protections to disable for the web application firewall based on the characteristics of the cloud application and disable the first protection.

11. The non-transitory machine-readable media of claim 9, wherein the program code further comprises instructions to determine communication protocols used for communicating requests to the one or more containers, and wherein the instructions to determine whether any of the one or more containers are compatible with web application firewall protection comprise instructions to determine whether Hypertext Transfer Protocol (HTTP) or Hypertext Transfer Protocol Secure (HTTPS) are used for communicating requests to any of the one or more containers.

12. The non-transitory machine-readable media of claim 9, wherein the instructions to identify the one or more containers of the cloud application that are exposed external to the cloud cluster comprise at least one of: instructions to identify containers deployed to the cloud cluster that are exposed to a load balancer that distributes traffic across the cloud cluster, wherein the one or more containers are exposed to the load balancer, instructions to identify the one or more containers based on network topology information obtained for the cloud cluster, and instructions to identify the one or more containers based on a configuration of the cloud cluster.

13. The non-transitory machine-readable media of claim 9, wherein the instructions to determine the one or more additional protections to enable for the web application firewall comprise instructions to evaluate the characteristics of the cloud application against a plurality of rules for enabling a corresponding plurality of protections offered by the web application firewall, and wherein the instructions to enable the one or more additional protections comprise instructions to, based on a determination that the characteristics satisfy one or more rules of the plurality of rules, enable the one or more protections that correspond to the one or more rules for the web application firewall.

14. An apparatus comprising: a processor; and a non-transitory computer-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to: identify one or more containers of a cloud application deployed to a cloud cluster that are exposed external to the cloud cluster; determine a first container of the one or more containers in front of which to instantiate a web application firewall for the cloud application; instantiate a web application firewall in front of the first container with a default set of protections enabled; determine one or more additional protections to enable for the web application firewall based on characteristics of the cloud application, wherein the one or more additional protections are protections in addition to those of the default set of protections; and enable the one o
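The claims describe a three-stage procedure: discover which containers are exposed outside the cluster, keep only those reached over a WAF-compatible protocol (HTTP/HTTPS), then start from a default protection set and apply enable rules (claims 2 and 13) and disable rules (claims 8 and 10) against characteristics observed at runtime. The following Python is an added illustration of that procedure and is not code from the patent or from Palo Alto Networks; the container inventory, the application characteristics, the protection names and the rules are all constructed for the example.

```python
"""Added example: rule-driven WAF placement and configuration for a cloud
application, modelled on the procedure described in the claims above.
Not the patent owner's code; every name and value below is constructed."""
from dataclasses import dataclass

# Claims 5, 6 and 11: only HTTP/HTTPS traffic is WAF-compatible.
WAF_COMPATIBLE_PROTOCOLS = {"http", "https"}


@dataclass(frozen=True)
class Container:
    name: str
    protocol: str                # protocol used for requests to the container
    behind_load_balancer: bool   # claim 3: exposed via the cluster load balancer


# Constructed inventory, standing in for what topology/config discovery
# (claim 4) would return for a real cluster.
CLUSTER = [
    Container("web-frontend", "https", True),
    Container("grpc-gateway", "grpc", True),
    Container("orders-db", "postgres", False),
    Container("legacy-api", "http", True),
]

# Constructed runtime characteristics of the application.
APP_CHARACTERISTICS = {
    "languages": {"php"},
    "databases": {"postgresql"},
    "has_login_form": True,
    "serves_xml": False,
}

# Constructed default protection set (claim 1: "default configuration").
DEFAULT_PROTECTIONS = {"sqli", "xss", "xxe", "command-injection"}

# Constructed rules: (predicate over characteristics, protection name).
# Enable rules add protections on top of the defaults (claims 2 and 13).
ENABLE_RULES = [
    (lambda c: "php" in c["languages"], "php-object-injection"),
    (lambda c: c["has_login_form"], "credential-stuffing"),
    (lambda c: bool(c["databases"]), "sqli"),   # already a default; harmless
]
# Disable rules remove a default the application cannot need (claims 8, 10).
DISABLE_RULES = [
    (lambda c: not c["serves_xml"], "xxe"),
]


def exposed_containers(cluster):
    """Containers reachable from outside the cluster (claims 1 and 3)."""
    return [c for c in cluster if c.behind_load_balancer]


def waf_compatible(container):
    """True when requests to the container use HTTP or HTTPS (claim 6)."""
    return container.protocol.lower() in WAF_COMPATIBLE_PROTOCOLS


def select_waf_targets(cluster):
    """Exposed containers in front of which a WAF can be instantiated."""
    return [c for c in exposed_containers(cluster) if waf_compatible(c)]


def configure_waf(characteristics, default=DEFAULT_PROTECTIONS,
                  enable_rules=ENABLE_RULES, disable_rules=DISABLE_RULES):
    """Start from the defaults, then apply enable and disable rules.

    Disable rules run last, so a protection that a characteristic rules out
    is removed even if an enable rule would have added it.
    """
    enabled = set(default)
    for predicate, protection in enable_rules:
        if predicate(characteristics):
            enabled.add(protection)
    for predicate, protection in disable_rules:
        if predicate(characteristics):
            enabled.discard(protection)
    return enabled


def plan_deployment(cluster, characteristics):
    """Map each WAF target container to the sorted protections to enable."""
    config = configure_waf(characteristics)
    return {c.name: sorted(config) for c in select_waf_targets(cluster)}


if __name__ == "__main__":
    for name, protections in plan_deployment(CLUSTER, APP_CHARACTERISTICS).items():
        print(f"{name}: {', '.join(protections)}")
```

Running the block plans a WAF for web-frontend and legacy-api only: grpc-gateway is exposed but not HTTP-based, and orders-db is not exposed at all. The resulting protection set drops xxe (the application serves no XML) and adds the PHP and login-form protections the characteristics call for. In a real deployment the characteristics would be refreshed as the application changes, so the rules should be re-evaluated periodically rather than once at instantiation.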

Assignees

  • Palo Alto Networks Inc

Inventors

Classifications

  • based on web technology, e.g. hypertext transfer protocol [HTTP] · CPC title

  • H04L63/029 · Primary

    Firewall traversal, e.g. tunnelling or, creating pinholes · CPC title

  • in which an application is distributed across nodes in the network (software deployment G06F8/60; multiprogramming arrangements G06F9/46) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US11477168B2 cover?
To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiat…
Who is the assignee on this patent?
Palo Alto Networks Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/029. Mapped technology areas include Electricity.
When was this patent published?
Publication date Oct 18, 2022 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 7 related publications on this page (citations in our corpus or others sharing the same primary CPC).