Systems and methods for load balancing network traffic at firewalls deployed in a cloud computing environment
US-11855896-B1 · Dec 26, 2023 · US
US12184552B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12184552-B2 |
| Application number | US-202217660128-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 21, 2022 |
| Priority date | Apr 21, 2022 |
| Publication date | Dec 31, 2024 |
| Grant date | Dec 31, 2024 |
Official abstract text for this publication.
An auto scale monitoring service performs load balancing on a cloud firewall with minimized traffic disruption using eager and lazy load balancing protocols. The auto scale monitoring service operates through an orchestrator that initializes a new firewall and sends forwarding instructions to the new firewall for rerouting excess traffic. The auto scale monitoring service additionally operates through a software-defined wide area network controller that sends routing instructions to a local branch of network devices to reroute to the new firewall from an overloaded current firewall. The eager protocol immediately tears down the tunneling session from the local branch to the current firewall, whereas the lazy protocol tears this tunneling session down gradually. Both protocols inform the firewalls how to forward ongoing traffic in each case and establish updated traffic flow through a tunneling session from the local branch to the new firewall.
Opening claim text (preview).
The invention claimed is:

1. A method comprising: detecting a load balancing event affecting a first firewall; and lazy load balancing between the first firewall and at least a second firewall, wherein lazy load balancing between the first and second firewalls comprises: identifying a first branch location with a set of one or more network devices communicatively coupled to the first firewall with a first tunnel; instructing a set of one or more routing devices at the first branch location to establish a second tunnel between the set of one or more network devices of the first branch location and a second firewall; instructing the first firewall to forward, to the second firewall, protocol data units (PDUs) for at least one of traffic flows and traffic sessions not previously observed by the first firewall; communicating router metric values that indicate a preference for the first tunnel over the second tunnel to the set of one or more routing devices at the first branch location; and, based on one or more tear down criteria being satisfied, instructing at least one of the first firewall and the first branch location to tear down the first tunnel.
2. The method of claim 1, wherein the first firewall and the second firewall are hosted in a cloud.
3. The method of claim 1, wherein the one or more tear down criteria comprise a determination that at least one of traffic flows and traffic sessions not previously observed by the first firewall have at least one of inactive and timed out.
4. The method of claim 1, wherein communicating router metric values that indicate the preference for the first tunnel over the second tunnel to the set of one or more routing devices at the first branch location comprises communicating, to a wide area network controller managing the set of one or more routing devices, instructions to: update one or more routing tables for the set of one or more routing devices with a first route corresponding to the second tunnel, wherein the first route in the updated one or more routing tables has a higher router metric value than a second route corresponding to the first tunnel; and advertise the second route.
5. The method of claim 1, further comprising communicating, to a network orchestrator managing at least the first and second firewalls, instructions to: initialize the second firewall based, at least in part, on detecting the load balancing event; and communicate forwarding instructions to the first firewall and the second firewall.
6. The method of claim 5, wherein communicating the instructions to initialize the second firewall comprises communicating initialization parameters to a cloud service provider, wherein the initialization parameters are formatted according to an application programming interface for the cloud service provider.
7. The method of claim 1, wherein the lazy load balancing between the first firewall and at least the second firewall is based, at least in part, on a determination that a traffic load at the first firewall is acceptable for at least a time interval until the tear down criteria are satisfied.
8. The method of claim 7, wherein the determination that the traffic load at the first firewall is acceptable for at least the time interval until the tear down criteria are satisfied is based, at least in part, on network topology for a network comprising the first firewall and the second firewall.
9. A non-transitory, computer-readable medium having instructions stored thereon that are executable by a computing device, the instructions to: detect a load balancing event affecting a first firewall; and eager load balance between the first firewall and at least a second firewall, wherein the instructions to eager load balance between the first and second firewalls comprise instructions to: identify a first branch location with a set of one or more network devices communicatively coupled to the first firewall with a first tunnel; instruct a set of one or more routing devices at the first branch location to establish a second tunnel between the set of one or more network devices of the first branch location and a second firewall; instruct the second firewall to forward, to the first firewall, protocol data units (PDUs) for at least one of traffic flows and traffic sessions previously observed by the first firewall; communicate router metric values that indicate a preference for the second tunnel over the first tunnel to the set of one or more routing devices at the first branch location; and instruct at least one of the first firewall and the first branch location to tear down the first tunnel.
10. The computer-readable medium of claim 9, further comprising instructions to instruct the first firewall to forward, to the second firewall, indications of the at least one of traffic flows and traffic sessions previously observed by the first firewall, wherein the instructions to instruct the second firewall to forward, to the first firewall, the PDUs for at least one of traffic flows and traffic sessions previously observed by the first firewall are based, at least in part, on the indications of the at least one of traffic flows and traffic sessions previously observed by the first firewall.
11. The computer-readable medium of claim 9, further comprising instructions to: subsequent to instructing at least one of the first firewall and the first branch location to tear down the first tunnel, determine that an inspection criterion is satisfied; and, based on the inspection criterion being satisfied, instruct the second firewall to terminate forwarding, to the first firewall, PDUs for at least one of traffic flows and traffic sessions previously observed by the first firewall.
12. The computer-readable medium of claim 11, wherein the inspection criterion comprises a determination that the at least one of traffic flows and traffic sessions previously observed by the first firewall are at least one of inactive and timed out.
13. The computer-readable medium of claim 9, wherein the first firewall and the second firewall are hosted in a cloud.
14. The computer-readable medium of claim 9, wherein the instructions to communicate router metric values that indicate the preference for the second tunnel over the first tunnel to the set of one or more routing devices at the first branch location comprise instructions to communicate, to a wide area network controller managing the set of one or more routing devices, instructions to: update one or more routing tables for the set of one or more routing devices with a first route corresponding to the second tunnel, wherein the first route in the updated one or more routing tables has a lower router metric value than a second route corresponding to the first tunnel; and advertise the first route.
15. The computer-readable medium of claim 9, further comprising instructions to communicate, to a software-defined wide area network (SD-WAN) orchestrator managing at least the first and second firewalls, instructions to: initialize the second firewall based, at least in part, on detecting the load balancing event; and communicate forwarding instructions to the first firewall and the second firewall.
16. The computer-readable medium of claim 9, wherein the instructions to eager load balance between the first firewall and at least the second firewall are based, at least in part, on a determination that a traffic load at the first firewall is above a threshold load, wherein the threshold load corresponds to immediate traffic rerouting.
17. The computer-readable medium of claim 16, wher
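The lazy (claims 1 to 3) and eager (claims 9 to 12) protocols, as a small Python model added here to show how the two differ in tunnel preference and PDU forwarding; it is not the patent's or any vendor's code, and the firewall names, tunnel names, metric values and flow ids are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Firewall:
    name: str
    seen: set = field(default_factory=set)           # flows this firewall has inspected
    peer: Optional["Firewall"] = None                # firewall that forwarded PDUs go to
    fwd: Callable[[str], bool] = lambda flow: False  # which flows are handed to the peer

@dataclass
class Branch:
    # tunnel name -> [firewall, router metric]; the lowest metric is the preferred route
    tunnels: dict = field(default_factory=dict)

    def preferred(self) -> Firewall:
        return min(self.tunnels.values(), key=lambda t: t[1])[0]

def inspect(flow: str, branch: Branch) -> str:
    """Send one PDU of `flow` from the branch; return the firewall that inspects it."""
    fw = branch.preferred()
    if fw.peer is not None and fw.fwd(flow):
        fw = fw.peer          # forwarded per the orchestrator's forwarding instructions
    fw.seen.add(flow)
    return fw.name

def lazy_balance(fw1: Firewall, fw2: Firewall, branch: Branch) -> None:
    """Claim 1: add the second tunnel with a higher (less preferred) metric; fw1 hands
    flows it has not seen before to fw2, so its existing sessions drain undisturbed."""
    branch.tunnels["t2"] = [fw2, branch.tunnels["t1"][1] + 10]
    fw1.peer, fw1.fwd = fw2, lambda flow: flow not in fw1.seen

def lazy_teardown(fw1: Firewall, branch: Branch) -> None:
    """Claims 1 and 3: once the tear down criteria hold, drop the first tunnel."""
    del branch.tunnels["t1"]
    fw1.peer, fw1.fwd = None, lambda flow: False

def eager_balance(fw1: Firewall, fw2: Firewall, branch: Branch) -> None:
    """Claims 9 and 10: second tunnel preferred and first tunnel torn down at once; fw2
    returns PDUs of the sessions fw1 indicated it already knows to fw1 for inspection."""
    known = set(fw1.seen)                                       # indications sent by fw1
    branch.tunnels["t2"] = [fw2, branch.tunnels["t1"][1] - 10]  # lower metric, preferred
    fw2.peer, fw2.fwd = fw1, lambda flow: flow in known
    del branch.tunnels["t1"]

def stop_forwarding(fw: Firewall) -> None:
    """Claims 11 and 12: when the old sessions are inactive, terminate the forwarding."""
    fw.peer, fw.fwd = None, lambda flow: False
```

With lazy balancing an established flow keeps landing on the first firewall until the tunnel is torn down, while with eager balancing it reaches the first firewall only by being forwarded back from the second one.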
CPC classification titles:

- Interconnection of networks using encapsulation techniques, e.g. tunneling
- Firewall traversal, e.g. tunnelling or creating pinholes
- Distributed architectures, e.g. distributed firewalls
- Virtual private networks
- by balancing the load, e.g. traffic engineering