What technology area does this patent fall under?

Primary CPC classification H04L63/0263. Mapped technology areas include Electricity.

When was this patent published?

Publication date Tue Jun 17 2025 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.

What related patents are in patentsdb?

We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).

Service optimization in networks and cloud interconnects

US12335237B2 · US · B2

Patent metadata
Field	Value
Publication number	US-12335237-B2
Application number	US-202218072374-A
Country	US
Kind code	B2
Filing date	Nov 30, 2022
Priority date	Nov 30, 2022
Publication date	Jun 17, 2025
Grant date	Jun 17, 2025

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

Title
What the patent document calls the invention.
Abstract
A short plain-language summary of the technical disclosure.
Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
Key dates
Filing, priority, publication, and grant dates set the timeline.
First independent claim
The legal scope of protection — read this for what is actually claimed.
CPC / IPC classifications
Technology tags used to group this patent with similar filings.
Citations and related patents
Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

This disclosure describes techniques and mechanisms for disclosure describes techniques and mechanisms for optimizing firewall enforcement. The techniques may implement a dynamic detection of Layer 7 processing at one end of the network, alleviating the need to enforce another layer 7 firewall inspection at the other end, thereby saving processing and network resources. The techniques enable firewalls and policies to be statically defined and located in one place.

First claim

Opening claim text (preview).

What is claimed is: 1. A method comprising: receiving, by a first network device located at a first site, a data packet, wherein the data packet corresponds to a data flow between the first network device and a second network device over a network; identifying a first firewall policy associated with the first network device, the first firewall policy being provided by a controller and identifying a first firewall of the network configured to inspect the data packet; inspecting, based at least in part on the first firewall policy and by the first firewall of the network, the data packet by the first network device; adding, by the first network device, a marker to a header of the data packet to indicate inspection by the first firewall, the marker comprising unified threat defense (UTD) metadata; transmitting, via the network, the data packet to the second network device at a second site; identifying, based on receiving the data packet and by the second network device, a second firewall policy associated with the second network device, wherein the UTD metadata indicates a profile identifier applied to the data packet by the first firewall, wherein identifying the second firewall policy is based on extracting the profile identifier; and determining, by the second network device, based at least in part on the second firewall policy and extracting the marker from the header, to refrain from inspecting the data packet. 2. The method of claim 1 , wherein the data packet further comprises an initial data packet of the data flow, the method further comprising refraining from adding the marker to subsequent data packets of the data flow. 3. The method of claim 1 , wherein refraining from inspecting the data packet comprises refraining from processing a Layer 7 Firewall inspection by the second network device. 4. The method of claim 1 , wherein the first network device comprises a software defined cloud interconnect (SDCI) router and the second network device comprises a SDCI headend device. 5. The method of claim 1 , wherein the UTD metadata is added to a software-defined wide area network header of the data packet in a tag length value format. 6. The method of claim 1 , wherein the marker comprises a flag included in the UTD metadata, wherein the flag is included as part of a security level tag length value. 7. The method of claim 1 , wherein the network comprises a software defined cloud interconnect wide area network and wherein the data packet comprises a header, wherein data included in the header of the data packet is encrypted. 8. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, by a first network device located at a first site, a data packet, wherein the data packet corresponds to a data flow between the first network device and a second network device over a network; identifying a first firewall policy associated with the first network device, the first firewall policy being provided by a controller and identifying a first firewall of the network configured to inspect the data packet; inspecting, based at least in part on the first firewall policy and by the first firewall of the network, the data packet by the first network device; adding, by the first network device, unified threat defense (UTD) metadata to a header of the data packet to indicate inspection by the first firewall; transmitting, via the network, the data packet to the second network device at a second site; identifying, based on receiving the data packet and by the second network device, a second firewall policy associated with the second network device, wherein the UTD metadata indicates a profile identifier applied to the data packet by the first firewall, wherein identifying the second firewall policy is based on extracting the profile identifier; and determining, by the second network device, based at least in part on the second firewall policy and the UTD metadata, to refrain from inspecting the data packet. 9. The system of claim 8 , wherein the data packet comprises an initial data packet of the data flow, the operations further comprising refraining from adding the UTD metadata to subsequent data packets of the data flow. 10. The system of claim 8 , wherein refraining from inspecting the data packet comprises refraining from processing a Layer 7 Firewall inspection by the second network device. 11. The system of claim 8 , wherein the first network device comprises a software defined cloud interconnect (SDCI) router and the second network device comprises a SDCI headend device. 12. The system of claim 8 , wherein the header of the data packet comprises a software defined wide area network (SDWAN) header and the UTD metadata is added to the SDWAN header in a tag length value format. 13. The system of claim 8 , wherein the UTD metadata comprises a flag that is included as part of a security level tag length value. 14. The system of claim 8 , wherein the network comprises a software defined cloud interconnect wide area network and wherein data included in the header of the data packet is encrypted. 15. One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: receiving, by a first network device located at a first site, a data packet, wherein the data packet corresponds to a data flow between the first network device and a second network device over a network; identifying a first firewall policy associated with the first network device, the first firewall policy corresponding to a unified security policy and identifying a first firewall of the network configured to inspect the data packet; inspecting, based at least in part on the first firewall policy and by the first firewall, the data packet by the first network device; adding, by the first network device, a marker to the data packet to indicate inspection by the first firewall, the marker comprising unified threat defense (UTD) metadata; transmitting, via the network, the data packet to the second network device at a second site; identifying a second firewall policy associated with the second network device, the second firewall policy corresponding to the unified security policy, wherein the UTD metadata indicates a profile identifier applied to the data packet by the first firewall, wherein identifying the second firewall policy is based on extracting the profile identifier; and determining, by the second network device, based at least in part on the second firewall policy and the marker, to refrain from inspecting the data packet. 16. The one or more non-transitory computer-readable media of claim 15 , wherein the marker further comprises a flag included in the UTD metadata in a header of the data packet, wherein the flag is included as part of a security level tag length value. 17. The one or more non-transitory computer-readable media of claim 15 , wherein determining to refrain from inspecting the data packet comprises refraining from processing a Layer 7 Firewall inspection by the second network device. 18. The one or more non-transitory computer-readable media of claim 15 , wherein the first firewall of the network comprises a zone-based firewall.

Assignees

Cisco Tech Inc

Inventors

Classifications

H04L63/0428
wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title
H04L63/0245
Filtering by information in the payload · CPC title
H04L63/0209
Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title
H04L63/0227
Filtering policies (mail message filtering H04L51/212) · CPC title
H04L63/20
for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

Patent family

Related publications grouped by family.

View patent family 89452637

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US12335237B2 cover?: This disclosure describes techniques and mechanisms for disclosure describes techniques and mechanisms for optimizing firewall enforcement. The techniques may implement a dynamic detection of Layer 7 processing at one end of the network, alleviating the need to enforce another layer 7 firewall inspection at the other end, thereby saving processing and network resources. The techniques enable fi…
Who is the assignee on this patent?: Cisco Tech Inc
What technology area does this patent fall under?: Primary CPC classification H04L63/0263. Mapped technology areas include Electricity.
When was this patent published?: Publication date Tue Jun 17 2025 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?: We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).

How to read this patent

Abstract

First claim

Assignees

Inventors

Classifications

Patent family

External sources

Related patents

Apparatus, system, and method for applying firewall rules at dynamic offsets within packets in kernel space

Distributing a network policy using connectivity fault management

Dynamic Firewall Discovery on a Service Plane in a SDWAN Architecture

Synergistic dns security update

Rule processing and enforcement for interleaved layer 4, layer 7 and verb based rulesets

Frequently asked questions