Service optimization in networks and cloud interconnects

US2024179125A1 · US · A1

Patent metadata

Publication number: US-2024179125-A1
Application number: US-202218072374-A
Country: US
Kind code: A1
Filing date: Nov 30, 2022
Priority date: Nov 30, 2022
Publication date: May 30, 2024
Grant date: (none listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

This disclosure describes techniques and mechanisms for optimizing firewall enforcement. The techniques may implement a dynamic detection of Layer 7 processing at one end of the network, alleviating the need to enforce another Layer 7 firewall inspection at the other end, thereby saving processing and network resources. The techniques enable firewalls and policies to be statically defined and located in one place.

Claims

Full claim text for this publication (independent claims 1, 9 and 17; the rest are dependent claims).

What is claimed is:

1. A method comprising: receiving, by a first network device located at a first site, a data packet, wherein the data packet corresponds to a data flow between the first network device and a second network device over a network; identifying a first firewall policy associated with the first network device; inspecting, based at least in part on the first firewall policy and by a first firewall, the data packet by the first network device; adding, by the first network device, a marker to the data packet to indicate inspection by the first firewall; transmitting, via the network, the data packet to the second network device at a second site; identifying a second firewall policy associated with a second network device; and determining, by the second network device, based at least in part on the second firewall policy and the marker, to refrain from inspecting the data packet.

2. The method of claim 1, wherein the data packet comprises UTD metadata.

3. The method of claim 1, wherein refraining from inspecting the data packet comprises refraining from processing a Layer 7 Firewall inspection by the second network device.

4. The method of claim 1, wherein the first network device comprises a SDCI router and the second network device comprises a SDCI headend device.

5. The method of claim 1, wherein adding the marker comprises adding UTD metadata to a SDWAN header of the data packet in a TLV format.

6. The method of claim 1, wherein the data packet comprises a header, wherein data included in the header of the data packet is encrypted.

7. The method of claim 1, wherein the marker comprises a flag included in UTD metadata in a header of the data packet, wherein the flag is included as part of a security level TLV.

8. The method of claim 1, wherein the network comprises a SDCI WAN.

9. A system comprising: one or more processors; and one or more non-transitory computer-readable media storing computer-executable instructions that, when executed by the one or more processors, cause the one or more processors to perform operations comprising: receiving, by a first network device located at a first site, a data packet, wherein the data packet corresponds to a data flow between the first network device and a second network device over a network; identifying a first firewall policy associated with the first network device; inspecting, based at least in part on the first firewall policy and by a first firewall, the data packet by the first network device; adding, by the first network device, a marker to the data packet to indicate inspection by the first firewall; transmitting, via the network, the data packet to the second network device at a second site; identifying a second firewall policy associated with a second network device; and determining, by the second network device, based at least in part on the second firewall policy and the marker, to refrain from inspecting the data packet.

10. The system of claim 9, wherein the data packet comprises UTD metadata.

11. The system of claim 9, wherein refraining from inspecting the data packet comprises refraining from processing a Layer 7 Firewall inspection by the second network device.

12. The system of claim 9, wherein the first network device comprises a SDCI router and the second network device comprises a SDCI headend device.

13. The system of claim 9, wherein adding the marker comprises adding UTD metadata to a SDWAN header of the data packet in a TLV format.

14. The system of claim 9, wherein the data packet comprises a header, wherein data included in the header of the data packet is encrypted.

15. The system of claim 9, wherein the marker comprises a flag included in UTD metadata in a header of the data packet, wherein the flag is included as part of a security level TLV.

16. The system of claim 9, wherein the network comprises a SDCI WAN.

17. One or more non-transitory computer-readable media storing computer-readable instructions that, when executed by one or more processors, cause the one or more processors to perform operations comprising: receiving, by a first network device located at a first site, a data packet, wherein the data packet corresponds to a data flow between the first network device and a second network device over a network; identifying a first firewall policy associated with the first network device; inspecting, based at least in part on the first firewall policy and by a first firewall, the data packet by the first network device; adding, by the first network device, a marker to the data packet to indicate inspection by the first firewall; transmitting, via the network, the data packet to the second network device at a second site; identifying a second firewall policy associated with a second network device; and determining, by the second network device, based at least in part on the second firewall policy and the marker, to refrain from inspecting the data packet.

18. The one or more non-transitory computer-readable media of claim 17, wherein the marker comprises a flag included in UTD metadata in a header of the data packet, wherein the flag is included as part of a security level TLV.

19. The one or more non-transitory computer-readable media of claim 17, wherein refraining from inspecting the data packet comprises refraining from processing a Layer 7 Firewall inspection by the second network device.

20. The one or more non-transitory computer-readable media of claim 17, wherein the network comprises a SDCI WAN.
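The claims describe the mechanism abstractly: the first device inspects, sets a flag in a security level TLV inside the UTD metadata of the SD-WAN header, and the second device combines that marker with its own policy to decide whether to skip Layer 7 inspection. The following Python model is an added example and not code from the patent or from Cisco; the TLV type codes, flag bit, field widths and the policy structure are all assumptions, since the filing does not publish a wire format. The encrypted header of claim 6 is what makes the marker trustworthy, so the example stands in for that tunnel protection with an HMAC over header and payload and has the second device honor the marker only when the tag verifies and its own policy permits trusting the peer; a malformed or unverifiable marker fails closed to local inspection or drop.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical encoding (assumption): one-byte type, two-byte length, value.
TLV_SECURITY_LEVEL = 0x01   # "security level TLV" named in claims 7, 15, 18
FLAG_L7_INSPECTED = 0x01    # marker flag set by the first device

# Constructed stand-in for a real Layer 7 ruleset.
BLOCKED_SIGNATURES = (b"EVIL-SIGNATURE",)


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Serialize one TLV in the assumed type/length/value layout."""
    return struct.pack("!BH", tlv_type, len(value)) + value


def decode_tlvs(data: bytes) -> dict:
    """Parse a TLV sequence; raises ValueError on truncation."""
    tlvs = {}
    pos = 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack("!BH", data[pos:pos + 3])
        pos += 3
        if pos + length > len(data):
            raise ValueError("truncated TLV value")
        tlvs[tlv_type] = data[pos:pos + length]
        pos += length
    return tlvs


def compute_tag(metadata: bytes, payload: bytes, key: bytes) -> bytes:
    """Integrity tag standing in for the encrypted/authenticated SD-WAN header."""
    return hmac.new(key, metadata + payload, hashlib.sha256).digest()


def l7_inspect(payload: bytes) -> bool:
    """Simulated Layer 7 inspection: True when the payload passes."""
    return not any(sig in payload for sig in BLOCKED_SIGNATURES)


@dataclass
class Policy:
    inspect_l7: bool         # this site's own policy requires L7 inspection
    trust_peer_marker: bool  # allow skipping when the peer marked inspection


def first_device_process(payload: bytes, policy: Policy, key: bytes
                         ) -> Optional[Tuple[bytes, bytes, bytes]]:
    """Site A: inspect per local policy, then add the marker and protect it.

    Returns (metadata, tag, payload), or None if inspection dropped the packet.
    """
    flags = 0
    if policy.inspect_l7:
        if not l7_inspect(payload):
            return None
        flags |= FLAG_L7_INSPECTED
    metadata = encode_tlv(TLV_SECURITY_LEVEL, bytes([flags]))
    return metadata, compute_tag(metadata, payload, key), payload


def second_device_decide(metadata: bytes, tag: bytes, payload: bytes,
                         policy: Policy, key: bytes) -> str:
    """Site B: return 'skip', 'inspect' or 'drop' for the received packet."""
    if not policy.inspect_l7:
        return "skip"                      # local policy needs no L7 pass
    if not hmac.compare_digest(tag, compute_tag(metadata, payload, key)):
        return "drop"                      # header altered; never trust the marker
    try:
        value = decode_tlvs(metadata).get(TLV_SECURITY_LEVEL)
    except ValueError:
        return "inspect"                   # malformed metadata fails closed
    flags = value[0] if value else 0
    if policy.trust_peer_marker and flags & FLAG_L7_INSPECTED:
        return "skip"                      # peer already inspected; save the work
    return "inspect"


if __name__ == "__main__":
    key = b"constructed-shared-key"       # constructed; real keys come from the tunnel
    pkt = first_device_process(b"GET / HTTP/1.1", Policy(True, True), key)
    print(second_device_decide(*pkt, Policy(True, True), key))
```

The decision order matters: integrity is checked before the marker is parsed, so a marker that was not protected end to end is never honored, and a second device whose policy does not trust peer markers still inspects locally even when the flag is present.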

Assignees

Cisco Tech Inc

Inventors

Classifications

  • Rule management · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

  • Filtering policies (mail message filtering H04L51/212) · CPC title

  • Architectural arrangements, e.g. perimeter networks or demilitarized zones · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2024179125A1 cover?
This disclosure describes techniques and mechanisms for optimizing firewall enforcement. The techniques may implement a dynamic detection of Layer 7 processing at one end of the network, alleviating the need to enforce another Layer 7 firewall inspection at the other end, thereby saving processing and network resources. The techniques enable fi…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/0263. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 30, 2024 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).