US2016294866A1PendingUtilityA1

Load balancing in a network with session information

Assignee: FORTINET INCPriority: Feb 16, 2011Filed: Jun 9, 2016Published: Oct 6, 2016
Est. expiryFeb 16, 2031(~4.6 yrs left)· nominal 20-yr term from priority
H04L 67/142H04L 61/2007H04L 49/354H04L 63/0236H04L 47/196H04L 63/1408H04L 67/1027H04L 63/1458H04L 63/0218H04L 67/1001H04L 61/5007H04L 47/125G06F 16/9017H04L 63/0227H04L 47/726H04L 45/74H04L 67/1004H04L 63/0272H04L 63/029H04L 63/02G06F 16/282
58
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, service group and VLAN associations are stored within a switching device for each front panel port and for each fabric slot of the switching device. Each of multiple FSDs providing security services for a protected network are coupled with a fabric slot. When a packet is received, the switching device: (i) tags the packet based on a VLAN ID corresponding to the VLAN to which front panel port on which it was received is assigned; (ii) identifies the service group based on the VLAN ID; (iii) selects a slot within the identified service group and thereby selects an FSD to associate with the forward traffic session and a corresponding reverse traffic session by performing a load balancing function on the packet; and (iv) causes the packet to be processed by the selected FSD.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A method comprising:
 storing, within a switching device associated with a protected network, information regarding service group and Virtual Local Area Network (VLAN) associations for each of a plurality of front panel ports of the switching device and for each of a plurality of fabric slots of the switching device, wherein each service group of a plurality of service groups includes a set of one or more of a plurality of VLANs and each of the plurality of front panel ports is assigned to a VLAN of the plurality of VLANs, wherein each service group includes a set of one or more slots of the plurality of fabric slots and wherein each of a plurality of firewall security devices providing security services for the protected network are to be coupled with one of the plurality of fabric slots; and   responsive to receiving, at a first front panel port of the plurality of front panel ports, a first packet of a forward traffic session from a source device coupled to the first front panel port and directed to a target device coupled to a second front panel port of the plurality of front panel ports:
 tagging, by the switching device, the first packet of the forward traffic session based on a VLAN identifier (VLAN ID) corresponding to the VLAN of the plurality of VLANs to which the first front panel port is assigned; 
 identifying, by the switching device, the service group of the plurality of service groups in which the VLAN is included; 
 selecting, by a load balancing control unit of the switching device, a slot of the set of one or more slots within the identified service group and thereby selecting a firewall security device from among the plurality of firewall security devices to associate with the forward traffic session and a corresponding reverse traffic session from the target device to the source device by performing a load balancing function on at least a portion of the first packet of the forward traffic session; and 
 causing the first packet of the forward traffic session to be processed by the selected firewall security device by redirecting the first packet of the forward traffic session to the selected slot. 
   
     
     
         2 . The method of  claim 1 , further comprising maintaining, by the switching device, session data including a plurality of session entries each of which represent a previously observed traffic session by the switching device from a particular source device to a particular destination device and each of which form an association between the previously observed traffic session and a particular firewall security device of the plurality of firewall security devices. 
     
     
         3 . The method of  claim 2 , wherein the first packet of the forward traffic session comprises a TCP synchronize (SYN) packet. 
     
     
         4 . The method of  claim 3 , further comprising:
 responsive to said receiving, reducing vulnerability of the switching device to a TCP SYN flooding attack, by the switching device, by foregoing installation of a forward session entry for the forward traffic session within the session data; and   responsive to receipt from the selected firewall security device the processed TCP SYN packet:   installing, by the switching device, a reverse session entry for the corresponding reverse traffic session within the session data with the target device identified as the particular source device and with the source device identified as the particular destination device; and   transmitting the processed TCP SYN packet to the target device via the second port.   
     
     
         5 . The method of  claim 1 , wherein the plurality of session entries contain information regarding a source Internet Protocol (IP) address, a destination IP address, a protocol field, a source port number, a destination port number and a corresponding VLAN ID. 
     
     
         6 . The method of  claim 5 , wherein the source port number and the destination port number comprise a TCP port number, a User Datagram Protocol (UDP) port number or a layer 4 port number. 
     
     
         7 . A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a switching device associated with a protected network, cause the one or more processors to perform a method for load balancing among a plurality of firewall security devices performing security services on behalf of the protected network, the method comprising:
 storing information regarding service group and Virtual Local Area Network (VLAN) associations for each of a plurality of front panel ports of the switching device and for each of a plurality of fabric slots of the switching device, wherein each service group of a plurality of service groups includes a set of one or more of a plurality of VLANs and each of the plurality of front panel ports is assigned to a VLAN of the plurality of VLANs, wherein each service group includes a set of one or more slots of the plurality of fabric slots and wherein each of a plurality of firewall security devices providing security services for the protected network are to be coupled with one of the plurality of fabric slots; and   responsive to receiving, at a first front panel port of the plurality of front panel ports, a first packet of a forward traffic session from a source device coupled to the first front panel port and directed to a target device coupled to a second front panel port of the plurality of front panel ports:
 tagging the first packet of the forward traffic session based on a VLAN identifier (VLAN ID) corresponding to the VLAN of the plurality of VLANs to which the first front panel port is assigned; 
 identifying the service group of the plurality of service groups in which the VLAN is included; 
 selecting a slot of the set of one or more slots within the identified service group and thereby selecting a firewall security device from among the plurality of firewall security devices to associate with the forward traffic session and a corresponding reverse traffic session from the target device to the source device by performing a load balancing function on at least a portion of the first packet of the forward traffic session; and 
 causing the first packet of the forward traffic session to be processed by the selected firewall security device by redirecting the first packet of the forward traffic session to the selected slot. 
   
     
     
         8 . The non-transitory computer-readable storage medium of  claim 7 , wherein the method further comprises maintaining session data including a plurality of session entries each of which represent a previously observed traffic session by the switching device from a particular source device to a particular destination device and each of which form an association between the previously observed traffic session and a particular firewall security device of the plurality of firewall security devices. 
     
     
         9 . The non-transitory computer-readable storage medium of  claim 8 , wherein the first packet of the forward traffic session comprises a TCP synchronize (SYN) packet. 
     
     
         10 . The non-transitory computer-readable storage medium of  claim 9 , wherein the method further comprises:
 responsive to said receiving, reducing vulnerability of the switching device to a TCP SYN flooding attack by foregoing installation of a forward session entry for the forward traffic session within the session data; and   responsive to receipt from the selected firewall security device the processed TCP SYN packet:   installing a reverse session entry for the corresponding reverse traffic session within the session data with the target device identified as the particular source device and with the source device identified as the particular destination device; and   transmitting the processed TCP SYN packet to the target device via the second port.   
     
     
         11 . The non-transitory computer-readable storage medium of  claim 7 , wherein the plurality of session entries contain information regarding a source Internet Protocol (IP) address, a destination IP address, a protocol field, a source port number, a destination port number and a corresponding VLAN ID. 
     
     
         12 . The non-transitory computer-readable storage medium of  claim 11 , wherein the source port number and the destination port number comprise a TCP port number, a User Datagram Protocol (UDP) port number or a layer 4 port number.

Join the waitlist — get patent alerts

Track US2016294866A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.