PALO ALTO NETWORKS, INC. Patent applications |
Patent application number | Title | Published |
20140331311 | SECURITY PROCESSING IN ACTIVE SECURITY DEVICES - Methods, systems, and apparatus, including computer program products, featuring receiving at a first security device a packet. The first security device determines that the packet is associated with a flow assigned to a distinct second security device. The first security device sends the packet to the second security device. After the second security device performs security processing using the packet, the first security device receives from the second security device a message regarding the packet. The first security device transmits the packet. | 11-06-2014 |
20140237597 | AUTOMATIC SIGNATURE GENERATION FOR MALICIOUS PDF FILES - In some embodiments, automatic signature generation for malicious PDF files includes: parsing a PDF file to extract script stream data embedded in the PDF file; determining whether the extracted script stream data within the PDF file is malicious; and automatically generating a signature for the PDF file. | 08-21-2014 |
20140215562 | EVENT AGGREGATION IN A DISTRIBUTED PROCESSOR SYSTEM - A security device for processing network flows includes packet processing cards with packet processors formed thereon where each packet processing card stores local counter values for one or more events and a packet processing manager including global event counters to maintain event statistics for events in the security device. In one embodiment, the packet processing manager stores a copy of the local counter value of an event for each packet processor reporting the event in the counter memory and the global event counter provides a global counter sum value for the event by summing the copies of local counter values in the local memory. In another embodiment, the global counter sum is compared to a threshold value to put the event in a conforming state or non-conforming state. The packet processing manager sends a multicast message to the interested packet processors indicating an event has transitioned to a non-conforming state. | 07-31-2014 |
20140150051 | DYNAMIC RESOLUTION OF FULLY QUALIFIED DOMAIN NAME (FQDN) ADDRESS OBJECTS IN POLICY DEFINITIONS - Dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions is provided. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes receiving a network policy that includes a domain name (e.g., the network policy can include a network security rule that is based on the domain name); and periodically updating Internet Protocol (IP) address information associated with the domain name by performing a Domain Name Server (DNS) query. In some embodiments, dynamic resolution of Fully Qualified Domain Name (FQDN) address objects in policy definitions includes dynamically performing a first local Domain Name Server (DNS) lookup for a first VSYS using a first DNS server on a first domain name for implementing a network policy based on the first domain name; dynamically performing a second local DNS lookup for a second VSYS using a second DNS server on the first domain name for implementing the network policy based on the first domain name; in which the network policy includes a network security rule that is based on the first domain name, and the network policy includes a network security rule that is based on the second domain name. | 05-29-2014 |
20140119376 | L2/L3 MULTI-MODE SWITCH INCLUDING POLICY PROCESSING - Methods and apparatus for processing data packets in a computer network are described. One general method includes receiving a data packet; examining the data packet to classify the data packet including classifying the data packet as a L2 or L3 packet and including determining at least one zone associated with the packet; processing the packet in accordance with one or more policies associated with the zone; determining forwarding information associated with the data packet; and if one or more policies permit, forwarding the data packet toward an intended destination using the forwarding information. | 05-01-2014 |
20140090059 | HEURISTIC BOTNET DETECTION - In some embodiments, heuristic botnet detection is provided. In some embodiments, heuristic botnet detection includes monitoring network traffic to identify suspicious network traffic; and detecting a bot based on a heuristic analysis of the suspicious network traffic behavior using a processor, in which the suspicious network traffic behavior includes command and control traffic associated with a bot master. In some embodiments, heuristic botnet detection further includes assigning a score to the monitored network traffic, in which the score corresponds to a botnet risk characterization of the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); increasing the score based on a correlation of additional suspicious behaviors associated with the monitored network traffic (e.g., based on one or more heuristic botnet detection techniques); and determining the suspicious behavior is associated with a botnet based on the score. | 03-27-2014 |
20140075539 | PACKET CLASSIFICATION IN A NETWORK SECURITY DEVICE - Methods and apparatuses are described for inspecting data packets in a computer network. One or more data packets through the network have associated header data and content. One method includes receiving a data packet, examining the data packet to classify the data packet including classifying the data packet using information included in the header and content, determining flow instructions for processing the packet based on both the header information and the content and processing of the packet using the flow instructions. | 03-13-2014 |
20130318198 | MANAGING NETWORK DEVICES - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for configuring network devices. A central management system stores shared configuration objects in a central configuration database. A network device stores shared configuration objects and device-specific configuration objects in a local configuration database. The local configuration database's shared configuration objects correspond to shared configuration objects in the central configuration database. The central management system determines the network device has received a request to update a shared configuration object, where the request did not originate from the central management system, and updates the central configuration database. | 11-28-2013 |
20130298222 | HIGH AVAILABILITY SECURITY DEVICE - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for processing a first plurality of packets using one or more processors and maintaining one or more flow records associated with the first plurality of packets, and processing a second plurality of packets without maintaining flow records associated with the second plurality of packets and allowing the second plurality of packets to pass to one or more destinations. | 11-07-2013 |
20130198348 | MANAGING NETWORK DEVICES - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for managing network devices. A central management system stores shared configuration objects in a central configuration database. A network device stores shared configuration objects and device-specific configuration objects in a local configuration database. The local configuration database's shared configuration objects correspond to shared configuration objects in the central configuration database. The network device can be configured locally or using the central management system. | 08-01-2013 |
20120324064 | MANAGING NETWORK DEVICES - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for configuring network devices. A central management system stores shared configuration objects in a central configuration database. A network device stores shared configuration objects and device-specific configuration objects in a local configuration database. The local configuration database's shared configuration objects correspond to shared configuration objects in the central configuration database. The central management system determines the network device has received a request to update a shared configuration object, where the request did not originate from the central management system, and updates the central configuration database. | 12-20-2012 |
20120304244 | MALWARE ANALYSIS SYSTEM - In some embodiments, a malware analysis system includes receiving a potential malware sample from a firewall; analyzing the potential malware sample using a virtual machine to determine if the potential malware sample is malware; and automatically generating a signature if the potential malware sample is determined to be malware. In some embodiments, the potential malware sample does not match a preexisting signature, and the malware is a zero-day attack. | 11-29-2012 |
20120303808 | USING DNS COMMUNICATIONS TO FILTER DOMAIN NAMES - Using DNS communications to filter domain names is disclosed. A domain name is extracted from a received DNS request. The received DNS request is blocked in response to determining based on a policy that access to the domain name of the DNS request is not permitted. In some cases, such a DNS request is responded to with a spoofed DNS response. | 11-29-2012 |
20120166599 | MANAGING NETWORK DEVICES - Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for managing network devices. A central management system stores shared configuration objects in a central configuration database. A network device stores shared configuration objects and device-specific configuration objects in a local configuration database. The local configuration database's shared configuration objects correspond to shared configuration objects in the central configuration database. The network device can be configured locally or using the central management system. | 06-28-2012 |
20120026881 | PACKET CLASSIFICATION IN A NETWORK SECURITY DEVICE - Methods and apparatuses are described for inspecting data packets in a computer network. One or more data packets through the network have associated header data and content. One method includes receiving a data packet, examining the data packet to classify the data packet including classifying the data packet using information included in the header and content, determining flow instructions for processing the packet based on both the header information and the content and processing of the packet using the flow instructions. | 02-02-2012 |