Patent classifications
H04L41/142
NETWORK DEVICE IDENTIFICATION
An apparatus in a computer network system extracts network traffic metadata related to a client computing device of a local network. The network traffic metadata is required by a device fingerprinting process. In response to detecting a multicast DNS (mDNS) packet query in the network traffic metadata, the apparatus collects an mDNS hostname related to the client computing device from the mDNS packet query. In response to determining, at a first point in time, that a dynamic host configuration protocol (DHCP) hostname related to the client computing device is unavailable in the network traffic metadata, the apparatus assigns the mDNS hostname to the client computing device.
FEEDBACK-BASED CONTROL SYSTEM FOR SOFTWARE DEFINED NETWORKS
Some embodiments provide a novel method for dynamically adjusting sampling rates of a middlebox service. In some embodiments, the method is performed by the controller. The method configures the forwarding element to collect samples from packets processed by the forwarding element at a first sampling rate. The method analyzes the samples in order to collect information regarding the packets processed by the forwarding element. Based on the analysis, the method detects a new traffic pattern in the packets processed by the forwarding element. The method then configures the forwarding element to collect samples from packets processed by the forwarding element at a second sampling rate different than the first sampling rate.
Cloud assisted machine learning
A method for training an analytics engine hosted by an edge server device is provided. The method includes determining a classification for data in an analytics engine hosted by an edge server and computing a confidence level for the classification. The confidence level is compared to a threshold. The data is sent to a cloud server if the confidence level is less than the threshold. A reclassification is received from the cloud server and the analytics engine is trained based, at least in part, on the data and the reclassification.
Deploying microservices across a service infrastructure
A method, computer system, and a computer program product for deploying a plurality of microservices across a service infrastructure having a plurality of resources is provided. The present invention may include determining at least one dependency of the plurality of microservices. The present invention may include, for each resource of the plurality of resources, determining an outage distribution descriptive of an availability of the resource with respect to time. The present invention may include, based on the outage distribution associated with each resource and the at least one dependency of the plurality of microservices, determining a deployment configuration of the plurality of microservices across the resources of the service infrastructure.
Logical network health check in software-defined networking (SDN) environments
Example methods and systems for logical network health check. One example may comprise obtaining network configuration information and network realization information associated with a logical network; processing the network configuration information and the network realization information to determine the following: (a) network configuration health information specifying a network configuration issue and a first remediation action; and (b) network realization health information specifying a network realization issue and a second remediation action; and providing, to a user device, multiple user interfaces (UIs) specifying the first health information and the second health information along with a visualization of the logical network. In response to detecting an instruction initiated by the user device using at least one of the multiple UIs, the first remediation action or the second remediation action may be performed.
Intent-based policy generation for virtual networks
Techniques are disclosed for generating intent-based policies and applying the policies to traffic of a computer network. In one example, a policy controller for the computer network receives traffic statistics for traffic flows among a plurality of application workloads executed by a first set of computing devices. The policy controller correlates the traffic statistics into session records for the plurality of application workloads. The policy controller generates, based on the session records for the application workloads, application firewall policies for the application workloads. Each of the application firewall policies defines whether traffic flows between application workloads are to be allowed or denied. The policy controller distributes the application firewall policies to a second set of one or more computing devices for application to traffic flows between instances of the application workloads.
PERFORMANCE METRICS OF DOMAINS
In some examples, a non-transitory computer-readable medium stores machine-readable instructions which, when executed by a processor, cause the processor to: collect operational data of an enterprise; identify a domain of the operational data; determine a performance metric of the domain; and generate a report based on the performance metric.
Analyzing user behavior patterns to detect compromised nodes in an enterprise network
Systems and methods for analyzing user behavior patterns to detect compromised computing devices in an enterprise network are provided. According to one embodiment, an enforcement engine running on a network security device identifies top users of a network exhibiting a suspicious behavior relating to login failures by determining a first set of users having a number of login failure events during a given time duration exceeding a threshold. The enforcement engine identifies, from the first set of computers associated with the top users, a second set of computers exhibiting a suspicious behavior relating to new connections exceeding a threshold. The enforcement engine classifies a third set of computers, representing a subset of the second set exhibiting a suspicious behavior relating to consecutive new connections, as compromised source computers when their respective new connections are in a sequence that results in a Shannon entropy measure exceeding a threshold.