Multi-tenant cloud-based firewall systems and methods are described. The firewall systems and methods can operate overlaid with existing branch office firewalls or routers as well as eliminate the need for physical firewalls. The firewall systems and methods can protect users at user level control, regardless of location, device, etc., over all ports and protocols (not only ports 80/443) while providing administrators a single unified policy for Internet access and integrated reporting and visibility. The firewall systems and methods can eliminate dedicated hardware at user locations, providing a software-based cloud solution. The firewall systems and methods support application awareness to identify application; user awareness to identify users, groups, and locations regardless of physical address; visibility and policy management providing unified administration, policy management, and reporting; threat protection and compliance to block threats and data leaks in real-time; high performance through an in-line cloud-based, scalable system; etc.

Systems and methods for connecting devices via a virtual global network across network fabrics using a network tapestry are disclosed. The network system comprises a first access point server in communication with a first backbone exchange server, a second access point server in communication with a second backbone exchange server, and a network tapestry comprising a first communication path connecting the first and second access point servers and a second communication path connecting the first and second backbone exchange servers.

In general, this disclosure describes a multi-zone secure AI exchange. The multi-zone secure AI exchange may be implemented in a multi-cloud, multi-data center environment, where each zone may be in a different cloud or data center. The multi-zone secure AI exchange may include a data repository, a data exchange, and shared services. The data repository may be configured to store algorithms and datasets, each having a respective owning user. The data exchange may receive datasets and algorithms from the data repository, and may perform the algorithms to produce output data. Each of the data repository, data exchange, and shared services may have a different level of security. The data repository may implement the highest level of security, allowing the owner user, and only the owning user, to control how their data and algorithms move in and out of the data repository, or are changed while in the data repository.

Some embodiments provide a method for configuring a logical middlebox in a hosting system that includes a set of nodes. The logical middlebox is part of a logical network that includes a set of logical forwarding elements that connect a set of end machines. The method receives a set of configuration data for the logical middlebox. The method uses a stored set of tables describing physical locations of the end machines to identify a set of nodes at which to implement the logical middlebox. The method provides the logical middlebox configuration for distribution to the identified nodes.

In general, in an aspect, a method for providing an outbound gateway protection includes provisioning one or more worker gateways located in a first gateway virtual private cloud, the one or more worker gateways sharing configuration data with the controller gateway, provisioning one or more load balancer gateways in one or more client virtual clouds, the one or more client virtual clouds each comprising one or more clients, the one or more load balancer gateways distributing client requests among the worker gateways, assigning groups of the one or more clients to one of the one or more load balancer gateways based on requests from a majority of the worker gateways, and communicating outbound network traffic from the clients via the assigned load balancer gateways.

In an example, a security service providing system receives a service request for requesting security service for a target flow, determine a security device for providing security service for the target flow and first service configuration information and next-hop information of the security device according to security service information carried in the service request, and configure the first service configuration information and the next-hop information of the security device onto the security device, so that the security device provides security service to the target flow according to the first service configuration information and forwards the target flow according to the next-hop information

For a managed network, some embodiments provide a method for a set of service nodes in an active-active service node cluster in conjunction with a host computer hosting a destination data compute node (DCN) to improve the efficiency of directing a data message to a service node storing state information for the flow to which the data message belongs. a first service node receives a data message in a particular data message flow for which it does not maintain state information. The first service node then identifies a second service node to process the data message and forwards the data message to the second service node. The second service node sends state information for the particular data message flow to the first service node, for the first service node to use to process subsequent data messages in the particular data message flow.

A distributed network security service is disclosed. The disclosed platform comprises an external service that facilitates security operations for a private network. Data from nodes of the private network is received and analyzed by the service. An output is automatically generated by the service in response to a detected security event in the analyzed data that facilitates remediating the security event at least at one or more of the nodes of the private network, wherein a latency exists between the security event occurring on the private network and being remediated during which time an entity responsible for the security event has access to the private network before being blocked.

Embodiments are directed to host discovery for firewall coordination. An embodiment of a storage medium includes instructions for discovering a network topology for a network branch, the network branch including multiple access points including a first access point, the first access point having an interface to a network, the discovery of the network topology including identifying any access point that is linked to the first access point directly or via one or more intermediary access points; discovering one or more host devices that are connected by wireless or wired connections to one or more access points in the network branch; and generating a firewall coordination plan for the network branch based on the discovered network topology and the discovered one or more hosts, the firewall coordination plan including applying a firewall process for an access point to which a first host device is attached and bypassing one or more other firewall processes.

The technology disclosed herein enables micro-segmentation of virtual computing elements. In a particular embodiment, a method provides identifying one or more multi-tier applications comprising a plurality of virtual machines. Each application tier of the one or more multi-tier applications comprises at least one of the plurality of virtual machines. The method further provides maintaining information about the one or more multi-tier applications. The information at least indicates a security group for each virtual machine of the plurality of virtual machines. Additionally, the method provides identifying communication traffic flows between virtual machines of the plurality of virtual machines and identifying one or more removable traffic flows of the communication traffic flows based, at least in part, on the information. The method then provides blocking the one or more removable traffic flows.