US Pat. No. 9,100,423

SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT

Fortinet, Inc., Sunnyval...

1. A method for processing network traffic data by a network switching device, the method comprising:
receiving a packet, by a network interface of the network switching device, to initiate a new session from an Internet Protocol
(IP) address;

determining, on the network switching device, a number N of concurrent sessions for active concurrent sessions associated
with the IP address; and

when the number N of concurrent sessions for active concurrent sessions associated with the IP address is less than a concurrent
session threshold T1:

determining, on the network switching device, a rate R at which the number of sessions N are received within a time period t
including a session of the received packet, where R=N÷t;

allowing the packet to pass when the session rate threshold R is less than the prescribed session rate threshold T2 (R<T2); and
classifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or
equal to the prescribed session rate threshold T2 (R≥T2) and performing a preventative action with regard to the packet.

US Pat. No. 9,083,677

HUMAN USER VERIFICATION OF HIGH-RISK NETWORK ACCESS

Fortinet, Inc., Sunnyval...

1. A method comprising:
identifying, by an intermediary security device, a high-risk network access initiated by a device, wherein the high-risk network
access poses a risk to the device, a human user of the device or a private network within which the device is operating;

sending, by the intermediary security device, a human user test message to the human user of the device to verify that the
high-risk network access was initiated by or is otherwise authorized by the human user of the device;

receiving, by the intermediary security device, a response to the human user test message;
determining, by the intermediary security device, if the response is a correct response to the human user test message; and
allowing, by the intermediary security device, the high-risk network access if the response is correct, wherein said allowing
the high-risk network access comprises one or more of:

redirecting the human user of the device to the resource originally requested;
directly returning a copy of the requested resource temporarily stored on the intermediary security device;
presenting the human user of the device with an alternative Uniform Resource Locator (URL) that points to a copy of the resource
originally requested temporarily stored on the intermediary security device; and

sending a resource originally requested to the human user of the device via an alternative secure channel.

US Pat. No. 9,065,802

POLICY-BASED CONFIGURATION OF INTERNET PROTOCOL SECURITY FOR A VIRTUAL PRIVATE NETWORK

Fortinet, Inc., Sunnyval...

1. A method comprising:
displaying, via a browser-based interface of a source network device, a policy page through which a plurality of Virtual Private
Network (VPN) settings are configured for establishing a VPN connection, the plurality of VPN settings including a type of Internet
Protocol Security (IPSec) tunnel to be established between the source network device and a peer network device;

receiving, via the browser-based interface by the source network device, one or more parameter values corresponding to one
or more of the plurality of VPN settings;

responsive to said receiving, creating or modifying a policy file corresponding to the VPN connection, the policy file containing
therein a plurality of parameter values corresponding to the plurality of VPN settings;

requesting establishment of the VPN connection between the source network device and the peer network device based on the
plurality of parameter values contained within the policy file by sending a notification request, including the policy file,
from the source network device to the peer network device;

receiving by the source network device an acknowledgement message from the peer network device acknowledging receipt of the
notification message;

receiving by the source network device a reply message from the peer network device in response to the notification message;
and

displaying information regarding a status of the VPN connection on the policy page.

US Pat. No. 9,060,025

CLOUD-BASED SECURITY POLICY CONFIGURATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
logging into a cloud account by a first network appliance;
fetching from the cloud account, by the first network appliance, one or more security parameters shared by a second network
appliance to the cloud account;

automatically creating, by the first network appliance, a security policy that controls a connection between the first network
appliance and the second network appliance based at least in part on the one or more security parameters;

further comprising:
fetching from the cloud account, by the first network appliance, a modification of the one or more security parameters shared
by the second network appliance to the cloud account;

updating, by the first network appliance, the security policy based at least in part on the modification of the one or more
security parameters.

US Pat. No. 9,065,847

SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT

Fortinet, Inc., Sunnyval...

1. A method for processing network traffic content performed on a network switching device, comprising:
receiving, via a network interface of the network switching device, a packet associated with a new network traffic session;
identifying, on the network switching device, one or more Internet Protocol (IP) addresses associated with the new network
traffic session;

determining, on the network switching device, a number of concurrent sessions associated with at least one of the one or more
IP addresses associated with the new network traffic session; and

when the determined number of concurrent sessions is greater than a concurrent IP address session threshold, performing flooding
attack mitigation processing at least in part on the network switching device, wherein the concurrent IP address session threshold
is learned based on processing of stored packet history log data that determines the concurrent IP address session threshold.

US Pat. No. 9,172,721

SCALABLE INLINE BEHAVIORAL DDOS ATTACK MITIGATION

Fortinet, Inc., Sunnyval...

1. An apparatus capable of enforcing behavioral policies and preventing Distributed Denial of Service (DDoS) attacks, the
apparatus comprising:
a plurality of data interfaces configured to receive and forward or drop inbound/outbound packets;
a plurality of DDoS attack mitigation components configured to (i) continuously learn granular rates at a plurality of Open
System Interconnection (OSI) model network layers, wherein the granular rates represent observed rates of parameters for one
or more of OSI model layer 2, layer 3, layer 4 or layer 7 within the inbound/outbound packets during a period of time; (ii)
send information regarding the granular rates back to a controlling host; (iii) receive granular rate thresholds from the
controlling host, and (iv) perform adaptive DDoS attack mitigation based on the granular rate thresholds;

a switch, coupled to the plurality of DDoS attack mitigation components, configured to forward the inbound/outbound packets
to the plurality of DDoS attack mitigation components and remember a port on which the inbound/outbound packets were received
to facilitate forwarding of packets processed by the plurality of DDoS attack mitigation components over a corresponding pair
port;

a controlling host configured to (i) receive granular rate data relating to the learned granular rates from the plurality
of DDoS attack mitigation components, (ii) aggregate the received granular rate data in accordance with a scaling treatment
scheme to generate the granular rate thresholds and (iii) send the granular rate thresholds to the plurality of DDoS attack
mitigation components; and

a host interface connecting the plurality of DDoS attack mitigation components to the controlling host.

US Pat. No. 9,197,628

DATA LEAK PROTECTION IN UPPER LAYER PROTOCOLS

Fortinet, Inc., Sunnyval...

1. A data leak prevention (DLP) method comprising:
receiving from a network administrator, by a network security appliance within a private network, (i) information defining
a DLP rule to be applied by the network security appliance to packets associated with an upper layer protocol and (ii) information
defining an action to take when one or more conditions associated with the DLP rule are satisfied, wherein the packets are
originated within the private network and addressed to a destination residing outside of the private network and wherein the
DLP rule is defined in terms of one or more of a regular expression and a string that are configured to detect existence of
one or more forms of sensitive information carried by the packets;

receiving, by the network security appliance, a packet originated by a host device within the private network and directed
to a destination device outside of the private network;

determining, by the network security appliance, the received packet is associated with the upper layer protocol;
identifying, by the network security appliance, a command, request or method of the upper layer protocol that is specified
by or represented by the received packet;

scanning, by the network security appliance, the received packet for sensitive information by applying the DLP rule to one
or more fields of the command, request or method, wherein the command, request or method is not designed or intended to carry
data or information in a form of a message or file to a target of the command, request or method;

when the scanning results in a conclusion that the sensitive information is contained within the received packet, then performing,
by the network security appliance, the defined action;

wherein the one or more forms of sensitive information comprise a payment card number or a social security number;
wherein the regular expression detects a format and type of content corresponding to a credit card number associated with
a particular payment processing provider or the social security number; and

wherein the regular expression comprises:
^4[0-9]{12}(?:[0-9]{3})?$;
^5[1-5][0-9]{14}$; or
^([[:digit:]]{3}[-][[:digit:]]{2}[[:digit:]]{4}|[[:digit:]]{9})$.
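The claim applies the DLP rule to the fields of a protocol command rather than to a message body. The following is an added illustration of that step, not Fortinet's code or the patent's embodiment: it parses the request line and headers of a constructed HTTP request and applies the three patterns quoted in the claim to every digit-and-hyphen token found in those fields. Python's re module does not understand POSIX classes such as [[:digit:]], so the third rule is transcribed with [0-9] but is otherwise kept exactly as printed (including the absence of a hyphen before the final four digits); the field names, the sample request and the "block" action are assumptions.

```python
import re

# Rules quoted in the claim above. [[:digit:]] is transcribed as [0-9] for
# Python; the patterns are otherwise unchanged. The anchors mean each rule
# matches a whole token, so fields are tokenised before matching.
DLP_RULES = {
    "visa": re.compile(r"^4[0-9]{12}(?:[0-9]{3})?$"),
    "mastercard": re.compile(r"^5[1-5][0-9]{14}$"),
    "ssn": re.compile(r"^([0-9]{3}[-][0-9]{2}[0-9]{4}|[0-9]{9})$"),
}


def parse_http_request_head(raw):
    """Split the request line and headers of an HTTP request into named fields.
    The body is deliberately ignored: the claim scans the command itself,
    which is not meant to carry data."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    fields = {"method": method, "target": target, "version": version}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        fields["header:" + name.strip().lower()] = value.strip()
    return fields


def scan_fields(fields, rules=DLP_RULES):
    """Apply every anchored rule to each digit-and-hyphen token of each field.
    Returns (field, rule name) pairs in the order they were found."""
    findings = []
    for field, value in fields.items():
        for token in re.findall(r"[0-9][0-9-]*", value):
            for name, rx in rules.items():
                if rx.match(token):
                    findings.append((field, name))
    return findings


def dlp_decision(raw_request, action="block"):
    """Perform the configured action when any rule fires, otherwise allow."""
    findings = scan_fields(parse_http_request_head(raw_request))
    return (action if findings else "allow"), findings


# Constructed sample: card and SSN-shaped values smuggled in a GET request
# line and a custom header, with no message body at all.
SAMPLE_REQUEST = (
    "GET /checkout?card=4111111111111111&ssn=123456789 HTTP/1.1\r\n"
    "Host: shop.example.test\r\n"
    "X-Account-Ref: 5500000000000004\r\n"
    "\r\n"
)

CLEAN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: shop.example.test\r\n\r\n"

if __name__ == "__main__":
    print(dlp_decision(SAMPLE_REQUEST))
    print(dlp_decision(CLEAN_REQUEST))
```

Tokenising on digit runs before applying the anchored patterns is what lets a whole-token rule such as ^5[1-5][0-9]{14}$ fire on a value embedded in a query string; without that step the anchors would only ever match a field whose entire content is the number.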

US Pat. No. 9,143,351

IDENTIFYING NODES IN A RING NETWORK

Fortinet, Inc., Sunnyval...

14. A method of determining a token master on a ring network, the method comprising:
receiving a packet containing a network token at a first node of a plurality of nodes, each of which has a priority, on the
ring network;

if the network token does not arrive within a preselected network timeout period, generating an arbitration token;
if the packet contains an arbitration token, checking to see if the arbitration token was modified by a higher priority node
of the plurality of nodes of the ring network and if not, setting the first node as a token master and converting the arbitration
token to a packet transmission token, wherein arbitration tokens are used to identify a token master of the plurality of nodes,
which are responsible for generating a packet transmission token onto the ring network and wherein the packet transmission
token authorizes a transmitting node of the plurality of nodes that has most recently received the packet transmission token
to transmit locally generated packets onto the ring network.

US Pat. No. 9,130,978

SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT

Fortinet, Inc., Sunnyval...

1. A method for processing network traffic data comprising:
receiving a packet to initiate a new session associated with an Internet Protocol (IP) address;
taking into account the received packet, determining a rate R at which a number N of session initiation packets associated
with the IP address are received within a time period t, where R=N÷t;

storing, on a data storage device, a representation of the rate R;
comparing the rate R with a prescribed session rate threshold T;
allowing the packet to pass when the session rate threshold R is less than the prescribed session rate threshold T (R<T); and

classifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or
equal to the prescribed session rate threshold T (R≥T).

US Pat. No. 9,319,303

SCALABLE IP-SERVICES ENABLED MULTICAST FORWARDING WITH EFFICIENT RESOURCE UTILIZATION

Fortinet, Inc., Sunnyval...

1. A method of managing multicast Internet Protocol (IP) sessions, the method comprising:
identifying, by a router, active multicast IP sessions; and
maintaining, by the router, a data structure within a memory of the router containing therein information regarding the active
multicast IP sessions;

wherein the data structure includes:
a plurality of pairs of a source field and a group field ({S, G} pairs), in which each pair of the plurality of {S, G} pairs
defines a multicast IP session of the active multicast IP sessions, wherein the source field defines a source of a multicast
transmission of the multicast IP session and the group field defines a group corresponding to the multicast IP session;

a first pointer associated with each of the plurality of {S, G} pairs that points to a dynamically allocated set of outbound
interface (OIF) blocks, wherein a number of OIF blocks in the dynamically allocated set of OIF blocks is dependent upon a number
of OIFs of the router that are participating in the IP multicast session and the number of OIF blocks in the dynamically allocated
set of OIF blocks defines a number of times packets of the IP multicast session are to be replicated; and

a set of slots for each OIF block of the set of dynamically allocated OIF blocks, each slot of the set of slots having stored
therein a second pointer to a transmit control block (TCB) data structure which services one or more users participating in
the IP multicast session and which has stored therein control information to process or route packets of the IP multicast
session, including information regarding an OIF of the router through which the packets are to be transmitted.

US Pat. No. 9,288,844

WIRELESS RADIO ACCESS POINT CONFIGURATION

Fortinet, Inc., Sunnyval...

2. A method of steering antennas of a dual radio access point (AP) comprising:
computing, by the dual radio AP, locations of recipient devices based on packets queued for transmission on a first transmit
queue of a first 5 GigaHertz (GHz) radio and packets queued for transmission on a second transmit queue of a second 5 GHz
radio of the dual radio AP;

calculating, by the dual radio AP, angles within a horizontal plane to which a first directional antenna associated with the
first 5 GHz radio and a second directional antenna associated with the second 5 GHz radio should be directed to transmit the
packets queued on the first transmit queue and the packets queued on the second transmit queue, respectively, based on the
computed locations;

determining, by the dual radio AP, whether interference would take place between the first directional antenna and the second
directional antenna if the packets queued on the first transmit queue and the packets queued on the second transmit queue
are transmitted based on the calculated angles and estimated timing of transmission; and

transmitting, by the dual radio AP, the packets to avoid interference by rescheduling one or more of the packets queued on
the first transmit queue or one or more of the packets queued on the second transmit queue when a result of said determining
is affirmative.

US Pat. No. 9,049,220

SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT

Fortinet, Inc., Sunnyval...

1. A method for processing network traffic data comprising:
receiving a packet to initiate a new session from an Internet Protocol (IP) address;
determining a concurrent session counter N for active concurrent sessions associated with the IP address;
comparing the concurrent session counter N for active concurrent sessions associated with the IP address with a prescribed
concurrent session threshold T;

allowing the packet to pass when the concurrent session counter N for active concurrent sessions associated with the IP address
is less than the prescribed concurrent session threshold T (N<T); and
classifying the packet as possibly associated with a flooding attack when the concurrent session counter N for active concurrent
sessions associated with the IP address is greater than or equal to the prescribed concurrent session threshold T (N≥T).
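The three flooding-detection claims above (US 9,100,423, US 9,130,978 and US 9,049,220) describe two per-source tests: a count N of active concurrent sessions against a threshold T1, and a session-initiation rate R = N ÷ t over a time period t against a threshold T2, with the packet classified as a possible flooding attack when either threshold is met. The following is an added illustration combining both tests in one check, not Fortinet's code or the patents' embodiment. The threshold values, the one-second window and the sample address are assumed; "flood" stands in for whatever preventative action an operator configures.

```python
from collections import defaultdict, deque


class FloodGuard:
    """Per-source-IP flood check: active-session count N against T1, then the
    initiation rate R = N / t against T2. Added illustration; T1, T2 and the
    window t are assumed operator-chosen values."""

    def __init__(self, t1, t2, window):
        self.t1 = t1            # concurrent session threshold T1
        self.t2 = t2            # session rate threshold T2, in sessions per second
        self.window = window    # time period t, in seconds
        self.active = defaultdict(int)    # N: active concurrent sessions per IP
        self.starts = defaultdict(deque)  # initiation timestamps per IP, oldest first

    def on_new_session(self, ip, now):
        """Classify a session-initiation packet from `ip` seen at time `now`.
        Returns "pass" or "flood"; "flood" stands for the preventative action."""
        if self.active[ip] >= self.t1:
            return "flood"      # N >= T1: too many concurrent sessions already
        starts = self.starts[ip]
        starts.append(now)      # the rate includes the session of this packet
        while starts and now - starts[0] >= self.window:
            starts.popleft()    # drop initiations that fell outside the period t
        rate = len(starts) / self.window    # R = N / t
        if rate >= self.t2:
            return "flood"      # R >= T2: initiation rate too high
        self.active[ip] += 1    # session admitted; it now counts toward N
        return "pass"

    def on_session_end(self, ip):
        """Called when an admitted session closes, so N goes back down."""
        if self.active[ip] > 0:
            self.active[ip] -= 1


def run_scenario():
    """Constructed timeline for one source; returns the verdict per initiation."""
    guard = FloodGuard(t1=3, t2=5.0, window=1.0)
    src = "198.51.100.7"   # constructed sample address
    events = [
        ("new", 0.0), ("new", 0.1), ("new", 0.2),   # three sessions admitted
        ("new", 0.3),                                # N == T1 -> flood
        ("end", None), ("new", 0.4),                 # one closed, one more admitted
        ("end", None), ("new", 0.5),                 # N < T1 but R == 5/s -> flood
        ("new", 2.0),                                # window has slid -> pass again
    ]
    verdicts = []
    for kind, t in events:
        if kind == "new":
            verdicts.append(guard.on_new_session(src, t))
        else:
            guard.on_session_end(src)
    return verdicts


if __name__ == "__main__":
    print(run_scenario())
```

The scenario is arranged so that the fourth packet is refused by the concurrency test while N is already at T1, and the sixth is refused by the rate test even though N is below T1, which is the point of keeping both thresholds: a source that opens and promptly closes sessions keeps N low yet still shows up in R.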

US Pat. No. 9,118,705

DETECTING NETWORK TRAFFIC CONTENT

Fortinet, Inc., Sunnyval...

1. A device for detecting network traffic content, the device comprising:
a memory configured for storing one or more signatures, each of the one or more signatures associated with content desired
to be detected, and defined by one or more predicates;

a processor configured to receive data associated with network traffic content, execute one or more instructions based on
the one or more signatures and the data, and determine whether the network traffic content matches the content desired to
be detected;

a compiler connected to the memory, the compiler configured to translate the one or more signatures into a machine language
and to store compiled signatures in the memory;

a network traffic content processing module, executable by the processor, to receive data associated with network traffic
content, apply instructions based on the one or more signatures and the data, and determine whether the network traffic content
matches the content desired to be detected;

a network traffic flow management module to manage flow of the network traffic, the management including redirecting the network
traffic content when the network traffic content processing module identifies network traffic content including content desired
to be detected, the redirecting including passing a copy of the network traffic content to a stack, passing at least a portion
of the network traffic content to the processor to determine whether the at least a portion of the network traffic content
contains undesirable content, signaling the stack to release the copy to the user when the processor identifies no undesirable
content, and signaling the stack to delete the copy when the processor identifies undesirable content; and

wherein the network traffic content is received and transmitted via a plurality of wire-based network ports of the device
and signatures are received via a wire-based network port of the device, the wire-based network port that receives the signatures
is a distinct wire-based port from the plurality of wire-based network ports that receive and transmit the network traffic
content, and the network traffic content is communicated over a different network than the signatures.

US Pat. No. 9,172,677

FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS

Fortinet, Inc., Sunnyval...

1. A method comprising:
providing, by a firewall interposed between an internal network and an external network, network-layer protection against
unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal
network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the
plurality of internal hosts;

providing, by the firewall, application-layer protection from the external network on behalf of the plurality of internal
hosts and supporting VoIP services without compromising internal network security by actively processing signaling protocols
associated with Voice over IP (VoIP) sessions, including

distinguishing among VoIP packets and non-VoIP packets,
understanding and parsing the VoIP packets within an operating system kernel of the firewall, and
performing content-aware NAT within the operating system kernel by changing data in headers of the VoIP packets and also changing
data contents in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications
among one or more of the plurality of internal hosts and one or more of the hosts associated with the external network;

providing a plurality of VoIP ports to an external VoIP interface of the firewall;
receiving by the external VoIP interface incoming VoIP packets each having associated therewith a user alias and an indication
regarding one of the plurality of VoIP ports;

causing each of said received multiple incoming VoIP packets to be directed to an appropriate internal host of the plurality
of internal hosts by performing by the firewall port address forwarding based on the port indication to a media gateway within
the internal network that maintains a mapping of user aliases to private addresses of the plurality of internal hosts.

US Pat. No. 9,288,183

LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES

Fortinet, Inc., Sunnyval...

1. A method comprising:
causing, by a switching device within a network, a plurality of firewall security devices within the network and operating
as part of a cluster to enter into a load balancing mode by sending one or more control messages to the plurality of firewall
security devices;

responsive to receiving, by the switching device, a heartbeat signal on a port of a plurality of ports of the switching device
from a firewall security device of the plurality of firewall security devices, including information regarding the firewall
security device and the port into a load balancing table maintained by the switching device that maps a plurality of hash
values or emulated hash values output by a load balancing function to the plurality of ports;

receiving, by the switching device, a packet from a client device associated with the network; and
forwarding, by the switching device, the packet to a firewall security device of the cluster by:
extracting a configurable number of bit values from a configurable set of bit positions within one or more of a packet type,
a source port, a destination port, a source address and a destination address of the packet,

wherein the configurable set of bit positions are not limited to being contiguous;
determining a hash value or an emulated hash value by applying the load balancing function to the configurable number of bit
values;

identifying a port of the plurality of ports to which the firewall security device is coupled based on the hash value or the
emulated hash value and the load balancing table;

transmitting the packet to the firewall security device via the identified port;
wherein the load balancing function is based on a portion, but not an entirety, of the destination address of the packet;
and

wherein the load balancing function is expressed in a form substantially as follows:
$f(x) = D_N \cdot 2^N + D_{N-1} \cdot 2^{N-1} + \ldots + D_2 \cdot 2^2 + D_1 \cdot 2^1 + D_0 \cdot 2^0$;

where $D_N$ represents a value of a particular bit position within the destination address of the packet; and

where N represents the configurable number of bit values minus 1.
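The load-balancing function above treats the extracted bits D_0 … D_N as the binary digits of a number, so f(x) is simply the integer formed by those bits, and the table maps each of its 2^(N+1) possible values to a port learned from heartbeats. The following is an added illustration of that path, not Fortinet's code or the patent's embodiment. The bit specification (four non-contiguous bits taken from the destination address only, as the claim allows), the heartbeat enrolment, the round-robin fill of the table and all packet values are assumptions.

```python
import ipaddress


def make_packet(ptype, sport, dport, saddr, daddr):
    """Constructed packet header as integer fields (addresses as 32-bit ints)."""
    return {
        "ptype": ptype, "sport": sport, "dport": dport,
        "saddr": int(ipaddress.IPv4Address(saddr)),
        "daddr": int(ipaddress.IPv4Address(daddr)),
    }


def extract_bits(packet, bit_spec):
    """Return D_0 .. D_N: the bit at each configured (field, position), in order.
    Positions need not be contiguous, as the claim states."""
    return [(packet[field] >> pos) & 1 for field, pos in bit_spec]


def lb_hash(bits):
    """f(x) = D_N*2^N + ... + D_1*2^1 + D_0*2^0, with N = len(bits) - 1."""
    return sum(d << i for i, d in enumerate(bits))


class LoadBalancingSwitch:
    """Switch-side table from hash values to the ports firewalls answer on."""

    def __init__(self, bit_spec):
        self.bit_spec = bit_spec
        self.ports = {}    # port -> firewall device id, learned from heartbeats
        self.table = {}    # hash value -> port

    def heartbeat(self, port, device_id):
        """A heartbeat on `port` enrols that firewall; the table is rebuilt so
        every possible hash value maps to some enrolled port (assumed
        round-robin fill; the claim does not fix the fill order)."""
        self.ports[port] = device_id
        ports = sorted(self.ports)
        size = 1 << len(self.bit_spec)          # 2^(N+1) possible hash values
        self.table = {h: ports[h % len(ports)] for h in range(size)}

    def forward(self, packet):
        """Return (hash value, egress port) for a client packet."""
        h = lb_hash(extract_bits(packet, self.bit_spec))
        return h, self.table[h]


# Assumed configuration: four non-contiguous bits of the destination address,
# so the function depends on a portion, not the whole, of that address.
BIT_SPEC = [("daddr", 0), ("daddr", 3), ("daddr", 7), ("daddr", 12)]


def run_demo():
    """Enrol three constructed firewalls and forward packets to four destinations."""
    sw = LoadBalancingSwitch(BIT_SPEC)
    for port, dev in ((1, "fw-a"), (2, "fw-b"), (3, "fw-c")):   # constructed
        sw.heartbeat(port, dev)
    dests = ["10.0.0.5", "10.0.0.10", "10.0.0.137", "10.0.16.0"]  # constructed
    return [sw.forward(make_packet(6, 40000, 443, "192.0.2.1", d)) for d in dests]


if __name__ == "__main__":
    print(run_demo())
```

Because only destination-address bits feed the function, every packet for one destination lands on the same firewall regardless of source or port, which is what keeps a stateful firewall cluster seeing both directions of a flow consistently; choosing bit positions that actually vary across the protected address range is what spreads the load.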

US Pat. No. 9,240,890

COMPUTERIZED SYSTEM AND METHOD FOR DEPLOYMENT OF MANAGEMENT TUNNELS

Fortinet, Inc., Sunnyval...

1. A system comprising:
a plurality of network devices, including one or more peer managed devices and one or more management devices, deployed within
a network;

wherein the plurality of network devices are pre-configured to form a web of trust by storing within each network device of
the plurality of network devices (i) a digital certificate signed by a manufacturer or a distributor of the network device
and (ii) a unique identifier of the network device, the unique identifier individually identifying each of the one or more
peer managed devices and each of the one or more management devices;

wherein the web of trust includes a trusted peer managed device that is trusted by a peer managed device of the one or more
peer managed devices;

wherein the peer managed device is configured to broadcast a message to the trusted peer managed device to retrieve an address
of a management device of the one or more management devices from an external source;

wherein the peer managed device is further configured to establish a management tunnel with the management device based on
the address of the management device received from the external source;

wherein the peer managed device further comprises a conflict resolution algorithm for determining the address of the management
device when multiple replies to the broadcast message are received; and

wherein, prior to allowing the management device to use the management tunnel to perform management functionality in relation
to the peer managed device, the peer managed device is configured to verify credentials of the management device by causing
the unique identifier of the management device to be confirmed with reference to a pre-configured identifier of an authorized
management device stored within the peer managed device.

US Pat. No. 9,130,989

SECURING EMAIL COMMUNICATIONS

Fortinet, Inc., Sunnyval...

1. A method for securing electronic mail (email) communications comprising:
receiving, by a network device, an outbound email originated by a computing device of an internal network and directed to
a target recipient;

determining, by the network device, whether a domain name of the target recipient is present in a global doppelganger database;
when the domain name is determined to be present in the global doppelganger database, preventing transmission of the outbound
email to the target recipient if the domain name is an unacceptable domain name and transmitting the outbound email to the
target recipient if the domain name is an acceptable domain name.

US Pat. No. 9,083,652

CROWD BASED CONTENT DELIVERY

Fortinet, Inc., Sunnyval...

1. A method for managing content delivery within a network, comprising:
receiving, at a resource manager computer system coupled to the network and configured to facilitate servicing of requests
for a content item published by a node of the network registered with the resource manager computer system as a resource consumer,
a specification of a resource consumer policy for servicing requests for the content item;

receiving at the resource manager computer system a specification from a node of the network registered with the resource
manager computer system as a resource provider of a resource provider policy for using a content delivery service available
at the resource provider;

determining using a processor of the resource manager computer system that the resource consumer policy for servicing requests
for the content item and the resource provider policy for using the available content delivery service are compatible;

selecting, by the resource manager computer system, the resource provider to service at least a subset of requests for the
content item;

facilitating caching of the content item at the resource provider; and
redirecting, by a content redirect action of a communication protocol supported by the network, a received client request
for the content item to the resource provider for servicing, wherein the resource provider is configured to service the client
request by providing the content item to the requesting client.

US Pat. No. 9,325,526

MECHANISM FOR ENABLING LAYER TWO HOST ADDRESSES TO BE SHIELDED FROM THE SWITCHES IN A NETWORK

Fortinet, Inc., Sunnyval...

1. A method performed by a border component interposed between a network of switches and a plurality of local hosts, the method
comprising:
receiving, by the border component from a first local host of the plurality of local hosts, a first packet destined for a
first destination host, wherein the first local host has a first layer 2 (L2) address and a first layer 3 (L3) address associated
therewith, and wherein the first packet includes the first L2 address as a source L2 address for the first packet, and includes
the first L3 address as a source L3 address for the first packet;

shielding, by the border component, the first L2 address from the network of switches by replacing the source L2 address for
the first packet with a substitute L2 address that is shared by the plurality of local hosts; and

sending, by the border component, the first packet to the network of switches.

US Pat. No. 9,319,417

DATA LEAK PROTECTION

Fortinet, Inc., Sunnyval...

1. A data leak protection method comprising:
receiving, by a network filtering device, via a graphical user interface (GUI) of the network filtering device, information
regarding a watermark filtering rule, including a plurality of filtering parameters, including a file size threshold, an indication
regarding one or more file types and a sensitivity level, and an action to be taken by the network filtering device when files
observed by the network filtering device satisfy the plurality of filtering parameters of the watermark filtering rule;

scanning, by the network filtering device, a file attempted to be passed through the network filtering device, by locating
a watermark embedded within the file and identifying a file type and a size of the file;

comparing (i) a sensitivity level associated with the watermark to the sensitivity level of the watermark filtering rule;
(ii) the identified file size to the file size threshold of the watermark filtering rule; and (iii) the identified file type
to the indication regarding one or more file types of the watermark filtering rule, wherein the sensitivity level is selected
from a group comprising critical sensitivity, high sensitivity, medium sensitivity and low sensitivity; and

if the comparing results in a determination that all of the plurality of filtering parameters are satisfied by the file and
the watermark embedded therein, then performing, by the network filtering device, the action specified by the watermark filtering
rule.

US Pat. No. 9,253,155

COMPUTERIZED SYSTEM AND METHOD FOR ADVANCED NETWORK CONTENT PROCESSING

Fortinet, Inc., Sunnyval...

1. A computer-implemented method comprising:
receiving a plurality of packets at a first interface of a firewall device;
identifying, by the firewall device, a first transmission protocol according to which network content distributed among a
first subset of packets of the plurality of packets is formatted;

redirecting, by the firewall device, the first subset of packets to a first proxy module executing on the firewall device
based on the identified first transmission protocol;

extracting the network content from the first subset of packets and buffering at least a portion of the network content by
the first proxy module;

processing, by the first proxy module, the buffered portion of the network content in accordance with at least one content
processing rule selected from a plurality of content processing rules based on the identified first transmission protocol,
wherein the plurality of content processing rules includes one or more content filtering rules;

identifying, by the firewall device, a second transmission protocol, distinct from the first transmission protocol, according
to which network content distributed among a second subset of packets of the plurality of packets is formatted; and

redirecting, by the firewall device, the second subset of packets to a second proxy module executing on the firewall device
based on the identified second transmission protocol.

US Pat. No. 9,118,719

METHOD, APPARATUS, SIGNALS, AND MEDIUM FOR MANAGING TRANSFER OF DATA IN A DATA NETWORK

Fortinet, Inc., Sunnyval...

1. An apparatus for managing a transfer of data in a data network, the apparatus comprising:
a session identifier operably configured to identify data associated with a communication session between a first node and
a second node in the data network, the identifying of data associated with the communication session including:

performing signature analysis on an initial portion of the data associated with the communication session to identify further
processing to apply to data of the communication session, the further processing identifying at least one data processing
action to be performed with regard to data of the communication session;

storing an identifier of the communication session in association with an identifier of the identified further processing;
processing subsequently received data of the communication session according to the identified further processing; and
prior to and until identifying the further processing, permitting data associated with the communication session to pass between
the first node and the second node;

a session controller having an input for receiving a control signal indicating whether said communication session meets a
criterion, said session controller responsive to said control signal to produce a signal to indicate whether or not said communication
session should be permitted to continue or should be subjected to further processing, the session controller permitting said
communication session to continue without further processing when the control signal indicates the communication session does
not meet the criterion; and

a further processing module operably configured to perform said further processing as identified through performance of the
signature analysis on the initial portion of data associated with the communication session and subsequently received data
of the communication session, said further processing module including:

a third node operably configured to divide said communication session into a first communication session between the first
node and said third node and a second communication session between said third node and said second node, said third node
acting as a proxy node; and

altering data of the communication session prior to transmitting the data to at least one of the first and second nodes within
the first and second communication sessions, respectively.

US Pat. No. 9,100,319

CONTEXT-AWARE PATTERN MATCHING ACCELERATOR

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a network interface of a network device, a packet stream;
identifying one or more packets within the packet stream that satisfy one or more conditions of a plurality of predefined
conditions specified by a rule by pre-matching, by an acceleration device of the network device, the packet stream with the
plurality of predefined conditions;

identifying, by the acceleration device, for a full-match processing stage a candidate packet of the one or more packets that
satisfies all of the plurality of predefined conditions by correlating the one or more satisfied conditions of the candidate
packet;

generating, by the acceleration device, for use by the full-match processing stage a matching token and a corresponding location
of the matching token within the candidate packet for each of the plurality of predefined conditions; and

determining, by a context-aware pattern matching and parsing (CPMP) processor of the acceleration device, whether the candidate
packet meets the rule by performing the full-match processing stage including fetching and executing special purpose CPMP
instructions to perform context-aware pattern matching processing on the packet, wherein the context-aware pattern matching
processing includes one or more of string matching, regular expression matching and packet field value matching based on,
for each of the plurality of predefined conditions, corresponding contextual information provided by the rule, the matching
token and the corresponding location.

US Pat. No. 9,324,081

NETWORK ADVERTISING SYSTEM

Fortinet, Inc., Sunnyval...

1. A method of transmitting unsolicited content to a client comprising:
detecting, at an insertion server associated with an Internet Service Provider (ISP), an active communication protocol connection
between the client and a destination by examining packets, by the insertion server, as they pass through the ISP and pass
by the insertion server and observing, by the insertion server, a transport communication protocol request from the client
to the destination; and

responsive to detecting the active communication protocol connection,
negating the transport communication protocol request, by the insertion server, by causing a canceling message to be sent
to the destination;

selecting unsolicited content to be delivered to the client; and
sending the unsolicited content to the client.

US Pat. No. 9,197,521

CLOUD BASED LOGGING SERVICE

Fortinet, Inc., Sunnyval...

1. A network security gateway appliance for managing access to a cloud-based logging service, the network security gateway
appliance comprising:
one or more processors;
a communication interface device;
one or more internal data storage devices operatively coupled to the one or more processors and storing:
a cloud-based logging service settings module configured to make the cloud-based logging service accessible to an administrator
of the network security gateway appliance via an interface of the network security gateway appliance by integrating and customizing
the cloud-based logging service within the network security gateway appliance, including registering a user account for the
network security gateway appliance with the cloud-based logging service;

a cloud-based logging service access module configured to receive, via the interface, a request to access the cloud-based
logging service from the administrator, wherein the cloud-based logging service access module is further configured to analyze
the request and retrieve and process logs from the cloud-based logging service, wherein the cloud-based logging service access
module is configured to access a basic level of service of the cloud-based logging service without requiring separate registration
of the administrator with the cloud-based logging service; and

an output module configured to receive the processed logs at the network security gateway appliance and output the processed
logs to the administrator.

US Pat. No. 9,319,490

VIRTUAL MEMORY PROTOCOL SEGMENTATION OFFLOADING

Fortinet, Inc., Sunnyval...

1. A method of performing segmentation offloading, the method comprising:
fetching, by an interface of a computer system, payload data originated by a user process running on a host processor of the
computer system by performing direct virtual memory addressing of a user memory space of a system memory of the computer system
on behalf of a network processor of the computer system, wherein said direct virtual memory addressing maps a physical address
of the payload data to a virtual address;

segmenting, by the network processor, the payload data across one or more packets, wherein said segmenting comprises creating
one or more Transmission Control Protocol (TCP) packets by performing TCP segmentation; and

storing a buffer descriptor in the system memory, the buffer descriptor containing (i) information indicative of a starting
address of a payload buffer in the system memory containing at least a portion of the payload data and (ii) information indicative
of whether the starting address is virtual or physical.

US Pat. No. 9,258,280

TUNNEL INTERFACE FOR SECURING TRAFFIC OVER A NETWORK

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a service management system (SMS) of a managed security service provider, a request to establish an Internet
Protocol (IP) connection between a first location of the managed security service provider and a second location of the managed
security service provider; and

establishing, by the SMS, a tunnel between a first service processing switch of the managed security service provider and
a second service processing switch of the managed security service provider coupled in communication with the first service
processing switch through a public network by

associating a first packet routing node within the first service processing switch with the first location;
associating a second packet routing node within the second service processing switch with the second location;
binding an encryption configuration decision associated with the request with a routing configuration of the first packet
routing node, by, when the request is to establish a secure IP connection, configuring the first packet routing node (i)
to cause all packets transmitted from the first location to the second location to be encrypted prior to transmission through
the public network by inserting an encryption node of the first service processing switch into a first path between the first
location and the second location and (ii) to cause all packets received from the second location to be decrypted after transmission
through the public network by inserting a decryption node of the first service processing switch into a second path between
the second location and the first location; and

binding the encryption configuration decision with a routing configuration of the second packet routing node, by, when the
request is to establish a secure IP connection, configuring the second packet routing node (i) to cause all packets transmitted
from the second location to the first location to be encrypted prior to transmission through the public network by inserting
an encryption node of the second service processing switch into the second path and (ii) to cause all packets received from
the first location to be decrypted after transmission through the public network by inserting a decryption node of the second
service processing switch into the first path.

US Pat. No. 9,124,555

TUNNEL INTERFACE FOR SECURING TRAFFIC OVER A NETWORK

Fortinet, Inc., Sunnyval...

1. A method comprising:
providing, within each of a plurality of service processing switches of a service provider, a plurality of virtual routers
(VRs), wherein each VR of the plurality of VRs is supported by an object group and each object of the object group supports
a network service;

assigning one or more VRs of the plurality of VRs to a subscriber of a plurality of subscribers of the service provider;
providing customized network services to the subscriber by the one or more VRs assigned to the subscriber;
receiving, by a service management system (SMS) of the service provider, a request to establish an Internet Protocol (IP)
connection between a first location of the subscriber and a second location of the subscriber; and

establishing a tunnel between a first service processing switch of the plurality of service processing switches and a second
service processing switch of the plurality of service processing switches coupled in communication with the first service
processing switch through a public network, including:

binding an encryption configuration decision associated with the request with a routing configuration of a first packet routing
node of the first service processing switch, by, when the request is to establish a secure IP connection, configuring the
first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted
prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted
after transmission through the public network; and

binding the encryption configuration decision with a routing configuration of a second packet routing node of the second service
processing switch, by, when the request is to establish a secure IP connection, configuring the second packet routing node
(i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission
through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission
through the public network.

US Pat. No. 9,219,748

VIRUS CO-PROCESSOR INSTRUCTIONS AND METHODS FOR USING SUCH

Fortinet, Inc., Sunnyval...

1. A method comprising:
downloading, by a general purpose processor of a network security appliance, a virus signature file that includes a plurality
of virus signatures capable of detecting and identifying a variety of known viruses;

determining, by the general purpose processor, whether a virus co-processor is coupled to the general purpose processor;
when the virus co-processor is determined to be coupled to the general purpose processor, then determining, by the general
purpose processor, which virus signatures of the plurality of virus signatures are supported by the virus co-processor (“CP-supported
virus signatures”);

causing to be transferred, by the general purpose processor, the CP-supported virus signatures to a memory associated with
the virus co-processor;

directing, by the general purpose processor, the virus co-processor to perform a virus scan based on the supported virus signatures.

US Pat. No. 9,319,384

FILTERING HIDDEN DATA EMBEDDED IN MEDIA FILES

Fortinet, Inc., Sunnyval...

1. A method comprising:
capturing, by a network security appliance, network traffic;
extracting, by the network security appliance, a media file from the network traffic;
determining, by the network security appliance, presence of a hidden data item embedded in the media file encoded within a
barcode;

when said determining is affirmative, then:
identifying existence of a Uniform Resource Locator (URL) within the hidden data item by decoding the hidden data item by
a decoding module of the network security appliance implementing a barcode reader supporting multiple barcode formats;

when said identifying is affirmative, then determining whether the URL is associated with malicious activities or is associated
with or redirects to a website blocked by a security policy of the network appliance, referred to as a Malware URL, by applying
a website filter to the URL by a content inspection engine of the network security appliance; and

when the website filter determines the URL to be a Malware URL, then protecting the intended recipient of the network traffic
against the Malware URL by blocking transmission of the media file to the intended recipient by the network security appliance.

US Pat. No. 9,078,137

MOBILE HOTSPOT MANAGED BY ACCESS CONTROLLER

Fortinet, Inc., Sunnyval...

1. A method comprising:
establishing, by a mobile hotspot, a wide area network (WAN) connection through a wireless WAN module;
determining, by the mobile hotspot, which one of the first AP profile and a second AP profile of the mobile hotspot is to
be used for establishing a wireless local area network (WLAN) connection with a wireless fidelity (WiFi)-enabled device, wherein
the first AP profile is the same as an AP profile for APs that are controlled by an access controller (AC);

establishing, by the mobile hotspot, the WLAN connection with the WiFi-enabled device using the determined AP profile;
receiving, by the mobile hotspot, WLAN traffic from the WiFi-enabled device through the WLAN connection;
when the determined AP profile is the first AP profile:
setting up, by the mobile hotspot, a security tunnel with the AC through the WAN connection; and
transmitting, by the mobile hotspot, the WLAN traffic to the AC through the security tunnel; and
when the determined AP profile is the second AP profile, transmitting the WLAN traffic from the WiFi-enabled device through
the WAN connection of the mobile hotspot without having to set up the security tunnel.

US Pat. No. 9,075,984

SECURE SYSTEM FOR ALLOWING THE EXECUTION OF AUTHORIZED COMPUTER PROGRAM CODE

Fortinet, Inc., Sunnyval...

1. A method comprising:
intercepting, by a kernel mode driver of a computer system, file system or operating system activity relating to a code module;
selectively authorizing, by the kernel mode driver, the code module by authenticating a content authenticator of the code
module with reference to a multi-level whitelist, the multi-level whitelist comprising (i) a global whitelist database remote
from the computer system, the global whitelist database containing content authenticators of approved code modules that are
known not to contain viruses or malicious code and (ii) a local whitelist database containing content authenticators of at
least a subset of the approved code modules;

allowing the file system or operating system activity relating to the code module when the content authenticator matches one
of the content authenticators of approved code modules within the multi-level whitelist; and

blocking the file system or operating system activity relating to the code module when the content authenticator does not
match any of the content authenticators of approved code modules within the multi-level whitelist.

US Pat. No. 9,185,050

HETEROGENEOUS MEDIA PACKET BRIDGING

Fortinet, Inc., Sunnyval...

1. A network-computing device comprising:
a plurality of network interfaces (netmods), including a first set of netmods operable to receive network packets encapsulated
within a first plurality of media transmissions each having a first framing media format of a plurality of framing media formats
and a second set of netmods operable to transmit network packets encapsulated within a second plurality of media transmissions
each having a second framing media format of the plurality of framing media formats;

a plurality of processing resources coupled to the plurality of netmods and shared by the plurality of netmods, including
a first processing resource upon which a virtual bridging application executes, the virtual bridging application representing
a single bridging domain for all network packets received by the network-computing device;

a non-transitory memory, accessible to the first processing resource, having stored therein one or more translation data structures
defining translations between the first framing media format and an intermediate format and between the intermediate format
and the second framing media format;

a switching fabric, coupled to the plurality of netmods, forwarding the network packets received from the first set of netmods
to one or more of the plurality of processing resources;

wherein responsive to receiving a network packet, the first set of netmods pass the network packet to the virtual bridging
application through the switching fabric;

the virtual bridging application determines a relay location to which the network packet is to be relayed and whether the
relay location is among the second set of netmods, which are associated with a disparate framing media format and a disparate
media channel than that of the first set of netmods; and

responsive to an affirmative determination that the relay location is among the second set of netmods, the virtual bridging
application uses the one or more translation data structures to translate the network packet to the second framing media format
before relaying the network packet to the relay location.

US Pat. No. 9,143,492

SOFT TOKEN SYSTEM

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving and installing, by a mobile device of a user of a secure network resource, a soft token application;
programmatically obtaining from the mobile device, by the soft token application, a unique device ID of the mobile device
that uniquely identifies the mobile device;

requesting, by the soft token application via an Internet Protocol (IP)-based network, a seed from a provisioning server coupled
to the IP-based network, wherein the seed is for generating a One-Time Password (OTP) for accessing the secure network resource;

receiving, by the mobile device, the seed via a first out-of-band channel in encrypted form based on a secret key, the unique
device ID and a hardcoded-pre-shared key;

decrypting, by the soft token application, the received encrypted seed and installing the seed within the soft token application;
generating, by the soft token application, the OTP based on the seed; and
binding, by the soft token application, the OTP to the mobile device by encrypting the seed with the unique device ID and
the hardcoded pre-shared key.

US Pat. No. 9,143,526

CONTENT FILTERING OF REMOTE FILE-SYSTEM ACCESS PROTOCOLS

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, at a network device, logically interposed between one or more clients and a server, a remote file-system access
protocol response from the server, the remote file-system access protocol response representing a response to a remote file-system
access protocol request relating to a file associated with a share of the server sent from a client of the one or more clients;

when the remote file-system access protocol request represents a request to access the file, then determining, by the network
device, whether a holding buffer exists on the network device corresponding to the file;

when a result of said determining is negative, then creating, by the network device, the holding buffer on the network device;
when the result of said determining is affirmative, then using, by the network device, the holding buffer for any of the one
or more clients or processes running on the one or more clients that access the file;

buffering, by the network device, into the holding buffer data being read from or written to the file as a result of the remote
file-system access protocol request; and

determining, by the network device, the existence or non-existence of malicious, dangerous or unauthorized content contained
within the holding buffer by performing content filtering on the holding buffer.

US Pat. No. 9,326,144

RESTRICTING BROADCAST AND MULTICAST TRAFFIC IN A WIRELESS NETWORK TO A VLAN

Fortinet, Inc., Sunnyval...

1. A computer-implemented method, in an access point of a wireless network, for restricting broadcast traffic to a VLAN, comprising
the steps of:
associating a plurality of stations with a BSSID (basic service set identifier);
receiving a list of members of a first VLAN;
configuring the first VLAN by sending a first group key to each station from the plurality of stations that is a member of
the first VLAN, wherein each VLAN is associated with a unique group key sent to stations of each VLAN using the IEEE 802.1X
protocol, and wherein the unique group key decrypts frames sent by the access point for decryption only by the plurality of
stations in the specific group and the unique group key also decrypts general, non-VLAN frames sent by the access point for
decryption by any of the plurality of stations;

receiving one or more frames addressed to the first VLAN at either a broadcast port or a multicast port of the access point;
encrypting the one or more frames with the first group key to prevent stations without the first group key from being able
to decrypt the one or more frames, wherein the plurality of stations process successfully decrypted frames and ignore frames
that are not successfully decrypted;

configuring a second VLAN by sending a second group key to each station from the plurality of stations that is a member of
the second VLAN;

receiving one or more frames addressed to the second VLAN;
encrypting the one or more frames with the second group key to prevent stations without the second group key from being able
to decrypt the one or more frames; and

broadcasting the one or more encrypted VLAN frames for a specific VLAN to the plurality of stations associated with the BSSID,
wherein at least one station from the first VLAN is handed off to a different access point while retaining membership in the
first VLAN.

US Pat. No. 9,231,968

SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS

Fortinet, Inc., Sunnyval...

1. A network gateway device comprising:
at least one processor;
at least one memory device;
at least one network interface device;
content detection and configuration data stored on the at least one memory device; and
an instruction set, stored in the at least one memory device and executable by the at least one processor to:
receive network traffic via the at least one network interface device;
process the received network traffic in view of the content detection and configuration data stored in the at least one memory
device to enforce policies defined at least in part by the content detection and configuration data and including at least
one policy that defines a suspicious category of network traffic, the policy enforcement performed to determine whether to
allow the received network traffic to pass, the policy enforcement including user identification, content identification,
and at least one of source verification and destination verification, wherein when network traffic is determined to violate
the at least one policy defining suspicious network traffic, forwarding the network traffic to an analysis process that will
perform analysis on network traffic to determine whether the network traffic contains a threat desired to be detected and,
when the network traffic is determined to contain a threat desired to be detected, the analysis process generates additional
content detection data to detect the threat in subsequently received network traffic;

receive, via the network interface device, the additional content detection data indirectly from the analysis process via
an update station;

store the additional content detection data on the at least one memory device;
process subsequently received network traffic in view of the additional content detection data;
block network traffic determined to violate at least one policy; and
allow network traffic to pass that does not violate a policy.

US Pat. No. 9,276,955

HARDWARE-LOGIC BASED FLOW COLLECTOR FOR DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK MITIGATION

Fortinet, Inc., Sunnyval...

1. A system for mitigating rate-based distributed denial of service (DDoS) attacks, the system comprising:
a flow controller; and
a hardware module coupled to the flow controller via a host interface, including:
a flow packet interface through which flow statistics packets are received from one or more routers within a network;
a packet interface, coupled to the flow packet interface, configured to receive and buffer the flow statistics packets;
a packet processing module, coupled to the packet interface, configured to (i) determine a DDoS attack status of at least
one monitored destination coupled to or within the network based on information regarding the flow statistics packets, (ii)
parse the flow statistics packets, (iii) derive a plurality of granular traffic rates and (iv) determine the DoS attack status
of the at least one monitored destination based on the derived granular traffic rates and associated thresholds;

wherein the packet processing module comprises:
a layer 2 classifier module that is configured to parse the flow statistics packets at layer 2 and validate Ethernet frames;
a layer 3 classifier module that is configured to parse the flow statistics packets at layer 3 and validate Internet Protocol
(IP) version 4 (IPv4) and IP version 6 (IPv6) packets,

a layer 4 classifier module that is configured to parse the flow statistics packets at layer 3 and validate Transmission Control
Protocol (TCP) and User Datagram Protocol (UDP) packets;

a layer 7 classifier module that is configured to parse the flow statistics packets at layer 7 and validate protocol data
units associated with one or more flow statistics protocols;

wherein a rate anomaly meter module within the layer 3 rate anomaly module, the layer 4 rate anomaly module and the layer
7 rate anomaly module further comprises a metering module configured to derive relevant fields from the layer 3 classifier
module, the layer 4 classifier module and the layer 7 classifier module, respectively, and increment and calculate the layer
3 granular rates, the layer 4 granular rates and the layer 7 granular rates, respectively, and enforce the layer 3 granular
rates, the layer 4 granular rates and the layer 7 granular rates, respectively, using a combination of a meter and an ager;

wherein the host interface is configured to interrupt the flow controller when it is determined by the packet processing module
that the at least one monitored destination is under attack;

wherein, responsive to the interrupt, the flow controller informs a route reflector within the network of the DDoS attack
status; and

wherein the route reflector is configured to divert traffic destined for the monitored destination to a DDoS attack mitigation
appliance within the network.

US Pat. No. 9,167,016

SCALABLE IP-SERVICES ENABLED MULTICAST FORWARDING WITH EFFICIENT RESOURCE UTILIZATION

Fortinet, Inc., Sunnyval...

1. A method of managing multicast Internet Protocol (IP) sessions, the method comprising:
identifying, by a network device, active multicast IP sessions; and
maintaining, by the network device, a data structure within a memory of the network device containing therein information
regarding the active multicast IP sessions;

wherein the data structure includes:
a plurality of pairs of a source field and a group field ({S, G} pairs), in which each pair of the plurality of {S, G} pairs
defines a multicast IP session of the active multicast IP sessions, wherein the source field defines a source of a multicast
transmission of the multicast IP session and the group field defines a group corresponding to the multicast IP session;

a first value associated with each of the plurality of {S, G} pairs that is indicative of a dynamically allocated set of outbound
interface (OIF) blocks, wherein a number of OIF blocks in the dynamically allocated set of OIF blocks is dependent upon a number
of OIFs of the network device that are participating in the IP multicast session and the number of OIF blocks in the dynamically
allocated set of OIF blocks defines a number of times packets of the IP multicast session are to be replicated;

a set of slots for each OIF block of the set of dynamically allocated OIF blocks, each slot of the set of slots having stored
therein a second value indicative of a transmit control block (TCB) data structure which services one or more users participating
in the IP multicast session and which has stored therein control information to process or route packets of the IP multicast
session, including information regarding an OIF of the network device through which the packets are to be transmitted;

a third value associated with each OIF block of the set of dynamically allocated OIF blocks that links together the set of
dynamically allocated OIF blocks and facilitates dynamic addition or removal of OIF blocks to or from the set of dynamically
allocated OIF blocks responsive to users joining or leaving the IP multicast session.

US Pat. No. 9,246,927

DATA LEAK PROTECTION

Fortinet, Inc., Sunnyval...

1. A data leak protection method comprising:
receiving, by a network device, information regarding a watermark filtering rule, including a sensitivity level and an action
to be applied to files observed by the network device matching the watermark filtering rule;

receiving, by the network device, a file attempted to be passed through the network device;
detecting, by the network device, a watermark embedded within the received file;
comparing, by the network device, a sensitivity level associated with the watermark to the sensitivity level of the watermark
filtering rule after the watermark is detected; and

if the comparing results in a match, then performing, by the network device, the action specified by the watermark filtering
rule.

US Pat. No. 9,294,286

COMPUTERIZED SYSTEM AND METHOD FOR DEPLOYMENT OF MANAGEMENT TUNNELS

Fortinet, Inc., Sunnyval...

1. A system comprising:
a plurality of network hardware devices, including one or more peer managed hardware devices and one or more management hardware
devices, deployed within a network;

wherein the plurality of network hardware devices are pre-configured, by a manufacturer or a distributor of the plurality
of network hardware devices prior to being installed within the network, to form a web of trust by storing within each network
hardware device of the plurality of network hardware devices (i) a digital certificate signed by the manufacturer or the distributor
and (ii) a unique identifier of the network hardware device, the unique identifier individually identifying each of the one
or more peer managed hardware devices and each of the one or more management hardware devices;

wherein a peer managed hardware device of the one or more peer managed hardware devices is configured to establish a management
tunnel with a management hardware device of the one or more management hardware devices based on an address of the management
hardware device received from a trusted peer managed hardware device of the one or more peer managed hardware devices; and

wherein, prior to allowing the management hardware device to use the management tunnel to perform management functionality
in relation to the peer managed hardware device, the peer managed hardware device is configured to verify credentials of the
management hardware device by causing the unique identifier of the management hardware device to be confirmed with reference
to a pre-configured identifier of an authorized management hardware device stored within the peer managed hardware device.

US Pat. No. 9,294,494

CLOUD BASED LOGGING SERVICE

Fortinet, Inc., Sunnyval...

1. A network security appliance comprising:
one or more processors; and
one or more internal data storage devices operatively coupled to the one or more processors and having stored therein:
a cloud-based logging service settings module including instructions, which when executed by the one or more processors, facilitate
accessibility to a cloud-based logging service by an administrator of the network security appliance via a graphical user
interface (GUI) presented by the network security appliance by integrating and customizing the cloud-based logging service
within the network security appliance, including registering a user account for the network security appliance with the cloud-based
logging service;

a cloud-based logging service access module, providing a basic level of access to the cloud-based logging service without
requiring separate registration of the administrator with the cloud-based logging service, the cloud-based logging service
including instructions, which when executed by the one or more processors:

receive, via the GUI, a request to access the cloud-based logging service from the administrator;
responsive to the request, cause one or more logs created by the network security appliance containing information regarding
events or traffic observed by the network security appliance within a network protected by the network security appliance
to be retrieved from the cloud-based logging service; and

an output module, including instructions, which when executed by the one or more processors:
receive the retrieved one or more logs at the network security appliance; and
display the retrieved one or more logs to the administrator via the GUI.

US Pat. No. 9,237,132

LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a session-aware switching device, for each of a plurality of ports of the session-aware switching device,
session data including a plurality of session entries each of which represent a previously established traffic session by
the session-aware switching device from a particular source device to a particular destination device and each of which form
an association between the previously established traffic session and a particular firewall security device of a plurality
of firewall security devices associated with the session-aware switching device, wherein the plurality of session entries
contain information regarding a source Internet Protocol (IP) address, a destination IP address, a protocol field, a source
port number, a destination port number and a Virtual Local Area Network identifier (VLAN ID) and wherein the plurality of
firewall security devices are categorized into one or more service groups by associating each of the plurality of firewall
security devices with a particular VLAN ID;

responsive to receiving, at a first port of the plurality of ports of the session-aware switching device, a Transmission Control
Protocol (TCP) SYN packet of a forward traffic session from a source device directed to a target device:

reducing vulnerability of the session-aware switching device to a denial of service (DoS) attack, by the session-aware switching
device, by foregoing installation of a forward session entry for the forward traffic session within the session data for the
first port;

selecting, by the session-aware switching device, a firewall security device from among the plurality of firewall security
devices to associate with the forward traffic session and a corresponding reverse traffic session from the target device to
the source device by performing a load balancing function on at least a portion of the TCP SYN packet;

based on a result of the load balancing function, assigning a Virtual Local Area Network (VLAN) tag to the TCP SYN packet
corresponding to the particular VLAN ID with which the selected firewall security device is associated; and

causing the TCP SYN packet to be processed by the selected firewall security device;
responsive to receipt from the selected firewall security device the processed TCP SYN packet on a second port of the session-aware
switching device, installing, by the session-aware switching device, a reverse session entry for the corresponding reverse
traffic session within the session data for the second port with the target device identified as the particular source device
and with the source device identified as the particular destination device; and

responsive to receipt from the selected firewall security device a processed TCP SYN/ACK packet associated with the corresponding
reverse traffic session on the first port of the session-aware switching device, installing, by the session-aware switching
device, the forward session entry for the forward traffic session within the session data for the first port with the target
device identified as the particular destination device and with the source device identified as the particular source device.

US Pat. No. 9,049,173

CLOUD BASED LOGGING SERVICE

Fortinet, Inc., Sunnyval...

1. A system for managing access to a cloud-based logging service through a network security gateway appliance comprising:
one or more processors;
a communication interface device;
one or more internal data storage devices operatively coupled to the one or more processors and storing:
a cloud-based logging service settings module configured to make the cloud-based logging service accessible to an administrator
of the network security gateway appliance via an interface of the network security gateway appliance by integrating and customizing
the cloud-based logging service within the network security gateway appliance, the integrating and customizing including creating
an account within the cloud-based logging service by registering the network security gateway appliance itself as a user of
the cloud-based logging service in order to allow the network security gateway appliance access to the cloud-based logging
service;

a cloud-based logging service access module configured to receive, via the interface, a request to access the cloud-based
logging service from the administrator, wherein the cloud-based logging service access module is further configured to analyze
the request and retrieve logs from the cloud-based logging service for processing, wherein registration of the network security
gateway appliance with the cloud-based logging service allows the administrator to access the cloud-based logging service
via the interface without separately registering with the cloud-based logging service; and

an output module configured to receive processed logs at the network security gateway appliance and output the processed logs
to the administrator.

US Pat. No. 9,225,683

INTEGRATED SECURITY SWITCH

Fortinet, Inc., Sunnyval...

1. A method for managing connectivity and security among networks, the method comprising:
providing a security module in connection with a first switch module via a first dedicated network traffic data interconnection
and a second switch module via a second dedicated network traffic data interconnection;

managing the first switch module via a first management path dedicated between the security module and the first switching
module;

managing the second switch module via a second management path dedicated between the security module and the second switching
module;

a unified interface for managing the first and second switch modules via the first and second management paths;
enabling network traffic via the first dedicated network traffic data interconnection between the first switch module function
and the security module, the traffic being a flow between a first network and a second network;

enabling network traffic via the second dedicated network traffic data interconnection between the second switch module function
and the security module, the traffic being a flow between the first network and a third network; and

wherein the first and second management paths are distinct from one another and distinct from the first and second dedicated
network traffic interconnections and each of the first and second management paths and the first and second dedicated network
traffic interconnections are physical paths and interconnections, respectively.

US Pat. No. 9,264,509

DIRECT CACHE ACCESS FOR NETWORK INPUT/OUTPUT DEVICES

Fortinet, Inc., Sunnyval...

1. A method comprising:
defining, by a network Input/Output (I/O) device of a network security device, a direct cache access (DCA) control for an
I/O device queue that corresponds to a central processing unit (CPU) of a host processor of the network security device based
on a type of network security functionality performed by the CPU, wherein the DCA control indicates a part of an incoming
packet that is to be copied to a cache of the CPU to facilitate efficient performance of the network security functionality
by the CPU;

parsing, by the network I/O device, the incoming packet based on one or more of packet analysis, packet protocol, header format,
and payload data information;

transferring, from the I/O device queue, the parsed incoming packet to a host queue of a host memory of the network security
device, wherein the host memory is operatively coupled with the host processor; and

copying, by a host controller, only the part of the parsed incoming packet to the cache of the CPU based on the DCA control.

US Pat. No. 9,141,799

OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR

Fortinet, Inc., Sunnyval...

1. A system comprising:
a system memory;
a general purpose processor, wherein the general purpose processor is communicably coupled to the system memory, and wherein
the general purpose processor is operable to store a data segment to the system memory;

an instruction memory, wherein the instruction memory includes at least one virus signature for detection of a computer virus,
the at least one virus signature comprising a first instruction of a first instruction type and a second instruction of a
second instruction type;

a virus co-processor communicably coupled to the instruction memory and the system memory, wherein the virus co-processor
is operable to access the data segment from the system memory, wherein the virus co-processor includes at least a first instruction
pipe and a second instruction pipe, wherein the first instruction pipe is operable to execute the first instruction type,
and wherein the second instruction pipe is operable to execute the second instruction type; and

wherein the first instruction pipe includes a first write back circuit, wherein the second instruction pipe includes a second
write back circuit, and wherein the first write back circuit and the second write back circuit are linked such that a write
back of a preceding instruction occurs before a write back of a succeeding instruction.

US Pat. No. 9,237,160

SYSTEMS AND METHODS FOR CATEGORIZING NETWORK TRAFFIC CONTENT

Fortinet, Inc., Sunnyval...

1. A method for categorizing network traffic content, comprising:
receiving, via a network interface device of a networked device on which the method is implemented through instructions executable
by at least one processor, network traffic content including an electronic message;

determining, through execution of instructions of an electronic message content categorization module on the at least one
processor, a first characterization of the network traffic content, the first characterization including that the electronic
message likely includes undesirable content, the determining performed according to at least one analysis technique to obtain
at least one categorization of the electronic message indicating the electronic message likely includes undesirable content,
the at least one analysis performed as a function of a database of known categorization properties of electronic message content;

determining a first probability of accuracy associated with the first characterization;
categorizing the network traffic content based at least in part on the first characterization and the first probability of
accuracy; and

storing, on a data storage device, by the electronic message content categorization module, a representation of the determination
that the electronic message likely includes undesirable content and data derived from the electronic message such that the
stored representation is available to assist in processing subsequently received electronic messages included in network traffic
content.

US Pat. No. 9,225,734

DATA LEAK PROTECTION IN UPPER LAYER PROTOCOLS

Fortinet, Inc., Sunnyval...

1. A data leak protection method comprising:
receiving, by a network security appliance, a data packet originated by a first networking device within a network protected
by the network security appliance and directed to a second networking device that is outside the network;

decoding, by the network security appliance, the data packet in accordance with an upper layer protocol through which the
data packet is being transmitted, wherein the upper layer protocol comprises domain name system (DNS) protocol, file transfer
protocol (FTP), telnet protocol or hypertext transfer protocol (HTTP);

determining, by the network security appliance, a command, request or method of the upper layer protocol that is specified
by or represented by the data packet;

when the determined command, request or method of the upper layer protocol comprises a DNS query request, an FTP command associated
with a file download, an FTP command associated with a file upload, an FTP command associated with a directory operation,
a telnet command, an authentication request or an HTTP GET method, then scanning, by the network security appliance, a field
of the command, request or method for sensitive or confidential information based on a sensor rule that is configured to detect
a particular format and type of data associated with sensitive information, wherein the sensitive or confidential information
comprises one or more of a payment card number, a personal identification number, a social security number; and

when the scanning results in a match, then performing, by the network security appliance, an action associated with the sensor
rule, wherein the sensor rule comprises a regular expression or a string match.

US Pat. No. 9,299,079

NETWORK ADVERTISING SYSTEM

Fortinet, Inc., Sunnyval...

1. A system for transmitting content to a client via the Internet, comprising:
a content server configured to store and select substitute or supplemental content;
an insertion server, associated with an Internet Service Provider (ISP), configured to (i) detect an active communication
protocol connection between a client and a destination by examining packets as they pass through the ISP and pass by the insertion
server and observing a transport communication protocol request from the client to the destination (ii) determine a policy
associated with the transport communication protocol request; (iii) selectively negate the transport communication protocol
request by causing a canceling message to be sent to the destination based on the policy and (iv) selectively send the selected
substitute or supplemental content retrieved from the content server to the client in lieu of or in addition to content requested
by the transport communication protocol request based on the policy;

a policy server configured to provide instructions to the insertion server with respect to the policy; and
wherein one or more of the content server, the insertion server and the policy server comprise a hardware server computer
system.

US Pat. No. 9,231,910

HUMAN USER VERIFICATION OF HIGH-RISK NETWORK ACCESS

Fortinet, Inc., Sunnyval...

1. A method comprising:
capturing, by an intermediary security device logically interposed between a client and a server, a request that is sent from
the client to the server;

determining, by the intermediary security device, if the request represents a high-risk network access that poses a risk to
the client, a human user of the client, a private network within which the client is operating or an entity that owns the
client;

sending, by the intermediary security device, a human user test message to the client to verify that the request was initiated
by the human user;

receiving, by the intermediary security device, a response to the human user test message;
determining, by the intermediary security device, if the response is a correct response to the human user test message;
when said determining is affirmative, then allowing, by the intermediary security device, the request to pass through the
intermediary security device and to be delivered to the server; and

wherein said determining if the request represents a high-risk network access is based on one or more of:
an outcome of an antivirus scan of a resource specified in the request that is performed by the intermediary security device;
an outcome of an intrusion detection system/intrusion protection system (IDS/IPS) scan of the request or a corresponding response
that is performed by the intermediary security device;

an outcome of a reputation-based evaluation of characteristics of an access performed by the intermediary security device;
an outcome of a cloud-based evaluation of the characteristics of the access performed by a remote computer as requested by
the intermediary security device;

an outcome of a scan based on policies and rules configured on the intermediary security device; and
an outcome of a scan based on characteristics of one or more previous access requests and user verifications.

US Pat. No. 9,154,523

POLICY-BASED SELECTION OF REMEDIATION

Fortinet, Inc., Sunnyval...

1. A computer-implemented method comprising:
receiving, by a first computer system, information regarding an operational state of a second computer system at a particular
time;

determining whether the operational state of the second computer system represents a violation of one or more security policies
that have been applied to or are active in regard to the second computer system by evaluating, by the first computer system,
the received information with respect to the one or more security policies, wherein each security policy of the one or more
security policies defines at least one parameter condition violation of which is potentially indicative of unauthorized activity
on the second computer system or manipulation of the second computer system to make the second computer system vulnerable
to attack; and

when a result of the determining is affirmative, then:
identifying, by the first computer system, a remediation that can be applied to the second computer system to address the
violation; and

causing, by the first computer system, the remediation to be deployed to the second computer system.

US Pat. No. 9,137,251

INHERITANCE BASED NETWORK MANAGEMENT

Fortinet, Inc., Sunnyval...

1. A computer-implemented method of provisioning and managing network devices comprising:
via a user interface, enabling a network manager to (i) view and control virtualization of similar physical attributes, including
different physical interfaces, of a plurality of intermediate network devices having identical function, the plurality of
intermediate network devices associated with a private computer network that are logically interposed between client systems
of the private computer network and an external computer network, (ii) enabling the network manager to set policies applicable
to virtualized interfaces and (iii) enabling the network manager to cause the plurality of intermediate network devices to
be installed on the private computer network;

virtualizing a first physical interface of a first intermediate network device of the plurality of intermediate network devices
and a second physical interface of a second intermediate network device of the plurality of intermediate network devices by
creating a virtual interface to which both the first physical interface and the second physical interface correspond;

receiving information regarding a policy applicable to the virtual interface;
responsive to said receiving information regarding a policy applicable to the virtual interface, creating or modifying a first
configuration file for the first intermediate network device while the first intermediate network device is offline and creating
or modifying a second configuration file for the second intermediate network device while the second intermediate network
device is offline, wherein one or more policies or rules contained within the first configuration file and the second configuration
file are expressed in terms of the virtual interface; and

during installation of the first intermediate network device and the second intermediate network device, resolving references
to the virtual interface in the first configuration file into the first physical interface and resolving references to the
virtual interface in the second configuration file into the second physical interface, whereby policy configurations can be
applied to various of the plurality of intermediate network devices and physical interface configurations can be resolved
upon installation.

US Pat. No. 9,141,798

OPERATION OF A DUAL INSTRUCTION PIPE VIRUS CO-PROCESSOR

Fortinet, Inc., Sunnyval...

1. A method comprising:
storing, by a general purpose processor, a content object that is to be virus processed to a system memory of the general
purpose processor;

setting up, by the general purpose processor, virus scan parameters associated with the content object;
reading, by a virus co-processor that is coupled to the general purpose processor via an interconnect bus, instructions from
a virus signature memory of the virus co-processor based on the virus scan parameters, wherein the instructions contain intermixed
op-codes of a first instruction type and op-codes of a second instruction type and wherein the op-codes of the first instruction
type are associated with primitive instructions and wherein the op-codes of the second instruction type are associated with
Content Pattern Recognition (CPR) instructions; and

assigning, by the virus co-processor, those of the instructions containing op-codes of the first instruction type to a first
instruction pipe of a plurality of instruction pipes of the virus co-processor for execution;

assigning, by the virus co-processor, those of the instructions containing op-codes of the second instruction type to a second
instruction pipe of the plurality of instruction pipes for execution;

executing, by the first instruction pipe, an instruction of the assigned instructions containing op-codes of the first instruction
type including accessing a portion of the content object from the system memory; and

determining if execution, by the second instruction pipe, of a particular instruction of the assigned instructions containing
op-codes of the second instruction type is to be delayed to assure ordered execution of the intermixed op-codes.

US Pat. No. 9,276,861

SELECTING AMONG MULTIPLE CONCURRENTLY ACTIVE PATHS THROUGH A NETWORK

Fortinet, Inc., Sunnyval...

1. In a system comprising a network, a destination node coupled to the network, a source node, and a network interface connecting
the source node with the network, wherein the network comprises a loop-free, reverse-path-learning network, and wherein the
network is divided into a plurality of virtual networks, a method performed by the network interface, comprising:
receiving from the source node a set of information that is destined for the destination node, wherein the set of information
specifies an address for the destination node or comprises information from which the address can be derived;

determining a set of virtual networks that can be used to transport the set of information from the source node to the destination
node, wherein the set of virtual networks comprises multiple virtual networks and is at least a subset of the plurality of
virtual networks, and wherein each virtual network in the set of virtual networks provides a different path through the network
from the source node to the destination node such that there are multiple selectable paths from the source node to the destination
node; and

selecting, after the address of the destination node is specified or derived, a particular virtual network from the set of
virtual networks, thereby, effectively selecting a particular path from the source node to the destination node.

US Pat. No. 9,270,639

LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES

Fortinet, Inc., Sunnyval...

1. A method for balancing load among firewall security devices in a network, the method comprising:
causing, by a switching device on the network, a plurality of firewall security devices arranged in one or more clusters on
the network to enter into a load balancing mode by sending one or more control messages to the plurality of firewall security
devices;

receiving, by the switching device, heartbeat signals from the plurality of firewall security devices;
including, by the switching device, information regarding the plurality of firewall security devices into a load balancing
table;

configuring a load balancing function in the switching device based on information received from a network administrator indicative
of (i) a number of bits to be used as an input to the load balancing function and (ii) bit positions of the number of bits
within one or more of a packet type, a source port, a destination port, a source address and a destination address of packets
to be load balanced, wherein the number of bits may be fewer than that of the source address or the destination address, wherein
the bit positions are not limited to being contiguous and wherein the load balancing function enables the switching device
to manage more than eight firewall security devices in a cluster;

receiving, by the switching device, a data packet from one or more client devices; and
forwarding, by the switching device, the data packet to a firewall security device of the plurality of firewall security devices
based on the load balancing function.

US Pat. No. 9,280,678

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
assigning to one or more users, by a gateway device, a policy for managing access to and processing a file to be stored on
one or more cloud platforms, wherein the policy defines access rights of the one or more users;

encrypting, by the gateway device, using cryptographic key information defined by the policy, content of the file to produce
a searchable encrypted file by:

dividing the file into a plurality of chunks;
creating namespaces for one or more of the plurality of chunks; and
configuring the namespaces of the one or more chunks such that content of the file is encrypted in a manner that makes it
searchable;

storing, by the gateway device, the searchable encrypted file on the one or more cloud platforms based on the policy; and
managing access to the searchable encrypted file by the one or more users based on the policy.

US Pat. No. 9,276,907

LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a session-aware switching device, for each of a plurality of ports of the session-aware switching device,
session data including a plurality of session entries each of which represent a previously established traffic session by
the session-aware switching device from a particular source device to a particular destination device and each of which form
an association between the previously established traffic session and a particular firewall security device of a plurality
of firewall security devices associated with the session-aware switching device;

responsive to receiving, at a first port of the plurality of ports of the session-aware switching device, a Transmission Control
Protocol (TCP) SYN packet of a forward traffic session from a source device directed to a target device:

reducing vulnerability of the session-aware switching device to a denial of service (DoS) attack, by the session-aware switching
device, by foregoing installation of a forward session entry for the forward traffic session within the session data for the
first port;

selecting, by the session-aware switching device, a firewall security device from among the plurality of firewall security
devices to associate with the forward traffic session and a corresponding reverse traffic session from the target device to
the source device by performing a load balancing function on at least a portion of the TCP SYN packet; and

causing the TCP SYN packet to be processed by the selected firewall security device;
responsive to receipt from the selected firewall security device the processed TCP SYN packet on a second port of the session-aware
switching device, installing, by the session-aware switching device, a reverse session entry for the corresponding reverse
traffic session within the session data for the second port with the target device identified as the particular source device
and with the source device identified as the particular destination device; and

responsive to receipt from the selected firewall security device a processed TCP SYN/ACK packet associated with the corresponding
reverse traffic session on the first port of the session-aware switching device, installing, by the session-aware switching
device, the forward session entry for the forward traffic session within the session data for the first port with the target
device identified as the particular destination device and with the source device identified as the particular source device.

US Pat. No. 9,166,805

SCALABLE IP-SERVICES ENABLED MULTICAST FORWARDING WITH EFFICIENT RESOURCE UTILIZATION

Fortinet, Inc., Sunnyval...

1. A network switch module comprising:
a memory partitioned among a plurality of virtual routers (VRs);
a plurality of processors partitioned among the plurality of VRs; and
wherein each VR of the plurality of VRs maintains a data structure in the memory, the data structure including information
relating to a set of multicast sessions being handled by the VR and including:

a plurality of pairs of a source field and a group field ({S, G} pairs) stored in the memory, in which each pair of the plurality
of {S, G} pairs defines a multicast session of the set of multicast sessions and wherein the source field defines a source
of a multicast transmission and the group field defines a group corresponding to the multicast session;

a first pointer associated with each of the plurality of {S, G} pairs that points to a dynamically allocated set of OIF blocks,
wherein a number of outbound interface (OIF) blocks in the set of OIF blocks is dependent upon how many of a plurality of
OIFs of the VR are currently participating in the multicast session and the number of OIF blocks in the set of OIF blocks
defines how many times packets associated with the multicast session are to be replicated;

a set of slots associated with each OIF block of the set of OIF blocks, each slot of the set of slots configured to store
a second pointer to a transmit control block (TCB) which services one or more users participating in the multicast session
and which represents a data structure configured to store control information relevant to processing or routing packets, including
information regarding an OIF of the plurality of OIFs through which the packets are to be transmitted;

a third pointer associated with each OIF block of the set of OIF blocks to chain together the set of OIF blocks, wherein only
one OIF block of the set of OIF blocks is updated responsive to users joining or leaving the multicast session.

US Pat. No. 9,455,980

MANAGEMENT OF CERTIFICATE AUTHORITY (CA) CERTIFICATES

Fortinet, Inc., Sunnyval...

1. A method of facilitating inline inspection of Secure Sockets Layer (SSL) traffic exchanged between an SSL client and an
SSL server by a network security appliance, the method comprising:
establishing, by a client security manager running on a client computer system, a connection with an endpoint control module
of the network security appliance through a network, wherein the client security manager manages security of the client computer
system and the network security appliance manages security of traffic passing through the network;

downloading via the connection, by the client security manager, from the network security appliance a certificate authority
(CA) certificate by which a server certificate is signed, wherein the server certificate is used to establish an SSL session
between a transparent SSL proxy running within the network security appliance and the client computer system;

causing the client computer system to trust the server certificate when the server certificate is subsequently received from
the network security appliance during establishment of the SSL session by installing, by the client security manager, the
CA certificate into a certificate store of the client computer system.

US Pat. No. 9,300,632

EXAMINING AND CONTROLLING IPV6 EXTENSION HEADERS

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a traversing device, an Internet Protocol (IP) version 6 (IPv6) packet or packet fragment;
applying, by the traversing device, one or more security checks to extension headers of the IPv6 packet or packet fragment;
responsive to determining a security check of the one or more security checks is violated by the extension headers, identifying
and performing, by the traversing device, one or more appropriate countermeasures;

wherein the violated security check relates to a limit on a number of extension headers that may be included within a received
packet or fragment based on an application or a protocol with which the received packet or fragment is associated; and

wherein the one or more appropriate countermeasures include (i) blocking the IPv6 packet or packet fragment or (ii) modifying
the IPv6 packet or packet fragment by removing the extension headers.

US Pat. No. 9,495,556

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
establishing and maintaining, by a trusted gateway device logically interposed between an enterprise network and a plurality
of third-party cloud storage services, a plurality of cryptographic keys;

receiving, by the trusted gateway device, a request from a user of the enterprise network to store a file;
partitioning, by the trusted gateway device, the file into a plurality of chunks of a predefined or configurable size;
causing to be created, by the trusted gateway device, a directory within one or more cloud storage services of the plurality
of third-party cloud storage services, wherein a name attribute of the directory is set based on an encrypted version of a
name of the file; and

for each chunk of the plurality of chunks:
selecting, by the trusted gateway device, a cryptographic key of the plurality of cryptographic keys;
identifying, by the trusted gateway device, existence of data within the chunk associated with one or more predefined search
indices of a plurality of predefined searchable indices;

generating, by the trusted gateway device, searchable encrypted metadata based on the identified data and the selected cryptographic
key;

generating, by the trusted gateway device, an encrypted version of the chunk; and
causing to be created, by the trusted gateway device, a file within the directory, wherein a name attribute of the file includes
the searchable encrypted metadata and wherein a contents of the file includes the encrypted version of the chunk.

US Pat. No. 9,355,251

EFFICIENT DATA TRANSFER IN A VIRUS CO-PROCESSING SYSTEM

Fortinet, Inc., Sunnyval...

1. A method comprising:
storing, by a general purpose processor, a data segment to a system memory of the general purpose processor using a virtual
address, the system memory having stored therein a page directory and a page table containing information for translating
virtual addresses to physical addresses within a physical address space of the system memory;

translating, by a virus processing hardware accelerator, coupled in communication with the system memory and the general purpose
processor via an interconnect bus, the virtual address of the data segment to a physical address of the data segment based
on the page directory and the page table;

accessing the data segment, by the virus processing hardware accelerator, based on the physical address;
scanning, by the virus processing hardware accelerator, the data segment for viruses by executing a plurality of pattern comparisons
against the data segment; and

returning, by the virus processing hardware accelerator, a result of the scanning to the general purpose processor by writing
the result to the system memory.

US Pat. No. 9,349,013

VULNERABILITY-BASED REMEDIATION SELECTION

Fortinet, Inc., Sunnyval...

1. A host device comprising: at least one processor; at least one memory device; a network interface device;
a sensor program stored in the at least one memory device and executed by the at least one processor to: automatically assess
a current state of the host device to identify a plurality of T_ID fields that each denote an identification (ID) of a technology
species (T) present in the host device; automatically send information representative of the current state of the host device
to a server via the network interface device including the identified plurality of T_ID fields; automatically receive, via
the network interface device, vulnerability remediation information from the server, the vulnerability remediation information
including:

instructions executable by the processor through the sensor program, the instructions including at least one remediation for
at least one vulnerability of the host device and at least a subset of the plurality of identified T_ID fields, the at least
one remediation determined by the server at least in part by AND operations comprising a first list of remediation identifications
(R_IDs) identified using a vulnerability identification (V_ID) of the at least one vulnerability as a database index for a
list of R_IDs ANDed with a second list of R_IDs identified using technology genus (T_GEN) as an index, wherein the T_GEN is determined
from at least one of the T_ID fields, and further ANDed against a third list of R_IDs identified using the V_ID of the at least one
vulnerability as an index; and

for each of the T_ID fields of the subset of the plurality of the identified T_ID fields, a plurality of ACT_ID fields, wherein
the content of an ACT_ID field denotes an ID of an action (ACT); and

automatically implement the at least one remediation upon the host device through execution of the instructions of the received
remediation information to mitigate the at least one vulnerability of the host device.

US Pat. No. 9,306,907

LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES

Fortinet, Inc., Sunnyval...

1. A method comprising:
configuring a load balancing function in a switching device within a network based on information received from a network
administrator indicative of (i) a number of bits to be used as an input to the load balancing function and (ii) bit positions
of the number of bits within one or more of a type of service, a protocol, a source port, a destination port, a source address
and a destination address of packets to be load balanced, wherein the number of bits may be fewer than that of the source
address or the destination address and wherein the bit positions are not limited to being contiguous;

causing, by a switching device, a plurality of firewall security devices within the network and operating as part of a cluster
to enter into a load balancing mode by sending one or more control messages to the plurality of firewall security devices;

responsive to receiving, by the switching device, a heartbeat signal on a port of a plurality of ports of the switching device
from a firewall security device of the plurality of firewall security devices, including information regarding the firewall
security device and the port into a load balancing table maintained by the switching device that maps a plurality of hash
values or emulated hash values output by the load balancing function to the plurality of ports;

receiving, by the switching device, a packet from a client device associated with the network; and
forwarding, by the switching device, the packet to a firewall security device of the cluster by:
determining a hash value or an emulated hash value by applying the load balancing function to values associated with the bit
positions of the number of bits within the packet;

identifying a port of the plurality of ports to which the firewall security device is coupled based on the hash value or the
emulated hash value and the load balancing table; and

transmitting the packet to the firewall security device via the identified port.

US Pat. No. 9,160,716

TUNNEL INTERFACE FOR SECURING TRAFFIC OVER A NETWORK

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, at a service management system (SMS) of a managed security service provider, a request to establish an Internet
Protocol (IP) connection between a first location of a first subscriber of a plurality of subscribers of the managed security
service provider and a second location of the first subscriber;

responsive to the request, the SMS causing a tunnel to be established between a first virtual router (VR) of a first service
processing switch of the managed service provider that is associated with the first location and a second VR of a second service
processing switch of the managed service provider that is associated with the second location, wherein the first service processing
switch and the second service processing switch are coupled in communication via a public network, wherein said causing a
tunnel to be established comprises:

binding an encryption configuration decision associated with the request with a routing configuration of the first VR, by,
when the request is to establish a secure IP connection, configuring the first VR (i) to cause all packets transmitted from
the first location to the second location to be encrypted prior to transmission through the public network and (ii) to cause
all packets received from the second location to be decrypted after transmission through the public network; and

binding the encryption configuration decision with a routing configuration of the second VR, by, when the request is to establish
a secure IP connection, configuring the second VR (i) to cause all packets transmitted from the second location to the first
location to be encrypted prior to transmission through the public network and (ii) to cause all packets received from the
first location to be decrypted after transmission through the public network.

US Pat. No. 9,986,576

STEERING CONNECTION REQUESTS FOR AN ACCESS POINT TO A BEST-SERVING ACCESS POINT

Fortinet, INC, Sunnyvale...

1. A computer-implemented method in an access point in a wireless network for steering connection requests from network devices to a preferred access point of a wireless network, comprising:
connecting to the wireless network;
receiving a probe request for connection from a network device;
responsive to the probe request, generating a probability function that defines a likelihood of granting the network device a connection;
responsive to receiving one or more subsequent probe requests, applying a progressively less restrictive probability function, wherein the probability function comprises a set of probability curves; and
sending the probe response to the probe request and the one or more subsequent probe requests to the network device.

US Pat. No. 9,456,389

DYNAMIC GENERATION OF PER-STATION REALM LISTS FOR HOT SPOT CONNECTIONS

Fortinet, Inc., Sunnyval...

1. A computer-implemented method for generating a list of per-station NAI (Network Access Identifier) realms for a hot spot
WLAN connection, the method comprising the steps of:
receiving a query for a list of realms from a station during a connection to a hot spot;
responsive to detecting the request specifically from the station, retrieving a history of previous connections by the station,
generating the list of realms that are a subset of a list of realms available to the hot spot, and including at least one
realm from the history of previous connections in the list of realms;

receiving a selection from the list of realms;
authenticating the station with the selected realm; and
forwarding data traffic concerning the station through the hot spot on behalf of the selected realm.

US Pat. No. 9,413,724

CLOUD-BASED SECURITY POLICY CONFIGURATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
logging into a cloud account by a first network appliance;
synchronizing, by the first network appliance, one or more security parameters of the first network appliance with corresponding
one or more security parameters shared by a second network appliance to the cloud account;

automatically creating, by the first network appliance, a security policy that controls a connection between the first network
appliance and the second network appliance based at least in part on the one or more security parameters;

fetching from the cloud account, by the first network appliance, a modification of the one or more security parameters shared
by the second network appliance to the cloud account; and

updating, by the first network appliance, the security policy based at least in part on the modification of the one or more
security parameters.

US Pat. No. 9,743,418

AUTOMATIC CHANNEL SELECTION IN WIRELESS LOCAL AREA NETWORK (WLAN) CONTROLLER BASED DEPLOYMENTS USING COLOR GRAPHS

Fortinet, Inc., Sunnyval...

1. A computer-implemented method in a controller for automatically selecting Wi-Fi channels for a plurality of access points
on a data communication network, the method comprising the steps of:
managing, with a processor of the controller, the plurality of access points utilizing a set of non-interfering channels on
the data communication network, wherein a lack of interference exists between the set of non-interfering channels;

receiving scan results from each of the plurality of access points, with a network interface of the controller, the scan results
comprising a list of neighboring access points from the plurality of access points relative to each access point;

responsive to a number of the plurality of access points exceeding a number of non-interfering channels, assigning, with a
processor of the controller, each of the plurality of access points to a non-interfering channel with sharing of at least
one of the non-interfering channels, using a GCA (Graph Coloring Algorithm) in which each color assignment corresponds to
a non-interfering channel assignment in order to prevent neighboring access points from sharing a non-interfering channel;
and

sending, with the network interface, the channel assignments to the plurality of access points.

US Pat. No. 9,756,017

DATA LEAK PROTECTION IN UPPER LAYER PROTOCOLS

Fortinet, Inc., Sunnyval...

1. A data leak prevention (DLP) method comprising:
receiving, by a network security device associated with a private network, a packet originated by a host device within the
private network and directed to a destination device outside of the private network;

identifying, by the network security device, an upper layer protocol associated with the received packet;
determining, by the network security device, whether the identified upper layer protocol is one of a plurality of candidate
upper layer protocols having a potential to carry sensitive information out of the private network with reference to a database
containing therein information regarding the plurality of candidate upper layer protocols, one or more corresponding requests
or commands of interest for each of the plurality of candidate upper layer protocols and a corresponding suspect field within
each of the one or more corresponding requests or commands of interest that is to be subjected to DLP scanning;

when a result of the determining is affirmative and a request or command represented by the received packet is among those
of the one or more corresponding requests or commands of interest for the identified upper layer protocol, then performing,
by the network security device, a DLP scan on content contained within the corresponding suspect field of the received packet
by:

applying a plurality of DLP rules to the content, wherein each of the plurality of DLP rules include (i) a regular expression
or a string defining a search pattern indicative of existence of one of a plurality of forms of sensitive information and
(ii) information defining an action to take when the search pattern matches the content; and

when a match is found between the content and the search pattern of a DLP rule of the plurality of DLP rules, then performing,
by the network security device, the defined action of the DLP rule; and

when the result is negative or the request or command represented by the received packet is not among those of the one or
more corresponding requests or commands of interest for the identified upper layer protocol, then skipping performance, by
the network security device, the DLP scan for the received packet;

wherein the one or more corresponding requests or commands of interest for each of the plurality of candidate upper layer
protocols are configurable by a network administrator of the private network.

US Pat. No. 9,537,826

SYSTEMS AND METHODS FOR PASSING NETWORK TRAFFIC CONTENT

Fortinet, Inc., Sunnyval...

1. A computer-implemented method in a gateway device connected to a data communication network in between a data source device
and a user device, for transmitting files based on content type, the method comprising:
receiving data, in a network interface device of the gateway device, that corresponds to a file of a first type that was requested
by a user device and is subject to policy enforcement;

examining headers of the file, with a protocol differentiator electrically coupled to a processor of the gateway device, to
identify a type of content associated with the file from a plurality of content types;

based on the type of content associated with the file, from the network interface device, transmitting the file at a prescribed
data transmission rate for the content type before policy enforcement has been performed on the portion of the file and before
the entirety of the file has been received;

distinct from the transmitting of the file portion of the user, performing policy enforcement upon receipt of less than an
entirety of the file and at a data increment size of received data portions at least equal to a threshold of data; and

after policy enforcement is performed upon an entirety of the file, transmitting the remaining portion of the file that has
been received, but not yet transmitted to the user device.

US Pat. No. 9,391,964

TUNNEL INTERFACE FOR SECURING TRAFFIC OVER A NETWORK

Fortinet, Inc., Sunnyval...

1. A method comprising:
instantiating, within each of a plurality of service processing switches of a service provider, a plurality of virtual routers
(VRs), wherein each VR of the plurality of VRs is supported by an object group and each object of the object group supports
a network service;

assigning one or more VRs of the plurality of VRs to a subscriber of a plurality of subscribers of the service provider;
receiving, by a service management system (SMS) of the service provider, a request to establish an Internet Protocol (IP)
connection between a first location of the subscriber and a second location of the subscriber; and

establishing a tunnel between a first service processing switch of the plurality of service processing switches and a second
service processing switch of the plurality of service processing switches coupled in communication with the first service
processing switch through a public network, including:

binding an encryption configuration decision associated with the request with a routing configuration of a first packet routing
node of the first service processing switch, by, when the request is to establish a secure IP connection, configuring the
first packet routing node (i) to cause all packets transmitted from the first location to the second location to be encrypted
prior to transmission through the public network and (ii) to cause all packets received from the second location to be decrypted
after transmission through the public network; and

binding the encryption configuration decision with a routing configuration of a second packet routing node of the second service
processing switch, by, when the request is to establish a secure IP connection, configuring the second packet routing node
(i) to cause all packets transmitted from the second location to the first location to be encrypted prior to transmission
through the public network and (ii) to cause all packets received from the first location to be decrypted after transmission
through the public network.

US Pat. No. 9,497,162

INTERFACE GROUPS FOR RULE-BASED NETWORK SECURITY

Fortinet, Inc., Sunnyval...

1. A method comprising:
causing to be displayed, by a network security appliance, a security rule configuration interface through which a network
administrator can specify parameters of a plurality of security rules to be applied to network traffic attempting to traverse
the network security appliance through one or more of a plurality of interfaces of the network security appliance;

receiving, by the network security appliance via the security rule configuration interface, parameters defining a traffic
flow to be controlled by a security rule of the plurality of security rules, wherein the parameters defining the traffic flow
include:

a set of source interfaces of the plurality of interfaces, representing a proper subset of the plurality of interfaces, from
which traffic associated with the traffic flow being defined can be received by the network security appliance;

a set of destination interfaces of the plurality of interfaces, representing a proper subset of the plurality of interfaces,
through which traffic associated with the traffic flow being defined can be transmitted by the network security appliance
if the security rule allows the traffic flow; and

wherein at least one of the set of source interfaces and the set of destination interfaces includes multiple interfaces of
the plurality of interfaces such that the security rule permits the traffic flow to be defined, at least in terms of multiple
source interfaces and multiple destination interfaces; and

receiving, by the network security appliance via the security rule configuration interface, information regarding an action
to be performed on the network traffic when the network traffic matches the security rule;

storing, by the network security appliance, the security rule as part of a ruleset to be applied to the network traffic.

US Pat. No. 9,401,976

VIRTUAL MEMORY PROTOCOL SEGMENTATION OFFLOADING

Fortinet, Inc., Sunnyval...

1. A method comprising:
responsive to storage of outbound payload data within a user memory space of a system memory of a network device by a network
driver of the network device on behalf of a user process running on a host processor of the network device, determining, by
a bus/memory interface of the network device or a network interface unit of the network device, presence of the outbound payload
data, wherein the outbound payload data is to be delivered via an Internet Protocol (IP) network to a destination via a transport
layer protocol and is distributed across a plurality of payload buffers within the user memory space;

fetching, by the bus/memory interface on behalf of the network interface unit, the outbound payload data from the plurality
of payload buffers by performing direct virtual memory addressing of the user memory space including mapping physical addresses
of various portions of the outbound payload data to corresponding virtual addresses and accessing a plurality of buffer descriptors
created within the kernel memory space by the network driver, wherein the plurality of buffer descriptors include:

a first buffer descriptor including information indicative of a first starting address within the system memory of a first
payload buffer of the plurality of payload buffers containing therein a first portion of the outbound payload data; and

a second buffer descriptor including information indicative of a second starting address within the system memory of a second
payload buffer of the plurality of payload buffers containing therein a second portion of the outbound payload data; and

segmenting, by a network processor of the network interface unit, the outbound payload data across one or more transport layer
protocol packets.

US Pat. No. 9,374,384

HARDWARE BASED DETECTION DEVICES FOR DETECTING NETWORK TRAFFIC CONTENT AND METHODS OF USING THE SAME

Fortinet, Inc., Sunnyval...

1. A method for detecting network traffic content, the method comprising:
translating, by a network device, at least one signature codified with at least one predicate representative of at least one
function to be performed to detect network traffic content to be detected into a byte stream executable by a processor to
determine whether network traffic content matches content to be detected, the at least one signature is received via a first
input port of the network device;

receiving, by the network device via a second input port, network traffic content; and
processing, by the network device, received network traffic content to determine whether the network traffic content includes
the content to be detected as represented in the translated at least one signature.

US Pat. No. 9,351,166

BLOCKING COMMUNICATION BETWEEN ROGUE DEVICES ON WIRELESS LOCAL ACCESS NETWORKS (WLANS)

Fortinet, Inc., Sunnyval...

1. A computer-implemented method in a control element responsible for a plurality of access points in a wireless communication
network, the method for controlling rogue devices and including the steps of:
identifying a rogue device by the control element, comprising:
receiving a notification from an access point, the access point storing a plurality of BSSIDs (basic service set identifiers)
that are authorized on the wireless communication network in association with a plurality of MAC (media access control) addresses
authorized to use the BSSIDs, the frame being directed to a BSSID that is not associated with the access point, and

comparing the BSSID against a list of BSSIDs serviced by the plurality of access points on the wireless communication network
to determine if the BSSID is associated with any access point on the wireless communication network; and

blocking the rogue device by two or more access points as directed by the control element, comprising:
selecting the two or more access points from the plurality of access points to each send an ACK (acknowledgment frame) in
response to a frame sent by the rogue device, the frame sent by the rogue device having a destination other than said access
point,

wherein the ACK frames sent by the two or more access points interfere with an ACK frame from the destination.

US Pat. No. 9,338,134

FIREWALL POLICY MANAGEMENT

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a firewall device, a log of network traffic observed by the firewall device by storing, for each network traffic
flow, information regarding one or more of bandwidth usage, a source interface, a destination interface, a source Internet
Protocol (IP) address, a destination IP address, an event ID, an importance, application details, port information, traffic
details, timestamps, user details, source device details, destination device details, a level of trust, source operating system
details, a virus scan level and a schedule;

receiving, by the firewall device, an administrator request for a customized and interactive report to be generated based
on the log, the administrator request identifying report parameters including one or more of a specified time frame, a specified
user, a specified user group, a specified application and a specified type of application;

generating, by the firewall device, the customized and interactive report by extracting information from the log based on
the report parameters, wherein the customized and interactive report presents one or more network traffic items in aggregate
form corresponding to each of one or more traffic aggregation parameters and includes information identifying one or more
of total running time and total bandwidth usage for each of the one or more network traffic items and an action object corresponding
to each of the one or more network traffic items;

responsive to interaction with a particular action object, receiving, by the firewall device, a directive to implement an
appropriate firewall policy for the corresponding network traffic item of the one or more network traffic items; and

based on the directive and the information extracted from the log, the firewall device, defining and establishing the appropriate
firewall policy, wherein the appropriate firewall policy comprises one or more rules and one or more corresponding actions
for imposing time or bandwidth limitations on network traffic associated with the specified application or the specified type
of application by the specified user or the specified user group.

US Pat. No. 9,331,900

CENTRALIZED MANAGEMENT OF ACCESS POINTS

Fortinet, Inc., Sunnyval...

1. An Access Controller (AC) comprising:
one or more processors;
a communication interface device;
one or more internal data storage devices operatively coupled to the one or more processors and storing:
an identifier module configured to assign a unique identifier to each Access Point (AP) of a plurality of APs that are managed
by the AC, wherein the unique identifier is not an Internet Protocol (IP) address associated with the AP;

an interface module configured to present an interface to a user through which commands are provided by the user and to access
a first AP of the plurality of APs responsive to a command received from the user and based upon the first AP's assigned unique
identifier, wherein the interface comprises a command line interface (CLI); and

an access module configured to access the first AP responsive to the command, wherein the access to the first AP enables an
AP CLI of the first AP and displays a prompt associated with the AP CLI to the user through which said user may issue commands
to the first AP, wherein the AP CLI of the first AP further permits access to a second AP of the plurality of APs and wherein
the access to the second AP enables an AP CLI of the second AP and displays a prompt associated with the AP CLI of the second
AP to the user through which the user may issue commands to the second AP.

US Pat. No. 9,608,961

FIREWALL POLICY MANAGEMENT

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a firewall running on a network security device associated with a private network, a log of network traffic
observed by the firewall by storing, for each network traffic flow, information regarding one or more of a volume of traffic,
a source interface, a destination interface, a source Internet Protocol (IP) address, a destination IP address, an application
name, an application type, port information, a start time, an end time and a username associated with the network traffic
flow;

receiving, via a graphical user interface (GUI) associated with the firewall, a request from an administrator of the private
network for a report to be generated based on the log, the request containing information indicative of report parameters
including (i) a specified time frame, (ii) user information indicative of one or more users associated with the private network;
and (iii) application information indicative of one or more particular applications or one or more types of applications associated
with the logged network traffic;

extracting from the log, by the firewall, information regarding network traffic flows satisfying the report parameters;
presenting, by the firewall, via the GUI a customized and interactive hierarchical report to the administrator, wherein the
customized and interactive hierarchical report includes (i) a plurality of aggregated network traffic items; and (ii) a plurality
of action objects each corresponding to one of the plurality of aggregated network traffic items, wherein information associated
with the plurality of aggregated network traffic items is determined by individually aggregating each of a plurality of traffic
aggregation parameters for each observed value of a primary report parameter within the extracted information, wherein the
plurality of traffic aggregation parameters, include one or more of traffic volume and percentage of traffic volume; and

responsive to interaction by the administrator with a particular action object of the plurality of action objects and selection
by the administrator of an action to be taken on subsequently received network traffic matching the corresponding aggregated
network traffic item of the plurality of aggregated network traffic items, automatically defining and establishing, by the
firewall, an appropriate firewall policy including one or more rules identifying the matching network traffic and a corresponding
action to be taken on the matching network traffic based on the selection.

US Pat. No. 9,589,284

NETWORK ADVERTISING SYSTEM

Fortinet, Inc., Sunnyval...

1. A method comprising:
observing, by an insertion server running within a firewall device of a private Internet Protocol (IP) network, a content
request of an application protocol by monitoring or proxying a plurality of transport communication protocol connections established
through the firewall device, wherein the content request is (i) originated by a client device coupled to the private IP network,
(ii) directed to a destination device coupled to the private IP network and (iii) associated with a transport communication
protocol connection of the plurality of transport communication protocol connections;

negating the content request, by the insertion server, by causing a canceling message of the transport communication protocol
to be sent to the destination device;

causing, by the insertion server, unsolicited content to be selected for delivery to the client device; and
sending, by the insertion server, the selected unsolicited content to the client device via the application protocol.

US Pat. No. 9,419,998

FILTERING HIDDEN DATA EMBEDDED IN MEDIA FILES

Fortinet, Inc., Sunnyval...

1. A method comprising:
capturing network traffic by a network security appliance associated with a protected network, wherein the network traffic
is originated by a source external to the protected network and is directed to an intended recipient associated with the protected
network;

extracting, by the network security appliance, a media file from the network traffic;
determining, by the network security appliance, presence of a potentially malicious hidden data item embedded in the media
file in a form of encoded data within one or more of a digital watermark, steganography and a barcode by decoding the encoded
data by a decoding module of the network security appliance;

determining whether the decoded data violates one or more security policies of a plurality of security policies of the network
appliance by applying a Uniform Resource Locator (URL) filter to the decoded data by a content inspection engine of the network
security appliance; and

when said determining whether the decoded data violates one or more security policies is affirmative, then protecting the
intended recipient against the potentially malicious hidden data item by the network security appliance performing one or
more of (i) blocking transmission of the media file to the intended recipient, (ii) causing the intended recipient to be alerted
regarding the potentially malicious hidden data item and (iii) causing a network administrator of the protected network to
be alerted regarding the potentially malicious hidden data item.

US Pat. No. 9,602,498

INLINE INSPECTION OF SECURITY PROTOCOLS

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a security device, a handshake message from a security protocol client;
transmitting, by the security device, the handshake message to a security protocol server;
receiving, by the security device, a response including a certificate of the security protocol server;
transmitting, by the security device, a response including a certificate of the security device to the security protocol client;
receiving, by the security device, an encrypted packet from the security protocol client, wherein application data contained
in the encrypted packet is encrypted with a cipher suite deliberately caused to be selected for use in connection with both
(i) a first security protocol session established between the security protocol client and the security device and (ii) a
second security protocol session established between the security protocol server to which the encrypted packet is destined
and the security device;

buffering, by the security device, the encrypted packet in a buffer;
accessing, by an inspection module of the security device, the encrypted packet from the buffer;
decrypting the encrypted packet, by the inspection module, to produce a plain text version of the application data;
scanning, by the inspection module, the plain text version of the application data;
when a Transmission Control Protocol (TCP) sequence number of the first security protocol session is equivalent to a TCP sequence
number of the second security protocol session, transmitting, by the security device, the encrypted packet to the security
protocol server; and

when a size of the certificate of the security device is smaller than a size of the certificate of the security protocol server,
transmitting at least one more Secure Sockets Layer (SSL) record from the security device to the security protocol client
so that the TCP sequence number of the first security protocol session is equivalent to the TCP sequence number of the second
security protocol session.

US Pat. No. 9,602,535

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

Fortinet, Inc., Sunnyval...

1. A method for controlling a plurality of distributed denial of service (DDoS) mitigation appliances, comprising:
providing a distributed software defined networking (SDN) architectural solution to DDoS mitigation by decoupling a control
plane and a data plane for DDoS attack mitigation, wherein functionality associated with the control plane is implemented
within a DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based
on past traffic and management of DDoS attack mitigation policies and wherein functionality associated with the data plane
is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of granular
traffic rate information regarding traffic observed by each of the plurality of DDoS mitigation appliances;

configuring, by the DDoS attack mitigation central controller, the DDoS attack mitigation policies for the plurality of DDoS
attack mitigation appliances comprising collecting, by the DDoS attack mitigation central controller, the granular traffic
rate information, including traffic rates observed during a predetermined period of time for a plurality of predetermined
parameters of layer 2, layer 3, layer 4 or layer 7 of a network stack, from the plurality of DDoS attack mitigation appliances,
and estimating granular behavioral packet rate thresholds based on the granular traffic rate information; and

causing, by the DDoS attack mitigation central controller, the plurality of DDoS attack mitigation appliances to enforce the
granular behavioral packet rate thresholds by sending the DDoS attack mitigation policies to the plurality of DDoS attack
mitigation appliances through a network connecting the DDoS attack mitigation central controller and the plurality of DDoS
attack mitigation appliances.

US Pat. No. 9,584,478

EXAMINING AND CONTROLLING IPV6 EXTENSION HEADERS

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a traversing device within a protected network, a plurality of Internet Protocol (IP) version 6 (IPv6) packets
or packet fragments;

applying, by the traversing device, a set of security checks to extension headers within each of the plurality of IPv6 packets
or packet fragments, wherein the set of security checks includes a security check relating to a limit on a number of extension
headers that may be included within an IPv6 packet or packet fragment based on an application or a protocol with which the
IPv6 packet or packet fragment is associated;

based on results of the set of security checks, updating, by the traversing device, sender reputation information maintained
by the traversing device corresponding to senders of the plurality of IPv6 packets or packet fragments, wherein the sender
reputation information is indicative of observed conformity/non-conformity of IPv6 extension headers with one or more security
checks of the set of security checks; and

making use of the sender reputation information, by the traversing device, to drop, rate limit or quarantine one or more subsequently
received IPv6 packets or packet fragments.

US Pat. No. 9,331,961

HETEROGENEOUS MEDIA PACKET BRIDGING

Fortinet, Inc., Sunnyval...

1. A network routing/switching blade server comprising:
a plurality of network interfaces, including a first set of network interfaces implemented within a first server blade and
operable to receive network packets encapsulated within a first plurality of media transmissions each having a first framing
media format of a plurality of framing media formats and a second set of network interfaces implemented within a second server
blade and operable to transmit network packets encapsulated within a second plurality of media transmissions each having a
second framing media format of the plurality of framing media formats, wherein the plurality of framing media formats include
one or more of Asynchronous Transfer Mode (ATM), Gigabit Ethernet (GigE), Frame Relay (FR), Time-Division Multiplexing (TDM)
and a wireless media format;

a plurality of processing resources implemented within one or more server blades coupled to the plurality of network interfaces
and shared by the plurality of network interfaces, including a first processing resource upon which a virtual bridging application
executes, the virtual bridging application representing a single bridging domain for all network packets received by the network
routing/switching blade server;

a non-transitory memory, accessible to the first processing resource, having stored therein one or more translation data structures
defining translations between the first framing media format and an intermediate format and between the intermediate format
and the second framing media format;

a switching fabric server blade, coupled to the plurality of network interfaces, forwarding the network packets received from
the first set of network interfaces to one or more of the plurality of processing resources;

wherein responsive to receiving a network packet, the first set of network interfaces pass the network packet to the virtual
bridging application through the switching fabric server blade;

the virtual bridging application determines a relay location to which the network packet is to be relayed and whether the
relay location is among the second set of network interfaces, which are associated with a disparate framing media format and
a disparate media channel than that of the first set of network interfaces; and

responsive to an affirmative determination that the relay location is among the second set of network interfaces, the virtual
bridging application uses the one or more translation data structures to translate the network packet to the second framing
media format before relaying the network packet to the relay location.

US Pat. No. 9,313,183

POLICY-BASED CONFIGURATION OF INTERNET PROTOCOL SECURITY FOR A VIRTUAL PRIVATE NETWORK

Fortinet, Inc., Sunnyval...

1. A network device comprising:
a non-transitory storage device having embodied therein one or more routines operable to facilitate policy-based configuration
of Internet Protocol Security (IPSec) for a Virtual Private Network (VPN) connection; and

one or more processors coupled to the non-transitory storage device and operable to execute the one or more routines, where
the one or more routines cause a policy page to be displayed to a network administrator via a user interface of the network
device through which a policy, including a plurality of VPN settings for establishing the VPN connection, is viewed and configured,
the plurality of VPN settings including a type of IPSec tunnel to be established between the network device and a peer network
device;

the one or more routines receiving, via the user interface, a selection regarding the type of IPSec tunnel to be used for
the VPN connection; and

the one or more routines requesting the VPN connection be established between the network device and the peer network device
in accordance with the policy by sending a notification request, including parameter values associated with the plurality
of VPN settings, from the network device to the peer network device.

US Pat. No. 9,652,417

NETWORK INTERFACE CARD RATE LIMITING

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a network interface card (NIC), data packets from a network, wherein the NIC is coupled to a host central processing
unit (CPU) of a network appliance through a bus system;

monitoring, by the NIC, a status of the host CPU, including:
responsive to receiving a data packet, notifying the host CPU the data packet is available for processing by the host CPU,
by issuing, by the NIC, an interrupt to the host CPU;

disabling, by the NIC, the interrupt;
measuring, by the NIC, a time period during which the interrupt remains disabled by monitoring the interrupt; and
determining, by the NIC, the host CPU is busy when the time period exceeds a threshold;
setting, by the NIC, a rate limiting mode indicator based on the status;
when the rate limiting mode indicator indicates rate limiting is inactive, then transmitting, by the NIC, the received data
packets to the host CPU for processing; and

when the rate limiting mode indicator indicates rate limiting is active, then performing, by the NIC, rate limiting by temporarily
stopping or slowing transmission of the received data packets to the host CPU for processing.

US Pat. No. 9,491,143

CONTEXT-AWARE PATTERN MATCHING ACCELERATOR

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a first stage of a context-aware pattern matching and parsing (CPMP) hardware accelerator of a network device,
a packet stream;

performing, by the first stage, a pre-matching process, including string matching and overflow pattern matching, on packets
within the packet stream to identify a candidate packet within the packet stream that matches one or more strings or overflow
patterns associated with a set of Intrusion Prevention System (IPS) or Application Delivery Controller (ADC) rules;

identifying, by the first stage, a candidate rule from the set of IPS or ADC rules based on a correlation of results of the
pre-matching process;

tokenizing, by the first stage, packet data of the candidate packet to produce matching tokens and corresponding locations
of the matching tokens within the candidate packet;

performing, by a second stage of the CPMP hardware accelerator including a plurality of CPMP processors, a full-match process
on the candidate packet to determine whether the candidate packet satisfies the candidate rule by fetching and executing special
purpose CPMP instructions to perform one or more of (i) context-aware pattern matching on one or more packet field values
of the candidate packet, (ii) context-aware string matching on packet data of the candidate packet and (iii) regular expression
matching on the packet data based on a plurality of predefined conditions associated with the candidate rule, corresponding
contextual information provided by the candidate rule, the matching tokens and the corresponding locations; and

providing, by the second stage, results of the full-match process to a general purpose processor of the network device.

US Pat. No. 9,331,979

FACILITATING CONTENT ACCESSIBILITY VIA DIFFERENT COMMUNICATION FORMATS

Fortinet, Inc., Sunnyval...

1. A system, comprising:
a processor configured to:
send a test content to a client to determine a communication format via which the client is capable of communication;
determine a communication format via which the client is capable of communication based on a response to the test content;
receive a content request from a client; and
direct the request to a content delivery network that supports the communication format via which the client is capable of
communication;

wherein the requested content comprises web page content published by a content publisher in one of Internet Protocol version
4 (IPv4) format and Internet Protocol version 6 (IPv6) format and obtained by the content delivery network from the content
publisher and translated into IPv6 format or IPv4 format, respectively, by the content delivery network prior to receiving
the content request based on the response to the test content; and

a memory coupled to the processor and configured to provide the processor with instructions.

US Pat. No. 9,609,021

SYSTEM AND METHOD FOR SECURING VIRTUALIZED NETWORKS

FORTINET, INC., Sunnyval...

1. A method of securing a dynamic virtualized network, the method comprising:
receiving, with a network automation device, a current network policy of the dynamic virtualized network, wherein the current
network policy includes a first plurality of network policy elements, each of the first plurality of network policy elements
identifies an authorized endpoint in the dynamic virtualized network, and the dynamic virtualized network is overlaid on a
physical network;

monitoring membership in the dynamic virtualized network;
in response to changes in the membership of the dynamic virtualized network,
determining a network security policy for the dynamic virtualized network from the current network policy, wherein the network
security policy includes one or more second network policy elements that is a different network policy element than one of
the plurality of first network policy elements of the current network policy, and each of the one or more second network policy
network elements adds an additional policy on how network traffic in the dynamic virtualized network is processed by a port
of one of a plurality of network access devices, and

applying the network security policy to each network access device of the plurality of network access devices that is affected
by the network security policy.

US Pat. No. 9,602,550

POLICY-BASED SELECTION OF REMEDIATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
collecting, by a light weight sensor (LWS) running on a host asset of a plurality of monitored, networked host assets of an
enterprise network, survey data, which collectively characterize a program-code-based operational state of the host asset,
from a survey tool installed on the host asset;

transmitting, by the LWS, the survey data to a remote server that is in a client-server relationship with the LWS via an external
network coupling the enterprise network and the remote server in communication; and

enforcing, by the remote server, a plurality of security policies with respect to the host asset based on the survey data
including determining whether the program-code-based operational state of the host asset represents a violation of one or
more security policies of the plurality of security policies, by evaluating, the survey data with reference to the plurality
of security policies, wherein each security policy of the plurality of security policies defines at least one parameter condition
violation of which is potentially indicative of unauthorized activity on the host asset or manipulation of the host asset
making the host asset vulnerable to attack.

US Pat. No. 9,516,034

INHERITANCE BASED NETWORK MANAGEMENT

Fortinet, Inc., Sunnyval...

1. A method comprising:
presenting to a network manager, via a graphical user interface (GUI) of a network management system, information regarding
a plurality of network devices managed by the network management system, wherein the plurality of network devices are associated
with a private computer network and are logically interposed between client systems of the private computer network and an
external computer network;

receiving, via the GUI, from the network manager information indicative of a first physical interface of a first network device
of the plurality of network devices and a second physical interface of a second network device of the plurality of network
devices that are to be normalized, wherein the first physical interface and the second physical interface have different physical
attributes;

normalizing, by the network management system, the first physical interface and the second physical interface by creating
a virtual interface to which both the first physical interface and the second physical interface correspond;

receiving, via the GUI, from the network manager information regarding a policy applicable to the virtual interface;
responsive to said receiving, creating or modifying, by the network management system, a first configuration file for the
first network device while the first network device is in an offline state and creating or modifying a second configuration
file for the second network device while the second network device is in the offline state, wherein one or more policies or
rules contained within the first configuration file and the second configuration file are expressed in terms of the virtual
interface; and

applying policy configurations, by the network management system, to the first network device and the second network device
and resolving physical interface configurations for the first physical interface and the second physical interface during
installation of the first network device and the second network device by resolving references to the virtual interface in
the first configuration file into the first physical interface and resolving references to the virtual interface in the second
configuration file into the second physical interface.

US Pat. No. 9,455,956

LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a switching device within a protected network, session data including a plurality of session entries each
of which represent a previously observed traffic session by the switching device from a particular source device to a particular
destination device and each of which form an association between the previously observed traffic session and a particular
firewall security device of a plurality of firewall security devices within the protected network;

responsive to receiving, at a first port of the switching device, a Transmission Control Protocol (TCP) synchronize (SYN)
packet of a forward traffic session from a source device coupled to the first port and directed to a target device coupled
to a second port of the switching device:

reducing vulnerability of the switching device to a TCP SYN flooding attack, by the switching device, by foregoing installation
of a forward session entry for the forward traffic session within the session data;

selecting, by the switching device, a firewall security device from among the plurality of firewall security devices to associate
with the forward traffic session and a corresponding reverse traffic session from the target device to the source device by
performing a load balancing function on at least a portion of the TCP SYN packet; and

causing the TCP SYN packet to be processed by the selected firewall security device;
responsive to receipt, from the selected firewall security device, of the processed TCP SYN packet on the second port, installing,
by the switching device, a reverse session entry for the corresponding reverse traffic session within the session data with
the target device identified as the particular source device and with the source device identified as the particular destination
device; and

responsive to receipt, from the selected firewall security device, of a processed TCP SYN-acknowledgement (ACK) packet associated
with the corresponding reverse traffic session on the first port of the switching device, installing, by the switching device,
the forward session entry for the forward traffic session within the session data with the target device identified as the
particular destination device and with the source device identified as the particular source device.

US Pat. No. 9,374,338

REMOTELY PROCESSING DETECTION OF UNDESIRABLE NETWORK TRAFFIC CONTENT

Fortinet, Inc., Sunnyval...

1. A computer-implemented method at a first host of a data network for remotely processing security checks against a data
transfer at a second host, the method comprising:
receiving, by a network interface device of the first host coupled to the data network, electronic data intended for a user
device;

calculating a checksum value, through execution of instructions on a processor of the first host, based upon and at the time
of receipt of each incremental portion of electronic data received by the first host based on the received and all previously
received incremental portions of the electronic data;

sending, from the first host via the network interface coupled to the network, each checksum value to a second host, as each
checksum is calculated, to the second host that stores a plurality of signatures and processes each checksum value against
the plurality of signatures in determining whether electronic data is associated with content desired to be detected;

receiving, by the network interface device of the first host via the network, a result from the second host with regard to
each checksum value sent thereto, each respective result indicating the determination of whether the electronic data is associated
with content desired to be detected; and

rejecting electronic data determined to be associated with content desired to be detected from being sent to the user device.

US Pat. No. 9,306,976

METHOD, APPARATUS, SIGNALS AND MEDIUM FOR ENFORCING COMPLIANCE WITH A POLICY ON A CLIENT COMPUTER

Fortinet, Inc., Sunnyval...

1. A method for client computer policy compliance enforcement, the method comprising:
receiving a data transmission from a client computer on a network, said data transmission received by a gateway node and including
status information associated with a configuration and operational status of the client computer, the status information including
hashed representations of client computer configuration and operational status data of at least one program installed on the
client computer;

preventing, by the gateway node, said data transmission from continuing when said data transmission does not include status
information or fails to meet a criterion;

applying, by the gateway node, a temporary policy for the client computer that permits said data transmission to continue
when said status information meets a criterion as determined through a matching of the hashed representations of the client
computer configuration and operational status data with desired hash values stored in a memory of the gateway node, said temporary
policy including information identifying the client computer and wherein subsequent data transmissions from the client computer
are permitted to continue without reading status information associated with the configuration and operational status of the
client computer included in said subsequent data transmissions, while said temporary policy exists; and

wherein:
the gateway node is a network device that enforces at least one policy with regard to client computers communicating over
the network;

the data transmission includes a request;
permitting the data transmission to continue includes the gateway node forwarding the data transmission for processing of
the request; and

the temporary policy expires when either a first period expires or the client computer has not initiated any subsequent data
transmissions within a second period.

US Pat. No. 9,088,544

INTERFACE GROUPS FOR RULE-BASED NETWORK SECURITY

Fortinet, Inc., Sunnyval...

1. A method comprising:
providing, by a network security appliance, a security rule configuration interface through which a network administrator
can specify parameters of security rules to be applied to network traffic attempting to traverse the network security appliance
through one or more of a plurality of interfaces of the network security appliance;

receiving, by the network security appliance via the security rule configuration interface, interface information defining
a traffic flow to be controlled by a security rule of the security rules, wherein the interface information specifies (i)
a first set of multiple interfaces, representing a proper subset of the plurality of interfaces, as a source interface of
the traffic flow; and (ii) a second set of multiple interfaces, representing a proper subset of the plurality of interfaces,
as a destination interface of the traffic flow such that the security rule allows multiple selections for the source interface
and multiple selections for the destination interface;

receiving, by the network security appliance via the security rule configuration interface, information regarding an action
to be performed on the network traffic when the network traffic matches the security rule;

storing, by the network security appliance, the security rule as part of a rule set to be applied to the network traffic.

US Pat. No. 9,538,468

POWER SAVING IN WI-FI DEVICES UTILIZING BLUETOOTH

Fortinet, Inc., Sunnyval...

1. A computer-implemented method for power saving in a Wi-Fi device of a wireless network utilizing Bluetooth, comprising
the steps of:
sending a notification of deep sleep mode to an access point currently associated with a Wi-Fi radio;
transitioning the Wi-Fi radio to deep sleep mode from active mode while a Bluetooth radio remains active;
maintaining an active connection to the access point while in deep sleep mode, comprising transmitting at least one packet
concerning the Wi-Fi radio connection to the access point using the Bluetooth radio;

receiving an indication, over the Bluetooth radio, of data packets addressed to the Wi-Fi radio;
responsive to the indication of data packets, transitioning the Wi-Fi radio from the deep sleep mode to the active mode; and
sending a notification of active mode to the access point currently associated with the Wi-Fi radio.

US Pat. No. 9,460,287

EFFICIENT DATA TRANSFER IN A VIRUS CO-PROCESSING SYSTEM

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a general purpose processor, a page directory and a page table within a system memory of the general purpose
processor, the page directory and the page table containing therein information for translating virtual addresses to physical
addresses within a physical address space of the system memory;

offloading, by the general purpose processor, virus processing of a content object to a hardware accelerator coupled to the
general purpose processor by storing virus scanning parameters, including the content object and information regarding a type
of the content object, to the system memory using one or more virtual addresses and indicating to the hardware accelerator
that the content object is available for virus processing;

responsive to said indicating, the hardware accelerator:
translating the one or more virtual addresses to one or more corresponding physical addresses based on the page directory
and the page table;

accessing the virus scanning parameters based on the one or more corresponding physical addresses;
scanning the content object for viruses by applying a plurality of virus signatures against the content object based on the
type of the content object; and

returning a result of the scanning to the general purpose processor by writing the result to the system memory.

US Pat. No. 9,774,724

INTELLIGENT TELEPHONE CALL ROUTING

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a call monitor of a telephone system, a session log containing information regarding sessions between internal
extension numbers and external telephone numbers, wherein each of the internal extension numbers is associated with a telephone
extension within the telephone system and each of external telephone numbers is associated with a telephone outside the telephone
system;

receiving, by the call monitor, an incoming telephone call from a telephone outside the telephone system that is associated
with an external telephone number;

determining, by the call monitor, whether the incoming call represents a call-back to an internal extension number based on
the session log by calculating a probability score that the incoming telephone call is a call-back to an internal extension
number within one or more call session records of the session log containing the external telephone number and comparing the
probability score to a predetermined threshold;

playing a prompt message back to the external telephone number indicating that the incoming phone call is to be routed to
the internal extension number determined by the call monitor; and

when a result of said determining is affirmative, then causing, by the call monitor, the incoming telephone call to be routed
by a switch to the internal extension number.

US Pat. No. 9,602,527

SECURITY THREAT DETECTION

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a network security device, a network traffic log, wherein the network traffic log includes a plurality of
entries each including features associated with one of a plurality of network activities observed within a private network,
wherein the network activities include a plurality of interactions, including requests and responses relating to web resources,
between hosts associated with the private network and external servers hosting the web resources, wherein the features include,
for each of the network activities: (i) a hash of a received file or a hash of a requested Uniform Resource Identifier (URI);
(ii) one or more of a source Internet Protocol (IP) address and a destination IP address and (iii) information regarding a
user within the private network associated with the network activity;

responsive to an event, retrospectively scanning, by the network security device, a subset of the plurality of entries of
the network traffic log in an attempt to identify a threat that was missed by a previous real-time signature-based scan or
a previous real-time reputation-based scan of the observed network activities, wherein the subset of the plurality of entries
includes only those entries of the plurality of entries corresponding to those of the network activities observed within a
particular timeframe; and

when the threat is identified as a result of said retrospectively scanning, then performing, by the network security device,
one or more of a remedial action and a preventive action with respect to the threat.
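The retrospective scan in claim 1 above amounts to re-running a log window against indicators that did not exist when the traffic was first seen. The following Python is an added illustration written for this page, not code from the patent or from Fortinet: the log entries, the indicator set and the `scan_last_days`/`plan_response` helpers are constructed for the example, and the split into "remedial" (isolate hosts that actually received the file) and "preventive" (block the destinations) actions is one reasonable reading of the claim's final step, not a definition it gives.

```python
"""Retrospective scan of a network traffic log against indicators that arrived after the fact."""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample log. Each entry carries the three feature groups the claim names:
# a hash of the received file (or None) plus the requested URI, source/destination IPs, and the user.
MALICIOUS_SAMPLE = sha256_hex(b"constructed-malicious-sample")
BENIGN_SAMPLE = sha256_hex(b"constructed-benign-sample")
TRAFFIC_LOG = [
    {"ts": "2024-02-20T12:00:00", "user": "carol", "src_ip": "10.0.0.9", "dst_ip": "203.0.113.10",
     "uri": "http://cdn.example.net/update.bin", "file_sha256": MALICIOUS_SAMPLE},
    {"ts": "2024-03-01T09:00:00", "user": "alice", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10",
     "uri": "http://cdn.example.net/update.bin", "file_sha256": MALICIOUS_SAMPLE},
    {"ts": "2024-03-01T09:30:00", "user": "bob", "src_ip": "10.0.0.7", "dst_ip": "198.51.100.4",
     "uri": "http://example.com/", "file_sha256": None},
    {"ts": "2024-03-02T08:00:00", "user": "dave", "src_ip": "10.0.0.11", "dst_ip": "203.0.113.10",
     "uri": "http://cdn.example.net/update.bin", "file_sha256": BENIGN_SAMPLE},
]

# Indicators published after the traffic was observed, i.e. what the real-time scan could not know.
NEW_INDICATORS = {
    "file_hashes": {MALICIOUS_SAMPLE},
    "uri_hashes": {sha256_hex(b"http://cdn.example.net/update.bin")},
}

# The 'event' that triggers the scan, e.g. the arrival of the indicator update (constructed timestamp).
EVENT_TIME = datetime(2024, 3, 2, 12, 0, 0)


def retrospective_scan(log, indicators, window_start: datetime, window_end: datetime) -> list[dict]:
    """Re-check only the entries inside [window_start, window_end] against the new indicators."""
    hits = []
    for entry in log:
        observed = datetime.fromisoformat(entry["ts"])
        if not window_start <= observed <= window_end:
            continue
        reasons = []
        if entry["file_sha256"] in indicators["file_hashes"]:
            reasons.append("file-hash")
        if sha256_hex(entry["uri"].encode()) in indicators["uri_hashes"]:
            reasons.append("uri-hash")
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


def plan_response(hits) -> dict[str, list[str]]:
    """Remedial actions for what already happened, preventive ones for what must not happen again."""
    return {
        # only hosts that actually received the malicious file get isolated
        "isolate_hosts": sorted({h["src_ip"] for h in hits if "file-hash" in h["reasons"]}),
        "notify_users": sorted({h["user"] for h in hits}),
        "block_destinations": sorted({h["dst_ip"] for h in hits}),
    }


def scan_last_days(event_time: datetime = EVENT_TIME, days: int = 7):
    """Scan the `days` before the event; narrowing the window is what keeps this affordable on a big log."""
    hits = retrospective_scan(TRAFFIC_LOG, NEW_INDICATORS, event_time - timedelta(days=days), event_time)
    return hits, plan_response(hits)
```

Hashing the URI rather than storing it verbatim keeps the log lookup a set-membership test, but it also means a reputation feed that publishes URL patterns rather than exact URLs cannot be matched this way; an appliance that needs both keeps the raw URI alongside the hash.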

US Pat. No. 9,503,421

SECURITY INFORMATION AND EVENT MANAGEMENT

Fortinet, Inc., Sunnyval...

1. A method comprising:
creating, by a security information and event management (SIEM) device associated with a private network, a work flow, said
work flow including information defining a plurality of security tasks that are to be performed by one or more security devices
associated with the private network and managed by the SIEM device, wherein the plurality of security tasks include operations
that are intended to protect the private network against attacks;

starting, by the SIEM device, the work flow by scheduling the one or more security devices to perform the plurality of security
tasks defined in the work flow; and

collecting, by the SIEM device, results of the plurality of security tasks after they are performed by the one or more security
devices.

US Pat. No. 9,503,477

NETWORK POLICY ASSIGNMENT BASED ON USER REPUTATION SCORE

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a network controller for a protected network having a plurality of users, an association between a plurality
of Virtual Local Area Networks (VLANs) into which the protected network is divided and a plurality of security policies;

retrieving, by a network controller, for a user of the plurality of users, a reputation score associated with said user, wherein
said reputation score is generated based on activities of said user within the protected network;

evaluating, by said network controller, said reputation score; and
assigning, by said network controller, a security policy of the plurality of security policies to the user by assigning the
user to a VLAN of the plurality of VLANs that is associated with the security policy based on evaluation of said reputation
score, wherein the security policy governs a manner in which said user is permitted to interact with the protected network.

US Pat. No. 9,438,612

CALCULATING CONSECUTIVE MATCHES USING PARALLEL COMPUTING

Fortinet, Inc., Sunnyval...

1. A system comprising:
a non-transitory storage device having embodied therein one or more routines; and
one or more processors coupled to the non-transitory storage device and operable to execute the one or more routines, wherein
the one or more routines include:

a data stream and class definition receive module, which when executed by the one or more processors, receives a data stream
having a defined number of data segments and a class definition for the data stream;

a data stream partition module, which when executed by the one or more processors, partitions said received data stream into
a set of data blocks, wherein each data block comprises N data segments;

a data block processing module, which when executed by the one or more processors, processes each data block in parallel,
and for each data block, compute the following in parallel:

a first integer value based on whether each segment value of the data block forms part of the class definition;
a second integer value based on a number of consecutive data segment values that form part of the class definition starting
from a left-hand side of the data block;

a third integer value based on a maximum number of consecutive data segment values in the data block that form part of the
class definition; and

a fourth integer value based on a number of consecutive data segment values that form part of the class definition starting
from a right-hand side of the data block;

a data block integration module, which when executed by the one or more processors, aggregates the first integer value, the
second integer value, the third integer value, and the fourth integer value for each data block in a sequential and associative
manner to determine, for the received data stream, a maximum number of consecutive data segment values in the received data
stream that form part of the class definition, wherein said data block integration module associatively integrates integer
values of a first data block of the set of data blocks with integer values of a second data block of the set of data blocks
to generate updated integer values that are then processed with integer values of a next data block of the set of data blocks,
wherein the first updated integer value represents a result of multiplying the first integer value of said first data block
and the first integer value of said second data block and wherein the second updated integer value represents a result of
multiplying the first integer value of said first data block and the second integer value of said second data block, and adding
the result to the second integer value of said first data block.
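The claim above describes a classic parallel "longest run" computation: each block is reduced to four integers, and those summaries combine associatively, so blocks can be summarised in parallel and merged in any bracketing. The Python below is an added worked example for this page, not the patent's or Fortinet's code; the block summary is the claim's four values (all segments in class, left run, best run, right run), the `combine` function follows the two update rules the claim spells out (first = product of firsts; second = first_A * second_B + second_A) and supplies the symmetric rules for the third and fourth values, and the sample byte string and "printable ASCII" class are constructed for the demonstration.

```python
"""Longest run of in-class segments via per-block summaries that merge associatively."""
from __future__ import annotations

from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Sequence


@dataclass(frozen=True)
class BlockSummary:
    all_in: int   # first value: 1 if every segment of the block is in the class, else 0
    prefix: int   # second value: in-class run starting at the left edge of the block
    best: int     # third value: longest in-class run anywhere inside the block
    suffix: int   # fourth value: in-class run ending at the right edge of the block


def summarize_block(block: Sequence[int], in_class: Callable[[int], bool]) -> BlockSummary:
    """One pass over a block; independent of every other block, so blocks can be done in parallel."""
    flags = [1 if in_class(v) else 0 for v in block]
    n = len(flags)
    prefix = 0
    while prefix < n and flags[prefix]:
        prefix += 1
    suffix = 0
    while suffix < n and flags[n - 1 - suffix]:
        suffix += 1
    best = run = 0
    for f in flags:
        run = run + 1 if f else 0
        best = max(best, run)
    return BlockSummary(all_in=int(prefix == n), prefix=prefix, best=best, suffix=suffix)


def combine(a: BlockSummary, b: BlockSummary) -> BlockSummary:
    """Summary of block A immediately followed by block B. Associative, so any merge order works."""
    return BlockSummary(
        all_in=a.all_in * b.all_in,
        prefix=a.prefix + a.all_in * b.prefix,      # B's left run only counts if all of A is in class
        best=max(a.best, b.best, a.suffix + b.prefix),  # a run may straddle the block boundary
        suffix=b.suffix + b.all_in * a.suffix,
    )


def longest_run(stream: Sequence[int], in_class: Callable[[int], bool],
                block_size: int = 4, workers: int = 4) -> int:
    """Partition, summarise blocks in parallel, then fold the summaries left to right."""
    blocks = [stream[i:i + block_size] for i in range(0, len(stream), block_size)]
    if not blocks:
        return 0
    with ThreadPoolExecutor(max_workers=workers) as pool:
        summaries = list(pool.map(lambda blk: summarize_block(blk, in_class), blocks))
    acc = summaries[0]
    for s in summaries[1:]:
        acc = combine(acc, s)
    return acc.best


def longest_run_naive(stream: Sequence[int], in_class: Callable[[int], bool]) -> int:
    """Sequential reference used to check the parallel version."""
    best = run = 0
    for v in stream:
        run = run + 1 if in_class(v) else 0
        best = max(best, run)
    return best


# Constructed sample: a buffer in which the "class" is printable ASCII, the way a scanner
# would look for a suspiciously long embedded string inside otherwise binary data.
SAMPLE = b"\x00\x01ABCDEFG\x00HI\x00\x00JKLMNOPQRSTUV\xff\xfeWX"


def is_printable(v: int) -> bool:
    return 0x20 <= v <= 0x7E
```

Because `combine` is associative, the fold at the end can itself be a tree reduction across cores; the left-to-right loop is used here only to keep the example short. The same four-value summary works for any per-segment predicate, not just a character class.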

US Pat. No. 9,413,716

SECURING EMAIL COMMUNICATIONS

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining within a private network a database including information regarding each of a plurality of domains, including
legitimate domains and doppelganger domains, wherein the doppelganger domains represent potential malicious domains and include
one or more of a mistyped variation of a fully qualified domain name (FQDN) of a well-known domain and an FQDN spelled identically
to a legitimate FQDN but without a dot between a hostname portion and a domain name portion of the legitimate FQDN, wherein
the information includes an indication regarding perceived legitimacy of the domain and one or more of an indication regarding
configuration status of a mail server associated with the domain, an indication of a registered owner of the domain and an
indication regarding how long the domain has been registered;

receiving, by an email security appliance within the private network, an outbound email message originated by a host computing
system of the private network and directed to a destination external to the private network;

evaluating, by the email security appliance, each of a plurality of target domains specified within a plurality of address
fields of the outbound email message by accessing the database;

when the indication regarding perceived legitimacy for each of the plurality of target domains identifies the target domain
as acceptable to access, then allowing transmission of the outbound email message to the destination; and

when the indication regarding perceived legitimacy for one or more target domains of the plurality of target domains identifies
the one or more target domains as unacceptable to access, then preventing transmission of the outbound email message to the
destination.
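The claim above hinges on two things: a way to enumerate the "doppelganger" variants of a legitimate domain (including the missing-dot case, where `mail.example.com` becomes `mailexample.com`) and a check of every address field of an outbound message against the resulting database. The Python below is an added example for this page, not the patent's or Fortinet's implementation. The variant generator, the `DomainRecord` shape, the address fields it inspects and the sample database and message are all constructed here; the claim mentions mail-server status, registrant and registration age as database fields but does not say how they influence the verdict, so this example records them and decides on the legitimacy flag alone.

```python
"""Doppelganger-domain check applied to outbound email, as an email security appliance would do it."""
from __future__ import annotations

from dataclasses import dataclass
from email import message_from_string
from email.utils import getaddresses
from typing import Optional


@dataclass
class DomainRecord:
    legitimate: bool                        # the 'perceived legitimacy' indication that drives the decision
    mx_configured: Optional[bool] = None    # extra context the claim lists; recorded, not used for the verdict
    registrant: Optional[str] = None
    registered_days: Optional[int] = None


def doppelgangers(fqdn: str) -> set[str]:
    """Variants of `fqdn` a user could plausibly mistype or a squatter could register."""
    labels = fqdn.lower().split(".")
    variants: set[str] = set()
    for i in range(len(labels) - 2):        # dot dropped between hostname and domain; never before the TLD
        variants.add(".".join(labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]))
    sld, tld = labels[-2], labels[-1]        # single-character slips in the registrable label
    for i in range(len(sld)):
        typos = {sld[:i] + sld[i + 1:],                    # dropped character
                 sld[:i] + sld[i] + sld[i:]}               # doubled character
        if i + 1 < len(sld):
            typos.add(sld[:i] + sld[i + 1] + sld[i] + sld[i + 2:])  # transposed neighbours
        variants.update(".".join(labels[:-2] + [t, tld]) for t in typos if t and t != sld)
    return variants


def build_database(legitimate: list[str]) -> dict[str, DomainRecord]:
    db = {d.lower(): DomainRecord(legitimate=True, mx_configured=True) for d in legitimate}
    for d in legitimate:
        for v in doppelgangers(d):
            db.setdefault(v, DomainRecord(legitimate=False))  # never overwrite a legitimate entry
    return db


ADDRESS_FIELDS = ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc")


def evaluate_outbound(raw_message: str, db: dict[str, DomainRecord]) -> tuple[bool, list[str]]:
    """Return (allowed, offending_domains). A domain absent from the database is not flagged."""
    msg = message_from_string(raw_message)
    targets = set()
    for field in ADDRESS_FIELDS:
        for _, addr in getaddresses(msg.get_all(field, [])):
            if "@" in addr:
                targets.add(addr.rsplit("@", 1)[1].lower().rstrip("."))
    blocked = sorted(d for d in targets if d in db and not db[d].legitimate)
    return not blocked, blocked


# Constructed data for the example.
DATABASE = build_database(["example.com", "mail.example.com", "partner.example"])
SAMPLE_MESSAGE = """\
From: alice@example.com
To: Bob <bob@partner.example>
Cc: ops@mailexample.com
Subject: Q3 numbers

Numbers attached.
"""
```

Two practical caveats. First, the variant list grows with every legitimate domain, so the generator is run once when the database is built, not per message. Second, a block decision taken on `To`/`Cc`/`Bcc` alone misses addresses smuggled in via `Reply-To` on an inbound message; that is a separate check, but it is worth remembering that the claim is about outbound traffic only.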

US Pat. No. 9,411,960

VIRUS CO-PROCESSOR INSTRUCTIONS AND METHODS FOR USING SUCH

Fortinet, Inc., Sunnyval...

1. A virus processing system, the virus processing system comprising:
a virus co-processor;
a first memory associated with the virus co-processor and communicably coupled to the virus co-processor via a first memory
interface, wherein the first memory includes a first virus signature compiled for execution on the virus co-processor, wherein
the first virus signature includes at least one primitive instruction and at least one Content Pattern Recognition (CPR) instruction;

a general purpose processor, wherein the general purpose processor is communicably coupled to the virus co-processor;
a second memory associated with the general purpose processor and communicably coupled to the virus co-processor via a second
memory interface and to the general purpose processor, wherein the second memory includes a second virus signature compiled
for execution on the general purpose processor and wherein the second memory includes a page directory and a page table containing
information for translating virtual addresses to physical addresses;

wherein the virus co-processor is operable to retrieve the first virus signature stored within the first memory through an
instruction cache;

wherein the virus co-processor is operable to retrieve a data segment to be scanned for viruses stored within the second memory
through a data cache, wherein retrieving the data segment to be scanned for viruses stored to the second memory by the co-processor
is based on a virtual address and cached information, stored within one or more translation lookaside buffers local to the
virus co-processor, relating to a plurality of most recently used entries of the page directory and the page table; and

wherein the instruction cache and the data cache are separate.

US Pat. No. 9,774,621

UPDATING CONTENT DETECTION DEVICES AND SYSTEMS

Fortinet, Inc., Sunnyval...

1. A content detection system, comprising:
a processor;
a communication interface device;
a content detection module; and
a data storage device storing:
content detection data received by the content detection module of a first update station to detect content and for forwarding
by the first update station to at least a second update station;

instructions to process content received via the communication interface device to:
determine whether received content contains suspicious content data or the suspicious content data is a threat to detect;
generate content detection data as a function of the received data when the suspicious content data contains or is a threat;
based on a list of prescribed geographic locations of the plurality of update stations to receive content detection data updates,
identify, through execution of instructions on the processor, the first update station to receive the content detection data
update;

identify, through execution of instructions on the processor of the network device, the at least one second update station
to receive the content detection data update based on the list of prescribed geographic locations of the plurality of update
stations to receive content detection data updates;

send, from the first update station via the communication interface device, the content detection data update to the at least
one second update stations including data identifying at least one content detection module of a plurality of content detection
modules, coupled through the network to the plurality of update stations, to receive the content detection data update and
at least one instruction to distribute the content detection data update to the identified at least one content detection
module, wherein the distribution is performed not in response to a request from the at least one content detection module.

US Pat. No. 9,742,872

CONFIGURING INITIAL SETTINGS OF A NETWORK SECURITY DEVICE VIA A HAND-HELD COMPUTING DEVICE

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a mobile application running on a hand-held computing device, default initial settings for a network security
device, the default initial settings representing settings that allow the network security device to be remotely managed via
a network to which the network security device is coupled;

displaying, by the mobile application, the default initial settings to a network administrator via a display of the hand-held
computing device;

receiving, by the mobile application, revisions to or acceptance of the default initial settings;
causing, by the mobile application, the network security device to be configured with the revised or accepted default initial
settings by delivering information regarding the revised or accepted default initial settings to the network security device
via a management interface to which the hand-held computing device is coupled via a connecting cable.

US Pat. No. 9,628,292

INTELLIGENT BRIDGING OF WI-FI FLOWS IN A SOFTWARE-DEFINED NETWORK (SDN)

Fortinet, Inc., Sunnyval...

1. A computer-implemented method for intelligent bridging of Wi-Fi flows in a software-defined network (SDN) controller in
a wireless communication network by centrally coordinating data plane behavior, the method comprising the steps of:
receiving a bridging policy of a plurality of policies concerning bridging of at least one specific type of traffic flow for
the wireless communication network;

centrally monitoring data plane traffic flow at each of the plurality of access points distributed around the wireless communication
network;

receiving a new data stream at the SDN controller from an access point of the plurality of access points, the new data stream
being tunneled from the access point in a default tunneling mode for new data streams at the access point, the new data stream
comprising at least one packet sent from a first station to a second station;

matching the bridging policy to the new data stream by identifying characteristics of the new data stream with deep packet
inspection on the at least one packet from the new data stream; and

responsive to matching the new data stream to the bridging policy, converting the tunnel mode to a bridge mode by sending
a rule concerning the new data stream to the access point so that subsequent packets of the new data stream are transferred
at the access point without tunneling additional packets to the SDN controller.

US Pat. No. 9,622,263

EMULATING VIRTUAL PORT CONTROL OF AIRTIME FAIRNESS USING PER STATION ENHANCED DISTRIBUTED CHANNEL ACCESS (EDCA) PARAMETERS

Fortinet, Inc., Sunnyval...

1. A computer-implemented method in access points for controlling uplink medium access of wireless stations connected to a
wireless communication network, comprising:
receiving a specific parameter for each of a plurality of stations connected to the access point;
setting an EDCA (Enhanced Distributed Channel Access) field of a beacon that stores a general EDCA parameter to an empty state;
broadcasting the beacon to a plurality of stations on the wireless communication network and within range of an access point,
the beacon comprising a BSSID (Basic Service Set Identifier) for use by the plurality of stations to connect with the access
point for access to the wireless communication network, wherein the beacon also comprises the empty EDCA field;

in response to broadcasting the empty EDCA parameter, receiving a direct inquiry from each of the plurality of stations for
the general EDCA parameter;

responding to each of the plurality of stations with a direct communication of a specific parameter corresponding to each
station; and

receiving a transmission from at least one of the plurality of stations that complies with the respective specific parameter.

US Pat. No. 9,609,078

HTTP PROXY

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a hypertext transfer protocol version 2 (HTTP/2)-hypertext transfer protocol version 1 (HTTP/1) proxy, an HTTP/2
request message from an HTTP/2-enabled client and directed to an HTTP/1-only server;

translating, by the HTTP/2-HTTP/1 proxy, the HTTP/2 request message into an HTTP/1 request message;
sending, by the HTTP/2-HTTP/1 proxy, the HTTP/1 request message to the HTTP/1-only server;
receiving, by the HTTP/2-HTTP/1 proxy, an HTTP/1 response message from the HTTP/1-only server;
translating, by the HTTP/2-HTTP/1 proxy, the HTTP/1 response message into an HTTP/2 response message; and
sending, by the HTTP/2-HTTP/1 proxy, the HTTP/2 response message to the HTTP/2-enabled client.
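The translation steps in claim 1 above look mechanical, but the security of the proxy lives in them: HTTP/2 frames its body explicitly, while HTTP/1 infers framing from `Content-Length` and `Transfer-Encoding`, so a translator that copies client-supplied framing headers is the textbook setup for request smuggling. The Python below is an added example for this page, not the patent's or Fortinet's proxy; it shows both directions of the translation with the checks a practitioner would want (pseudo-header ordering, CR/LF in values, connection-specific headers, proxy-owned `Content-Length`, de-chunking of the server's response). The `TranslationError` class and the `translation_rejected` helper are names introduced here for the example.

```python
"""HTTP/2 <-> HTTP/1.1 translation with the framing checks an intermediary must enforce."""
from __future__ import annotations

# Connection-specific headers are not allowed in HTTP/2 (RFC 7540, section 8.1.2.2); on the HTTP/1 side
# they are also the classic request-smuggling vector when a proxy inherits framing from the client.
CONNECTION_SPECIFIC = {"connection", "keep-alive", "proxy-connection", "transfer-encoding", "upgrade"}


class TranslationError(ValueError):
    """The message cannot be translated unambiguously; the proxy should fail closed (400 or RST_STREAM)."""


def h2_request_to_h1(headers: list[tuple[str, str]], body: bytes = b"") -> bytes:
    """HTTP/2 header block (pseudo-headers first) plus the complete DATA payload -> HTTP/1.1 request bytes."""
    pseudo: dict[str, str] = {}
    regular: list[tuple[str, str]] = []
    seen_regular = False
    for name, value in headers:
        if name != name.lower() or any(c in name + value for c in "\r\n\0"):
            raise TranslationError(f"malformed header {name!r}")
        if name.startswith(":"):
            if seen_regular or name in pseudo:
                raise TranslationError(f"misplaced or duplicate pseudo-header {name}")
            pseudo[name] = value
            continue
        seen_regular = True
        if name in CONNECTION_SPECIFIC or (name == "te" and value.lower() != "trailers"):
            raise TranslationError(f"connection-specific header {name!r} is malformed in HTTP/2")
        if name == "te":
            continue                        # the one permitted form; the HTTP/1 side gets fixed framing below
        if name == "content-length":
            if not value.isdigit() or int(value) != len(body):
                raise TranslationError("content-length disagrees with the body actually received")
            continue
        regular.append((name, value))
    missing = {":method", ":scheme", ":path"} - pseudo.keys()
    if missing:
        raise TranslationError(f"missing pseudo-headers {sorted(missing)}")
    lines = [f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1"]
    authority = pseudo.get(":authority")
    if authority:
        lines.append(f"Host: {authority}")
    for name, value in regular:
        if name == "host" and authority:
            if value != authority:
                raise TranslationError("Host header disagrees with :authority")
            continue
        lines.append(f"{name.title()}: {value}")
    # The proxy, not the client, decides HTTP/1 framing: a single Content-Length, never Transfer-Encoding.
    if body or pseudo[":method"] in ("POST", "PUT", "PATCH"):
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1") + body


def _dechunk(body: bytes) -> bytes:
    """Decode a chunked HTTP/1.1 body (chunk extensions ignored, trailers dropped)."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2


def h1_response_to_h2(raw: bytes) -> tuple[list[tuple[str, str]], bytes]:
    """Complete HTTP/1.1 response bytes -> HTTP/2 header list plus a body of explicit length."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise TranslationError("incomplete response head")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or not (parts[1].isdigit() and len(parts[1]) == 3):
        raise TranslationError(f"bad status line {status_line!r}")
    headers = [(":status", parts[1])]
    chunked, declared = False, None
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "transfer-encoding":
            chunked = "chunked" in value.lower()
        elif name == "content-length":
            declared = int(value)
        elif name not in CONNECTION_SPECIFIC:
            headers.append((name, value))
    if chunked:
        body = _dechunk(body)
    elif declared is not None and declared != len(body):
        raise TranslationError("content-length disagrees with the body actually received")
    headers.append(("content-length", str(len(body))))  # HTTP/2 length must match the DATA frames sent
    return headers, body


def translation_rejected(headers: list[tuple[str, str]], body: bytes = b"") -> bool:
    try:
        h2_request_to_h1(headers, body)
    except TranslationError:
        return True
    return False
```

The design choice to notice is that the proxy buffers the whole HTTP/2 body before emitting `Content-Length`; streaming would require chunked encoding towards the origin, which is exactly the framing the checks above refuse to take from the client. A real deployment also caps the buffered body size so this does not become a memory-exhaustion vector.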

US Pat. No. 9,584,536

PRESENTATION OF THREAT HISTORY ASSOCIATED WITH NETWORK ACTIVITY

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a computing device, threat information in a database comprising one or more of firewall logs and historical
threat logs;

receiving information regarding a plurality of threat filtering parameters, by the computing device, wherein the information
includes one or more of types of threats to be extracted from the database, parameters of the threats, network-level details
of the threats, a time interval of detection of the threats and source-destination details of the threats;

extracting, by the computing device, information regarding a plurality of threats from the database based on the plurality
of threat filtering parameters; and

presenting, by the computing device, the extracted information in a form of a historical graph illustrating a number of threats
by type during a particular period of time; and

receiving from a user, by the computing device, an indication regarding a selected subset of the particular period of time
in which to zoom into for further details; and

responsive to the indication regarding the selected subset, presenting, by the computing device, the further details in a
form of a list of threats of the plurality of threats corresponding to the selected subset, wherein the list of threats is
presented in tabular form, grouped and counted by type of threat and ordered by group in accordance with associated risk levels
of the threats in the list of threats.

US Pat. No. 9,467,895

INCREASING ACCESS POINT THROUGHPUT BY EXCEEDING A-MPDU BUFFER SIZE LIMITATION IN A 802.11 COMPLIANT STATION

Fortinet, Inc., Sunnyval...

1. A computer-implemented method for exceeding A-MPDU buffer size limitation in an IEEE 802.11 compliant device, comprising:
storing a plurality of TCP packets or UDP packets received in a buffer for transmission;
aggregating the plurality of TCP packets as A-MSDU sub-frames to form an A-MSDU frame in accordance with an IEEE 802.11 standard;
aggregating a plurality of A-MSDU frames as A-MPDU sub-frames to form an A-MPDU frame, wherein the A-MPDU frame is compliant
with a number of allowable sub-frames and a maximum size in accordance with an IEEE 802.11 standard; and

sending the A-MPDU frame for transmission as an IEEE 802.11 packet; and
providing high throughput service to a virtual port by selecting a BSSID (Blind Service Set IDentifier) from a plurality of
BSSIDs managed by an access point, wherein the selected BSSID is unique to a single station and allows a high throughput service
by utilizing A-MSDU and A-MPDU frame aggregations, and wherein at least one of the plurality of BSSIDs managed by the access
point does not allow high throughput service.

US Pat. No. 9,438,563

FIREWALL POLICY MANAGEMENT

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a firewall device within a private Internet Protocol (IP) network of an enterprise, a log of network traffic
observed by the firewall device by storing, for each network traffic flow, information regarding one or more of traffic volume,
a source interface, a destination interface, a source IP address, a destination IP address, an application name, an application
type, port information, one or more timestamps and a username associated with the network traffic flow;

receiving, by the firewall device, a request from a network administrator for a report to be generated based on the log, the
request containing information indicative of report parameters including (i) a specified time frame, (ii) user information
indicative of an identity of one or more users within the enterprise; and (iii) application information indicative of one
or more particular applications or one or more types of applications associated with the logged network traffic;

extracting, by the firewall device, information regarding network traffic flows from the log satisfying the report parameters;
presenting, by the firewall device, a customized and interactive hierarchical report to the network administrator via a graphical
user interface (GUI) of the firewall device, the customized and interactive hierarchical report including (i) a plurality
of aggregated network traffic items; and (ii) a plurality of action objects each corresponding to one of the plurality of
aggregated network traffic items, wherein information associated with the plurality of aggregated network traffic items is
determined by individually aggregating each of a plurality of traffic aggregation parameters for each observed value of a
primary report parameter within the extracted information, wherein the plurality of traffic aggregation parameters, include
one or more traffic volume and percentage of traffic volume;

responsive to interaction by the network administrator with a particular action object of the plurality of action objects:
receiving, by the firewall device, a request to define an appropriate firewall policy for the corresponding aggregated network
traffic item of the plurality of aggregated network traffic items; and

presenting, by the firewall device, to the network administrator via the GUI a plurality of options regarding actions to be
taken on matching network traffic that is subsequently observed by the firewall device traffic, wherein the plurality of options
include one or more of blocking the matching network traffic, allowing the matching network traffic in accordance with a particular
schedule and enforcing a bandwidth limitation on the matching network traffic; and

responsive to receiving, by the firewall device, an indication from the network administrator regarding one or more selected
options of the plurality of options, defining and establishing the appropriate firewall policy, wherein the appropriate firewall
policy comprises one or more rules to identify the matching network traffic and one or more corresponding actions to be taken
on the matching network traffic based on the one or more selected options.

US Pat. No. 9,392,024

POLICY-BASED SELECTION OF REMEDIATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
collecting, by a light weight sensor (LWS) running on a host asset of a plurality of monitored host assets within an enterprise
network, information regarding a program-code-based operational state of the host asset via a survey tool installed on the
host asset;

transmitting, by the LWS, the information to a remote server that is in a client-server relationship with the LWS via an external
network coupling the enterprise network and the remote server in communication; and

enforcing, by the remote server, a plurality of security policies with respect to the host asset based on the received information
including determining whether the program-code-based operational state of the host asset represents a violation of one or
more security policies of the plurality of security policies, by evaluating, the received information with respect to the
plurality of security policies, wherein each security policy of the plurality of security policies define at least one parameter
condition violation of which is potentially indicative of unauthorized activity on the host asset or manipulation of the host
asset making the host asset vulnerable to attack.

US Pat. No. 9,386,014

SOFT TOKEN SYSTEM

Fortinet, Inc., Sunnyval...

1. A method comprising:
obtaining, by a soft token application installed on a mobile device, via an Application Programming Interface (API) of an
operating system of the mobile device, a unique device ID of the mobile device that uniquely identifies the mobile device;

requesting, by the soft token application via an Internet Protocol (IP)-based network to which the mobile device is connected,
a seed from a provisioning server coupled to the IP-based network, wherein the seed is for generating a One-Time Password
(OTP) for accessing a secure network resource;

receiving, by the mobile device, the seed in encrypted form based on a secret key, the unique device ID and a hardcoded-pre-shared
key;

decrypting, by the soft token application, the received encrypted seed and installing the seed within the soft token application;
binding, by the soft token application, the seed to the mobile device by encrypting the seed with the unique device ID; and
generating, by the soft token application, the OTP based on the bound seed.

US Pat. No. 9,305,159

SECURE SYSTEM FOR ALLOWING THE EXECUTION OF AUTHORIZED COMPUTER PROGRAM CODE

Fortinet, Inc., Sunnyval...

1. A method comprising:
monitoring, by a kernel mode driver of a computer system, a set of events occurring within one or more of a file system accessible
by the computer system and an operating system that manages resources of the computer system;

in connection with said monitoring, responsive to observation, by the kernel mode driver, of an event of the set of events
performed by or initiated by an active process running on the computer system, wherein the active process corresponds to a
first code module stored within the file system and the event relates to a second code module stored within the file system,
performing or bypassing a real-time authentication process on the second code module with reference to a whitelist containing
content authenticators of approved code modules, which are known not to contain viruses or malicious code;

allowing, by the kernel mode driver, the active process to load the second code module into a memory of the computer system
(i) when the real-time authentication process is bypassed or (ii) when the real-time authentication process is performed and
determines a content authenticator of the code module matches one of the content authenticators of approved code modules within
the whitelist; and

preventing, by the kernel mode driver, the active process from loading the second code module into the memory when the real-time
authentication process is performed and determines the content authenticator does not match any of the content authenticators
of approved code modules within the whitelist.

US Pat. No. 9,948,576

MECHANISM FOR ENABLING LAYER TWO HOST ADDRESSES TO BE SHIELDED FROM THE SWITCHES IN A NETWORK

Fortinet, Inc., Sunnyval...

1. A method comprising:receiving, by an edge network device interposed between a network of switches and a plurality of local hosts, from a first local host of the plurality of local hosts, a first packet destined for a first destination host, wherein the first local host has a first layer 2 (L2) address and a first layer 3 (L3) address associated therewith, and wherein the first packet includes the first L2 address as a source L2 address of the first packet, and includes the first L3 address as a source L3 address of the first packet;
reducing a number of L2 addresses that need to be stored by forwarding tables of the switches, by the edge network device, by exposing fewer L2 addresses to the switches, including replacing the source L2 address of the first packet with a first substitute L2 address that is shared by a first set of the plurality of local hosts associated with a first communication channel of the edge network device; and
transmitting, by the edge network device, the first packet to the network of switches via a first edge link coupled to the first communication channel.
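The claim above shields local hosts' MAC addresses from the switch fabric by rewriting the source L2 address on egress to one substitute address per channel. What the claim leaves implicit, and what matters in practice, is the return path: once several hosts share one L2 address, the edge device needs the packet's L3 address to put the real destination MAC back, and that binding is learned from source addresses a local host controls. The Python below is an added example for this page, not the patent's or Fortinet's implementation: the frame builder, the `EdgeDevice` class, the topology, the MAC/IP values and the conflict check that refuses a host claiming another host's IP are all constructed here, and the example handles IPv4 frames only.

```python
"""Edge device that hides local hosts' MAC addresses behind one substitute address per channel."""
from __future__ import annotations

import struct
from dataclasses import dataclass, field

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")    # minimal 20-byte IPv4 header
ETHERTYPE_IPV4 = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ipv4_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4 frame for the example (protocol 17, checksum left at zero)."""
    src, dst = bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))
    header = IPV4.pack(0x45, 0, IPV4.size + len(payload), 0, 0, 64, 17, 0, src, dst)
    return ETH.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + header + payload


@dataclass
class EdgeDevice:
    channel_mac: dict[int, bytes]          # channel -> substitute L2 address exposed to the switches
    host_channel: dict[bytes, int]         # real host MAC -> channel it sits behind
    l3_to_l2: dict[bytes, bytes] = field(default_factory=dict)  # learned: host IP -> real MAC

    def egress(self, frame: bytes) -> tuple[int, bytes]:
        """Local host -> switch fabric: learn the host's L3 address, swap in the channel's L2 address."""
        dst, src, ethertype = ETH.unpack_from(frame)
        if ethertype != ETHERTYPE_IPV4:
            raise ValueError("example rewrites IPv4 frames only")
        if src not in self.host_channel:
            raise PermissionError("frame from unknown local host dropped")
        channel = self.host_channel[src]
        src_ip = frame[ETH.size + 12:ETH.size + 16]
        # The binding is learned from source addresses, so a local host must not be able to claim
        # another host's IP and divert its return traffic: refuse a conflicting binding.
        if self.l3_to_l2.get(src_ip, src) != src:
            raise PermissionError(f"{src.hex(':')} claims an IP already bound to another host")
        self.l3_to_l2[src_ip] = src
        return channel, ETH.pack(dst, self.channel_mac[channel], ethertype) + frame[ETH.size:]

    def ingress(self, frame: bytes) -> bytes:
        """Switch fabric -> local host: restore the real destination MAC from the packet's L3 address."""
        dst, src, ethertype = ETH.unpack_from(frame)
        if dst not in self.channel_mac.values():
            raise PermissionError("frame not addressed to a substitute L2 address dropped")
        dst_ip = frame[ETH.size + 16:ETH.size + 20]
        real = self.l3_to_l2[dst_ip]          # KeyError: no local host behind this address
        return ETH.pack(real, src, ethertype) + frame[ETH.size:]


# Constructed topology: two hosts on channel 1, one on channel 2, a router beyond the switches.
HOST_A, HOST_B, HOST_C = mac("00:11:22:33:44:01"), mac("00:11:22:33:44:02"), mac("00:11:22:33:44:03")
ROUTER = mac("00:aa:bb:cc:dd:ee")
SUBSTITUTE = {1: mac("02:ed:6e:00:00:01"), 2: mac("02:ed:6e:00:00:02")}


def make_edge() -> EdgeDevice:
    return EdgeDevice(channel_mac=SUBSTITUTE, host_channel={HOST_A: 1, HOST_B: 1, HOST_C: 2})


def egress_rejected(edge: EdgeDevice, frame: bytes) -> bool:
    try:
        edge.egress(frame)
    except PermissionError:
        return True
    return False
```

The switches now see two MAC addresses for three hosts, which is the point of the claim; the cost is that the edge device has become the authority on which L3 address belongs to which host, so the learned table needs the same protection a DHCP-snooping or IP-source-guard binding table gets (authoritative population, ageing, and no silent overwrite), which the conflict check above only sketches.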

US Pat. No. 9,948,607

SYSTEM AND METHOD FOR SECURING VIRTUALIZED NETWORKS

Fortinet, Inc., Sunnyval...

1. A method comprising:receiving, by a network automation engine of a software defined network (SDN) controller associated with a dynamic virtualized network that is overlaid on a physical network, a current network policy of the dynamic virtualized network, wherein the current network policy includes a plurality of network policy elements and each of the plurality of network policy elements identifies (i) an authorized endpoint of a plurality of authorized endpoints within the dynamic virtualized network, (ii) a network access device of a plurality of network access devices within the dynamic virtualized network, and (iii) a port of the network access device with which the authorized endpoint is associated;
generating, by the network automation engine, a network security policy for the dynamic virtualized network based on the current network policy, by, for each network access device of the plurality of network access devices:
determining whether to create one or more security measures for the network access device by evaluating those of the plurality of network policy elements involving the network access device, wherein each of the one or more security measures specifies how network traffic in the dynamic virtualized network is to be processed by a port of a plurality of ports of the network access device; and
when said determining is affirmative, creating the one or more security measures; and
applying, by the network automation engine, the network security policy to each network access device of the plurality of network access devices that is affected by the network security policy.

US Pat. No. 9,860,813

SEAMLESS MOBILITY IN WIRELESS NETWORKS

Fortinet, Inc., Sunnyval...

1. A computer-implemented method in a system coordinator on a wireless communication network and in communication remotely
with a plurality of access points, the method comprising the steps of:
connecting with the plurality of access points for management through a set of communication links between the plurality of
access points and the system coordinator,

wherein the plurality of access points send beacon messages to be received by wireless devices, the beacon messages indicating
availability of multiple identifiers, wherein the access point customizes the beacon messages on a per-wireless-device basis,
in response to different communication parameters to be assigned to different wireless devices, and wherein communication
parameters include at least one of access control, backoff or retry parameters, channel selection parameters, quality of service,
and transmit power;

coordinating connections with wireless devices desiring contact with that communication network through the plurality of access
points, wherein the plurality of access points on the wireless network appear to be identical to the wireless devices; and

conducting, by the system coordinator, a soft handoff to a particular access point of the plurality of access points from
a second access point of the plurality of access points, wherein in response to the soft handoff, the particular access point
maintains an identifier for the particular wireless device, the identifier being previously maintained at the second access
point that disassociates with the particular wireless device responsive to the soft handoff, wherein the soft handoff is transparent
to the particular wireless device,

wherein the particular access point associates with the particular wireless device by responding to a message sent by the
particular wireless device without any type of configuration by the particular wireless device.

US Pat. No. 9,860,212

FILTERING HIDDEN DATA EMBEDDED IN MEDIA FILES

Fortinet, Inc., Sunnyval...

1. A method comprising:
intercepting network traffic, by a network security device protecting a private network, directed to an intended recipient
associated with the private network;

identifying, by the network security device, existence of a media file within the network traffic;
performing a pre-match inspection, by the network security device, of the media file by:
generating a signature of the media file; and
detecting presence of a potentially malicious hidden data item in a form of encoded data within one or more of a digital watermark,
steganography and a barcode embedded in the media file by comparing the generated signature with a plurality of signatures
of known unsafe media files;

when no threat is identified as being associated with the media file by the pre-match inspection, then determining, by the
network security device, whether the potentially malicious hidden data item violates a security policy of a plurality of security
policies of the private network enforced by the network security device by performing local content inspection processing
of the media file by decoding the encoded data and applying a content filter to a result of said decoding;

when no threat is identified as being associated with the media file by the local content inspection processing, causing,
by the network security device, a remote or cloud-based network security appliance external to the private network to perform
further evaluation of the media file by sending the media file or the generated signature to the remote or cloud-based network
security appliance;

when no threat is identified as being associated with the media file by the remote or cloud-based network security appliance,
then allowing, by the network security device, the network traffic to be delivered to the intended recipient; and

when a threat is identified as being associated with the media file by any of the pre-match inspection, the local content
evaluation and the remote or cloud-based network security appliance, then blocking, by the network security device, delivery
of the network traffic to the intended recipient.

US Pat. No. 9,860,215

FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS

Fortinet, Inc., Sunnyval...

1. A method comprising:
providing, by a firewall interposed between a private network and an external network, network-layer protection against unauthorized
access by external hosts associated with the external network to a plurality of hosts associated with the private network
by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the plurality
of hosts;

providing, by the firewall, application-layer protection from the external network on behalf of the plurality of hosts and
supporting Voice over IP (VoIP) services by processing signaling protocols associated with VoIP sessions, including

distinguishing among VoIP packets and non-VoIP packets,
parsing the VoIP packets, and
enabling bi-directional VoIP communications among one or more of the plurality of hosts and one or more of the external hosts
by performing content-aware NAT, including changing data in headers of the VoIP packets and also changing data contents in
the VoIP packets corresponding to the data changed in the headers;

receiving, by an external VoIP interface of the firewall, a plurality of incoming VoIP packets each being associated with
one of a plurality of VoIP ports;

causing each of the plurality of incoming VoIP packets to be directed to an appropriate host of the plurality of hosts by
performing by the firewall port address forwarding based on a mapping of the plurality of VoIP ports to corresponding private
addresses of the plurality of hosts.

US Pat. No. 9,774,570

ACCELERATING DATA COMMUNICATION USING TUNNELS

Fortinet, Inc., Sunnyval...

1. A computer-implemented method comprising:
establishing, between a first wide area network (WAN) acceleration device operable at an edge of a first subnet of an enterprise
network and a second WAN acceleration device operable at an edge of a second subnet of the enterprise network, a private tunnel,
wherein the private tunnel is used by the first and second WAN acceleration devices to convey application layer data for a
particular connection-oriented application layer protocol of a plurality of connection-oriented application layer protocols
known to behave poorly within a WAN environment and that are capable of being accelerated by the first and second WAN acceleration
devices;

receiving, by a flow classification module executing on the first WAN acceleration device at an Internet Protocol (IP) layer
of a protocol stack of the first WAN acceleration device, packets from the second WAN acceleration device via the private
tunnel;

passing, by the flow classification module, the packets to a transport layer of the protocol stack via a WAN socket executing
on the first WAN acceleration device at the transport layer, wherein the WAN socket represents an interface between the first
and second WAN acceleration devices for connection-oriented application layer protocol traffic;

based on the particular application layer protocol with which the packets are associated, passing, by the WAN socket, the
packets to an application handler of a plurality of application handlers executing on the first WAN acceleration device at
an application layer of the protocol stack, each of the plurality of application handlers implementing one or more application
acceleration techniques for an associated application layer protocol of the plurality of connection-oriented application layer
protocols; and

securely accelerating the connection-oriented application layer protocol traffic, by the application handler, by performing
the one or more application acceleration techniques, classifying data streams into different stages including tagging a data
stream as being at a stage in which associated data is unlikely repeatable, repeatable but not stable or stable and applying
one or more security functions.

US Pat. No. 9,729,508

POLICY-BASED CONTENT FILTERING

Fortinet, Inc., Sunnyval...

1. A computer-implemented method comprising:
maintaining, by a firewall device within a user space of the firewall device, a plurality of configuration schemes, wherein
each of the plurality of configuration schemes comprises a listing of a plurality of network service protocols, and wherein
each of the plurality of configuration schemes defines, for each particular network service protocol in the plurality of network
service protocols, a set of administrator-configurable application-level content filtering process settings that indicates
one or more particular application-level content filtering processes to perform;

maintaining, by the firewall device within a kernel of the firewall device, a security policy database including information
defining a plurality of firewall security policies, wherein the information defining the plurality of firewall security policies
includes, for each one of the plurality of firewall security policies, information identifying an associated one of the plurality
of configuration schemes and an action to take with respect to a particular network session based on one or more of a set
of one or more source Internet Protocol (IP) addresses, a set of one or more destination IP addresses and a network service
protocol; and

performing, by the firewall device, policy-based application-level content filtering of a plurality of network sessions by,
for each network session of the plurality of network sessions:

identifying, by the kernel, a firewall security policy from among the plurality of firewall security policies that matches
traffic associated with the network session;

when the action to take of the matching firewall security policy indicates the network session is allowable, then:
redirecting, by the kernel, the network session to a proxy of a plurality of proxies running within the firewall device;
identifying, by the proxy, a plurality of application-level content filtering processes to be performed on the traffic as
specified by the configuration scheme specified by the matching firewall security policy; and

applying, by the proxy, the identified plurality of application-level content filtering processes to the traffic.

US Pat. No. 9,667,604

TUNNEL INTERFACE FOR SECURING TRAFFIC OVER A NETWORK

Fortinet, Inc., Sunnyval...

1. A method comprising:
instantiating, within each of a plurality of service processing switches of a service provider, a plurality of virtual routers
(VRs), wherein each VR of the plurality of VRs is supported by an object group and each object of the object group supports
a network service;

assigning one or more VRs of the plurality of VRs to a subscriber of a plurality of subscribers of the service provider;
receiving, by a service management system (SMS) of the service provider, a request to establish a Virtual Private Network
(VPN) connection between a first premises of the subscriber and a second premises of the subscriber; and

establishing a tunnel in support of the VPN connection between a first service processing switch of the plurality of service
processing switches and a second service processing switch of the plurality of service processing switches coupled in communication
with the first service processing switch through a public Internet Protocol (IP) network, including:

configuring a first packet routing node of the first service processing switch, for as long as the VPN connection is maintained,
(i) to cause all packets transmitted via the tunnel from the first premises to the second premises to be encrypted prior to
transmission through the public IP network and (ii) to cause all packets received via the tunnel from the second premises
to be decrypted; and

configuring a second packet routing node of the second service processing switch, for as long as the VPN connection is maintained,
(i) to cause all packets transmitted via the tunnel from the second premises to the first premises to be encrypted prior to
transmission through the public IP network and (ii) to cause all packets received via the tunnel from the first premises to
be decrypted.

US Pat. No. 9,584,473

FACILITATING CONTENT ACCESSIBILITY VIA DIFFERENT COMMUNICATION FORMATS

Fortinet, Inc., Sunnyval...

1. A method comprising:
causing client requests for content published by a content publisher in Internet Protocol version 4 (IPv4) format and hosted
by an IPv4 server to be directed or redirected to a traffic management node of a plurality of geographically distributed traffic
management nodes by configuring a first domain name of the content publisher to point to a second domain name associated with
the traffic management node via a canonical name (CNAME) record of a domain name system (DNS);

receiving, by the traffic management node, a request for the content from a client that has been directed or redirected to
the traffic management node as a result of said configuring;

determining, by the traffic management node, communication capabilities of the client based on an ability of the client to
access a set of test content; and

based on the determined communication capabilities and a traffic management policy specified by the content publisher, directing,
by the traffic management node, the request to an Internet Protocol version 6 (IPv6) proxy server or the IPv4 server, wherein
the IPv6 proxy server hosts the web page content in IPv6 format, wherein the content was obtained by the IPv6 proxy server
from the IPv4 server and translated from the IPv4 format to the IPv6 format.

US Pat. No. 9,521,159

CLOUD BASED LOGGING SERVICE

Fortinet, Inc., Sunnyval...

1. A system for managing access to a cloud-based logging service through a network security gateway appliance comprising:
one or more microprocessors; and
one or more internal data storage devices operatively coupled to the one or more microprocessors and storing:
a cloud-based logging service settings module configured to make the cloud-based logging service accessible to the network
security gateway appliance via an interface of the network security gateway appliance by integrating the cloud-based logging
service within the network security gateway appliance, the integrating including creating an account within the cloud-based
logging service by registering the network security gateway appliance itself as a user of the cloud-based logging service
in order to allow the network security gateway appliance access to the cloud-based logging service;

a cloud-based logging service access module configured to receive, via the interface, a request to access the cloud-based
logging service, wherein the cloud-based logging service access module is further configured to analyze the request and retrieve
logs from the cloud-based logging service for processing, wherein registration of the network security gateway appliance with
the cloud-based logging service allows an administrator of the network security gateway appliance to access the cloud-based
logging service via the interface without separately registering with the cloud-based logging service; and

an output module configured to receive processed logs at the network security gateway appliance and output the processed logs
by the output module.

US Pat. No. 9,509,638

HETEROGENEOUS MEDIA PACKET BRIDGING

Fortinet, Inc., Sunnyval...

1. A network routing/switching blade server comprising:
a plurality of network modules, including:
a first set of network modules implemented within a first server blade and operable to receive, via a first set of line interface
ports, network packets having a first framing media format of a plurality of framing media formats; and

a second set of network modules implemented within a second server blade and operable to transmit, via a second set of line
interface ports, network packets having a second framing media format of the plurality of framing media formats;

a plurality of processing resources implemented within one or more server blades coupled to the plurality of network modules
and shared by the plurality of network modules, including a first processing resource upon which a virtual bridging application
executes, the virtual bridging application representing a single bridging domain for all network packets received by the network
routing/switching blade server;

a non-transitory memory, accessible to the first processing resource, having stored therein one or more translation data structures
defining translations between the first framing media format and an intermediate format and between the intermediate format
and the second framing media format;

a switching fabric server blade, coupled to the plurality of network modules, forwarding the network packets received from
the first set of network modules to one or more of the plurality of processing resources;

wherein responsive to receiving a network packet, the first set of network modules pass the network packet to the virtual
bridging application through the switching fabric server blade;

the virtual bridging application determines a relay location to which the network packet is to be relayed and whether the
relay location is among the second set of network modules, which are associated with a disparate framing media format and
a disparate media channel than that of the first set of network modules; and

responsive to an affirmative determination that the relay location is among the second set of network modules, the virtual
bridging application uses the one or more translation data structures to translate the network packet to the second framing
media format before relaying the network packet to the relay location.

US Pat. No. 9,497,192

DATA LEAK PROTECTION

Fortinet, Inc., Sunnyval...

1. A data leak protection method comprising:
receiving, by a network security device protecting an enterprise network, information regarding a watermark filtering rule,
including a sensitivity level and an action to be applied to files observed by the network security device satisfying the
watermark filtering rule;

receiving, by the network security device, network traffic originating within the enterprise network, directed to a destination
device residing outside of the enterprise network and containing a file attempted to be passed through the network security
device;

extracting, by the network security device, a watermark embedded within the received file;
comparing, by the network security device, a sensitivity level associated with the watermark to the sensitivity level of the
watermark filtering rule; and

when the comparing results in a match, then performing, by the network security device, the action specified by the watermark
filtering rule.

US Pat. No. 9,462,007

HUMAN USER VERIFICATION OF HIGH-RISK NETWORK ACCESS

Fortinet, Inc., Sunnyval...

1. A network security appliance comprising:
a non-transitory storage device having embodied therein one or more routines;
one or more hardware processors coupled to the non-transitory storage device and operable to execute the one or more routines;
and

wherein the one or more routines include:
a network traffic control module, which when executed by the one or more hardware processors, identifies a high-risk network
access initiated by a device associated with a private network protected by the network security appliance, wherein the high-risk
network access poses a risk to the device, a human user of the device or the private network;

a human user test engine, which when executed by the one or more hardware processors:
sends a human user test message to the human user of the device to verify that the high-risk network access was initiated
by or is otherwise authorized by the human user of the device;

sends a correct response to the human user of the device;
receives a response to the human user test message, wherein one or more of the correct response and the response is sent or
received, respectively, through an alternative channel different from a channel through which the high-risk network access
was initiated; and

determines whether the response is the correct response to the human user test message; and
a risk management module, which when executed by the one or more hardware processors, allows the high-risk network access
when the response is correct.

US Pat. No. 9,413,726

DIRECT CACHE ACCESS FOR NETWORK INPUT/OUTPUT DEVICES

Fortinet, Inc., Sunnyval...

1. A method comprising:
defining, by a network Input/Output (I/O) device of a network security device, a set of direct cache access (DCA) control
settings for each of a plurality of I/O device queues of the network I/O device based on network security functionality performed
by corresponding central processing units (CPUs) of a host processor of the network security device, wherein the set of DCA
control settings specifies one or more portions of network packets that are to be copied to a cache of the corresponding CPU
and wherein the network security functionality comprises one or more of firewall processing, virtual private networking (VPN),
antivirus processing, intrusion prevention processing, content filtering, data leak prevention, antispam processing and network
access control;

receiving, by the network I/O device, a packet;
queuing, by the network I/O device, information associated with the packet onto an I/O device queue of the plurality of I/O
device queues;

transferring, from the I/O device queue, the information associated with the packet to a host memory of the network security
device operatively coupled with the host processor; and

based on the set of DCA control settings for the I/O device queue, copying to the cache of the corresponding CPU, by a host
controller of the network security device, only those portions of the information corresponding to the one or more specified
portions.

US Pat. No. 9,363,277

SYSTEMS AND METHODS FOR DETECTING AND PREVENTING FLOODING ATTACKS IN A NETWORK ENVIRONMENT

Fortinet, Inc., Sunnyval...

1. A method for processing network traffic data, comprising:
receiving a packet to initiate a new session associated with an Internet Protocol (IP) address;
when the packet is not a previously dropped packet being retransmitted, dropping the packet;
when the packet is a previously dropped packet being retransmitted and when a number N of concurrent sessions for active concurrent
sessions associated with the IP address is less than a concurrent session threshold T1, passing the packet toward an intended recipient;

when the packet is a previously dropped packet being retransmitted and when the number N of concurrent sessions for active
concurrent sessions associated with the IP address is greater than a concurrent session threshold T1:

determining a rate R at which the number of sessions N are received within a time period t including a session of the received
packet, where R=N÷t;

when the session rate threshold R is less than the prescribed session rate threshold T2 (R
classifying the packet as possibly associated with a flooding attack when the session rate threshold R is greater than or
equal to the prescribed session rate threshold T2 (R>T2) and performing a preventative action with regard to the packet.

US Pat. No. 9,948,662

PROVIDING SECURITY IN A COMMUNICATION NETWORK

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a network security device within an enterprise network, an application protocol request directed to an external network that is originated by a client device associated with the enterprise network;
determining, by the network security device, based on the application protocol request whether a network parameter of the external network is associated with a set of trusted networks; and
selectively disabling, by the network security device, application of a subset of security features of a plurality of security features to be applied to network traffic exchanged between the client device and the external network while the client device is accessing the external network when a result of said determining is affirmative, wherein the subset of security features are selected based on a trust level associated with the external network.

US Pat. No. 9,729,655

MANAGING TRANSFER OF DATA IN A DATA NETWORK

Fortinet, Inc., Sunnyval...

1. A network gateway device, implemented at least partially in hardware, for managing a transfer of data over the data network,
the network gateway device comprising:
a processor;
a signature analyzer comprising a policy manager to store policies and associated signatures, including a first policy that
diverts data transfers between a plurality of nodes on the data network to a proxy server which scans for malicious code associated
with at least one signature;

a network interface, communicatively coupled to the processor and the data network, to receive packets transmitted between
the plurality of nodes of the data network;

a session identifier communicatively coupled to receive the packet from the network interface and to identify data associated
with a first communication session between a first node and a second node of the data network,

wherein the signature analyzer further comprises a comparator, the signature analyzer to receive the identified data of the
first communication session and the comparator comparing the identified data against signatures from a signature database,
the signature analyzer to produce a control signal responsive to a policy associated with a signature matching the identified
data; and

a session controller, responsive to receiving the control signal indicating the signature match, to perform further processing
of the identified data, and responsive to the second input not receiving the control signal, the session controller sending
the identified data over the second output without further processing.

US Pat. No. 9,609,084

OPTIMIZING MULTIMEDIA STREAMING IN WLANS (WIRELESS LOCAL ACCESS NETWORKS) WITH A REMOTE SDN (SOFTWARE-DEFINED NETWORKING) CONTROLLER

Fortinet, Inc., Sunnyval...

1. A computer-implemented method in an access point of a communication network having a remote SDN (Software-Defined Networking)
controller for optimizing multimedia downloads at data planes of a plurality of network devices including the access point,
the method comprising the steps of:
detecting, by a processor of the access point, a new flow concerning a specific multimedia file being downloaded from the
access point to a station over a Wi-Fi connection;

sending, by network hardware of the access point, one or more packets from the new flow to the SDN controller;
receiving, by the network hardware, one or more OpenFlow rules to implement a specific treatment of the new flow responsive
to a determination of a characteristic of the specific multimedia file, the one or more OpenFlow rules being implemented at
the data plane of the access point;

adjusting, by the processor, treatment of the new flow at the data plane of the access point responsive to the one or
more OpenFlow rules;

detecting, by the processor, subsequent packets from the new flow at the access point for download to the station; and
sending, by the network hardware, the subsequent packets to the station responsive to the one or more OpenFlow rules.

US Pat. No. 9,497,166

FIREWALL INTERFACE CONFIGURATION TO ENABLE BI-DIRECTIONAL VOIP TRAVERSAL COMMUNICATIONS

Fortinet, Inc., Sunnyval...

1. A method comprising:
providing, by a firewall interposed between an internal network and an external network, network-layer protection against
unauthorized access by hosts associated with the external network to a plurality of internal hosts associated with the internal
network by performing network address translation (NAT) processing of Internet Protocol (IP) addresses associated with the
plurality of internal hosts;

providing, by the firewall, application-layer protection from the external network on behalf of the plurality of internal
hosts and supporting Voice over IP (VoIP) services without compromising internal network security by actively processing signaling
protocols associated with VoIP sessions, including

distinguishing among VoIP packets and non-VoIP packets,
understanding and parsing the VoIP packets within the firewall, and
performing content-aware NAT within the firewall by changing data in headers of the VoIP packets and also changing data contents
in the VoIP packets corresponding to data changed in the headers to enable bi-directional VoIP communications among one or
more of the plurality of internal hosts and one or more of the hosts associated with the external network;

providing a plurality of VoIP ports to an external VoIP interface of the firewall;
receiving by the external VoIP interface incoming VoIP packets each having associated therewith one of the plurality of VoIP
ports;

causing each of said received multiple incoming VoIP packets to be directed to an appropriate internal host of the plurality
of internal hosts by performing by the firewall port address forwarding based on a mapping of the VoIP ports to private addresses
of the plurality of internal hosts.

US Pat. No. 9,497,212

DETECTING MALICIOUS RESOURCES IN A NETWORK BASED UPON ACTIVE CLIENT REPUTATION MONITORING

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a monitoring unit within a protected private network, a plurality of policies in a form of rules, wherein
each policy of the plurality of policies is configurable by a network administrator of the protected private network via a
browser-based interface provided by the monitoring unit and specifies (i) a perceived risky activity of a plurality of perceived
risky activities potentially indicative of malware activity and (ii) a corresponding score, wherein the plurality of perceived
risky activities include bad connection attempts, interactions with hosts in particular geographic locations external to
the protected private network, interactions with undesired websites external to the protected network and failed Domain Name
Server (DNS) resolution requests;

observing, by the monitoring unit, activities relating to a plurality of monitored devices within the protected private network;
for each observed activity, assigning, by the monitoring unit, a score to the observed activity based upon a matching policy
of the plurality of policies;

for each of the plurality of monitored devices, maintaining, by the monitoring unit, a current reputation score for the monitored
device based upon the score and a historical score associated with the monitored device; and

classifying, by the monitoring unit, a monitored device of the plurality of monitored devices as potentially being a malicious
resource based upon the current reputation score for the monitored device.

US Pat. No. 9,413,718

LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES

Fortinet, Inc., Sunnyval...

1. A method comprising:
providing a network switching device within a private Internet Protocol (IP) network that is configured to distribute traffic
among a plurality of cluster units of a high availability cluster of firewall security devices within the private IP network;

configuring a load balancing function in the network switching device based on information received from a network administrator
of the network switching device indicative of (i) a number of bits to be used as an input to the load balancing function and
(ii) corresponding contiguous or non-contiguous bit positions within a packet header of packets to be load balanced;

directing, by the network switching device, the plurality of cluster units to enter into a load balancing mode by sending
one or more control messages to the plurality of cluster units;

responsive to receiving, by the network switching device, a heartbeat signal on a port of a plurality of ports of the network
switching device from a cluster unit of the plurality of cluster units, including information indicative of a state of the
cluster unit within a load balancing table maintained by the network switching device that forms an association between hash
values or emulated hash values output by the load balancing function and corresponding ports of the plurality of ports;

receiving, by the network switching device, a packet from a client device; and
directing, by the network switching device, the packet to an appropriate cluster unit of the plurality of cluster units based
on the packet and the load balancing function by:

determining a hash value or an emulated hash value by applying the load balancing function to values associated with the bit
positions of the number of bits within a header of the packet;

identifying a port of the plurality of ports to which the appropriate cluster unit is coupled based on the hash value or the
emulated hash value and the load balancing table; and

transmitting the packet to the appropriate cluster unit via the identified port.
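The claim above is, in short, a switch that hashes administrator-chosen bit positions of the packet header, looks the hash up in a table that heartbeats keep current, and forwards to the port the table names. The following is an added example of that mechanism (not Fortinet's code). The 20-byte IPv4 header builder, the choice of bit positions (the low byte of the source and of the destination address, two non-contiguous ranges), the XOR-fold hash and the heartbeat representation are constructed assumptions.

```python
"""Hash-based distribution of flows to a firewall cluster (added example).

Not Fortinet's code. The header builder, bit positions, XOR-fold hash and
heartbeat representation are constructed assumptions.
"""
import struct
from typing import Dict, List, Sequence


def ipv4_header(src: str, dst: str, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (constructed test input, checksum left 0)."""
    to_bytes = lambda ip: bytes(int(o) for o in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                       to_bytes(src), to_bytes(dst))


def extract_bits(header: bytes, positions: Sequence[int]) -> int:
    """Concatenate the header bits at `positions` (0 = MSB of byte 0).
    Positions need not be contiguous."""
    value = 0
    for pos in positions:
        bit = (header[pos // 8] >> (7 - pos % 8)) & 1
        value = (value << 1) | bit
    return value


def lb_hash(header: bytes, positions: Sequence[int], table_bits: int = 4) -> int:
    """Fold the selected bits down to a `table_bits`-wide table index by XOR."""
    v = extract_bits(header, positions)
    mask = (1 << table_bits) - 1
    h = 0
    while v:
        h ^= v & mask
        v >>= table_bits
    return h


# Low byte of the source address (bits 120..127) and of the destination
# address (bits 152..159): two non-contiguous ranges, 16 bits in total.
SRC_DST_LOW_BYTES: List[int] = list(range(120, 128)) + list(range(152, 160))


class ClusterSwitch:
    """Switch-side load balancing table: hash value -> egress port."""

    def __init__(self, positions: Sequence[int], table_bits: int = 4) -> None:
        self.positions = list(positions)
        self.table_bits = table_bits
        self.unit_state: Dict[int, str] = {}   # port -> "active" | "failed"
        self.table: Dict[int, int] = {}        # hash value -> port

    def heartbeat(self, port: int, state: str) -> None:
        """A cluster unit's heartbeat arrived on `port`: record its state and
        rebuild the association between hash values and ports."""
        self.unit_state[port] = state
        active = sorted(p for p, s in self.unit_state.items() if s == "active")
        self.table = ({h: active[h % len(active)] for h in range(1 << self.table_bits)}
                      if active else {})

    def select_port(self, header: bytes) -> int:
        h = lb_hash(header, self.positions, self.table_bits)
        if h not in self.table:
            raise RuntimeError("no active cluster unit for hash %d" % h)
        return self.table[h]


def demo() -> Dict[str, int]:
    """Three active units, one flow in both directions, then a unit failure."""
    sw = ClusterSwitch(SRC_DST_LOW_BYTES)
    for port in (1, 2, 3):
        sw.heartbeat(port, "active")
    fwd = ipv4_header("10.1.2.51", "203.0.113.7")
    rev = ipv4_header("203.0.113.7", "10.1.2.51")
    out = {"forward": sw.select_port(fwd), "reverse": sw.select_port(rev)}
    sw.heartbeat(2, "failed")               # unit on port 2 reports failure
    out["forward_after_failure"] = sw.select_port(fwd)
    return out


if __name__ == "__main__":
    print(demo())
```

Because XOR is commutative, folding the concatenated source and destination bytes gives the same index when the two addresses are swapped, so both directions of a connection reach the same stateful firewall unit; a hash over source bits only would not have that property. When a unit's heartbeat reports failure its hash slots are reassigned, which is why the forward flow moves from port 2 to port 3 in the demo.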

US Pat. No. 9,319,491

VIRTUAL MEMORY PROTOCOL SEGMENTATION OFFLOADING

Fortinet, Inc., Sunnyval...

1. A method comprising:
determining, by a bus/memory interface of a network device or a network interface unit of the network device, presence of
outbound payload data within a user memory space of a system memory of the network device, wherein the outbound payload data
is originated by a user process running on a host processor of the network device and is to be delivered via an Internet Protocol
(IP) network to a destination via a transport layer protocol;

fetching, by the bus/memory interface on behalf of the network interface unit, the outbound payload data, wherein the outbound
payload data is distributed across a plurality of payload buffers within the system memory;

wherein the fetching involves performing direct virtual memory addressing of the user memory space, wherein the direct virtual
memory addressing maps physical addresses of various portions of the outbound payload data to corresponding virtual addresses
including accessing a plurality of buffer descriptors created within the system memory by a network driver running on the
host processor, wherein the plurality of buffer descriptors include:

a first buffer descriptor including information indicative of a first starting address within the system memory of a first
payload buffer of the plurality of payload buffers containing therein a first portion of the outbound payload data; and

a second buffer descriptor including information indicative of a second starting address within the system memory of a second
payload buffer of the plurality of payload buffers containing therein a second portion of the outbound payload data; and

segmenting, by the network interface unit, the outbound payload data across one or more transport layer protocol packets.

US Pat. No. 9,894,100

DYNAMICALLY OPTIMIZED SECURITY POLICY MANAGEMENT

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a network security management device, a request to add a new traffic flow policy rule to a plurality of policy
rules managed by the network security management device;

automatically determining, by the network security management device, dependencies of the new traffic flow policy rule on
one or more of the plurality of policy rules;

forming, by the network security management device, an updated set of policy rules by incorporating the new traffic flow policy
rule within the plurality of policy rules based on the determined dependencies; and

automatically optimizing, by the network security management device, the updated set of policy rules by grouping a first sub-set
of policy rules of the updated set of policy rules, reordering a second sub-set of policy rules of the updated set of policy
rules, and deleting a third sub-set of policy rules of the updated set of policy rules, wherein the optimizing is based on
one or more of weights assigned to particular types of traffic, preference settings, priority settings, network traffic characteristics
and usage statistics for each policy rule of the updated set of policy rules, wherein the optimizing by the network security
management device is performed in real time, wherein the network security management device is configured to maintain a log
of changes to the policy rules enabling the optimizing to be undone.
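The claim describes three optimization passes over a rule set (grouping, reordering, deleting), driven by dependencies between rules and by usage statistics, with a change log so the result can be undone. The following added example (not Fortinet's code) implements one reading of that: two rules depend on each other when their match sets overlap and their actions differ, reordering by hit count never swaps such a pair, a rule entirely covered by an earlier one is shadowed and deleted, and adjacent rules that differ only in ports are grouped. The rule model, the sample rule base and the "append new rules at the end" choice are constructed assumptions.

```python
"""Dependency-aware firewall policy optimization (added example).

Not Fortinet's code. Rule model, overlap/cover tests, hit-count ordering,
grouping rule and undo log are constructed assumptions.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import FrozenSet, List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    rid: str
    src: object           # ipaddress network
    dst: object
    proto: str            # "tcp", "udp" or ANY
    ports: FrozenSet      # e.g. frozenset({80, 443}) or frozenset({ANY})
    action: str           # "accept" or "deny"
    hits: int = 0         # usage statistics


def R(rid, src, dst, proto, ports, action, hits=0) -> Rule:
    ps = frozenset([ANY]) if ports == ANY else frozenset(ports)
    return Rule(rid, ip_network(src), ip_network(dst), proto, ps, action, hits)


def overlaps(a: Rule, b: Rule) -> bool:
    """Some packet can match both a and b."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and (ANY in (a.proto, b.proto) or a.proto == b.proto)
            and (ANY in a.ports or ANY in b.ports or bool(a.ports & b.ports)))


def covers(a: Rule, b: Rule) -> bool:
    """Every packet matching b also matches a (b is shadowed if a is earlier)."""
    return (b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and (a.proto == ANY or a.proto == b.proto)
            and (ANY in a.ports or (ANY not in b.ports and b.ports <= a.ports)))


def dependencies(rules: List[Rule], new: Rule) -> List[str]:
    """Existing rules whose order relative to `new` changes behaviour."""
    return [r.rid for r in rules if overlaps(r, new) and r.action != new.action]


def reorder(rules: List[Rule]) -> List[Rule]:
    """Most-used rules first, never swapping two rules whose order matters."""
    n = len(rules)
    before = {j: {i for i in range(j) if overlaps(rules[i], rules[j])
                  and rules[i].action != rules[j].action} for j in range(n)}
    done, out = set(), []
    while len(out) < n:
        ready = [i for i in range(n) if i not in done and before[i] <= done]
        pick = max(ready, key=lambda i: (rules[i].hits, -i))  # ties keep order
        done.add(pick)
        out.append(rules[pick])
    return out


def delete_shadowed(rules: List[Rule]) -> List[Rule]:
    kept: List[Rule] = []
    for r in rules:
        if not any(covers(k, r) for k in kept):
            kept.append(r)
    return kept


def group(rules: List[Rule]) -> List[Rule]:
    """Merge adjacent rules that differ only in ports (adjacent only: merging
    across an intervening rule with a different action would bypass it)."""
    key = lambda x: (x.src, x.dst, x.proto, x.action)
    out: List[Rule] = []
    for r in rules:
        if out and key(out[-1]) == key(r):
            p = out.pop()
            out.append(replace(p, rid=f"{p.rid}+{r.rid}",
                               ports=p.ports | r.ports, hits=p.hits + r.hits))
        else:
            out.append(r)
    return out


class PolicyManager:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.log: List[Tuple[str, List[Rule]]] = []   # (change, rules before it)

    def undo(self) -> str:
        change, before = self.log.pop()
        self.rules = before
        return change

    def add_rule(self, new: Rule) -> List[str]:
        deps = dependencies(self.rules, new)
        self.log.append((f"add {new.rid}", list(self.rules)))
        self.rules.append(new)          # appended: earlier decisions are kept
        self.optimize()
        return deps

    def optimize(self) -> None:
        self.log.append(("optimize", list(self.rules)))
        self.rules = group(delete_shadowed(reorder(self.rules)))


# Constructed rule base: r5 is shadowed by r2, r4 must stay behind r3.
SAMPLE_RULES = [
    R("r1", "10.0.0.0/8", "0.0.0.0/0", "tcp", [80], "accept", hits=100),
    R("r2", "10.0.0.0/8", "0.0.0.0/0", "tcp", [443], "accept", hits=900),
    R("r3", "10.0.5.0/24", "0.0.0.0/0", "tcp", [22], "deny", hits=5),
    R("r4", "10.0.0.0/8", "0.0.0.0/0", "tcp", [22], "accept", hits=300),
    R("r5", "10.0.5.0/24", "192.0.2.0/24", "tcp", [443], "accept", hits=0),
    R("r6", "0.0.0.0/0", "0.0.0.0/0", ANY, ANY, "deny", hits=50),
]
```

Running `PolicyManager(SAMPLE_RULES).optimize()` yields the order r2+r1, r3, r4, r6: the busiest accept rules move to the top and are grouped, r4 (300 hits) stays behind the low-traffic deny r3 because swapping them would open SSH for 10.0.5.0/24, and r5 is dropped because r2 already accepts everything it matches. `undo()` restores the snapshot taken before the pass.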

US Pat. No. 9,692,782

DETECTING MALICIOUS RESOURCES IN A NETWORK BASED UPON ACTIVE CLIENT REPUTATION MONITORING

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a monitoring unit within a protected private network, a plurality of policies in a form of rules, wherein
each policy of the plurality of policies is configurable by a network administrator of the protected private network via a
browser-based interface provided by the monitoring unit and specifies (i) a perceived risky activity of a plurality of perceived
risky activities potentially indicative of malware activity and (ii) a corresponding score, wherein the plurality of perceived
risky activities include bad connection attempts, interactions with hosts in particular geographic locations external to
the protected private network, interactions with undesired websites external to the protected network and failed Domain Name
Server (DNS) resolution requests;

observing, by the monitoring unit, activities relating to a plurality of monitored devices within the protected private network;
for each observed activity, assigning, by the monitoring unit, a score to the observed activity based upon a matching policy
of the plurality of policies;

for each of the plurality of monitored devices, aggregating, by the monitoring unit, the score and a historical score associated
with the monitored device to identify a reputation score for the monitored device; and

classifying, by the monitoring unit, a monitored device of the plurality of monitored devices as potentially being a malicious
resource based upon the reputation score for the monitored device.
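US 9,497,212 (above) and US 9,692,782 (this claim) describe the same scoring loop: administrator-configured policies map perceived risky activities to scores, each observed activity is scored by its matching policy, the device's current score is combined with its historical score, and a device is classified as a potentially malicious resource from the result. The following added example (not Fortinet's code) implements one such monitor for both. The policy table, the decay model used for the "historical score", the threshold and the sample telemetry are constructed assumptions.

```python
"""Per-device reputation scoring (added example for US 9,497,212 / 9,692,782).

Not Fortinet's code. Policy table, decay model, threshold and sample
events are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy table: perceived risky activity -> score.
POLICIES: Dict[str, int] = {
    "bad_connection": 10,   # refused / reset connection attempt
    "geo_risky": 20,        # contact with a host in a flagged location
    "undesired_site": 15,   # web filter category hit
    "failed_dns": 5,        # NXDOMAIN, typical of DGA lookups
}
RISKY_COUNTRIES = {"XX", "YY"}           # constructed placeholder codes
UNDESIRED_CATEGORIES = {"malware", "phishing", "proxy-avoidance"}


@dataclass
class Event:
    host: str                              # monitored device
    kind: str                              # "connection" | "http" | "dns"
    details: Dict[str, object] = field(default_factory=dict)


def match_policy(ev: Event) -> Optional[str]:
    """Return the first policy whose rule matches the observed activity."""
    d = ev.details
    if ev.kind == "connection" and d.get("result") == "refused":
        return "bad_connection"
    if ev.kind in ("connection", "http") and d.get("country") in RISKY_COUNTRIES:
        return "geo_risky"
    if ev.kind == "http" and d.get("category") in UNDESIRED_CATEGORIES:
        return "undesired_site"
    if ev.kind == "dns" and d.get("rcode") == "NXDOMAIN":
        return "failed_dns"
    return None


class ReputationMonitor:
    """current = historical * decay + score(new event).

    The decay is this example's model of the claims' historical score: a
    device that stops misbehaving recovers instead of staying flagged
    forever because of one burst of NXDOMAIN answers.
    """

    def __init__(self, policies: Dict[str, int] = POLICIES,
                 decay: float = 0.9, threshold: float = 50.0) -> None:
        self.policies = policies
        self.decay = decay
        self.threshold = threshold
        self.scores: Dict[str, float] = {}
        self.hits: Dict[str, List[str]] = {}

    def observe(self, ev: Event) -> float:
        policy = match_policy(ev)
        score = self.policies.get(policy, 0) if policy else 0
        historical = self.scores.get(ev.host, 0.0)
        self.scores[ev.host] = historical * self.decay + score
        if policy:
            self.hits.setdefault(ev.host, []).append(policy)
        return self.scores[ev.host]

    def classify(self, host: str) -> bool:
        """True when the device is potentially a malicious resource."""
        return self.scores.get(host, 0.0) >= self.threshold


# Constructed sample telemetry: 10.0.0.5 behaves like an infected host,
# 10.0.0.9 like an ordinary workstation.
SAMPLE_EVENTS: List[Event] = [
    Event("10.0.0.5", "dns", {"name": "k3j2h1.example", "rcode": "NXDOMAIN"}),
    Event("10.0.0.9", "http", {"host": "news.example", "category": "news", "country": "US"}),
    Event("10.0.0.5", "dns", {"name": "p9q8w7.example", "rcode": "NXDOMAIN"}),
    Event("10.0.0.5", "connection", {"dst": "198.51.100.7", "result": "refused"}),
    Event("10.0.0.9", "dns", {"name": "intranet.example", "rcode": "NOERROR"}),
    Event("10.0.0.5", "http", {"host": "cdn.example", "country": "XX"}),
    Event("10.0.0.5", "http", {"host": "bad.example", "category": "malware", "country": "US"}),
    Event("10.0.0.9", "connection", {"dst": "10.0.0.1", "result": "ok"}),
    Event("10.0.0.5", "connection", {"dst": "203.0.113.9", "country": "YY", "result": "ok"}),
]


def run_demo(events: List[Event] = SAMPLE_EVENTS) -> Dict[str, bool]:
    """Feed the events through the monitor and return classification per host."""
    mon = ReputationMonitor()
    for ev in events:
        mon.observe(ev)
    return {host: mon.classify(host) for host in sorted(mon.scores)}


if __name__ == "__main__":
    print(run_demo())
```

The benign host never matches a policy and keeps a score of zero; the infected host accumulates 5, 9.5, 18.55, 36.7, 48.0 and finally 63.2 over six risky activities and crosses the threshold on the last one. In practice the scores, the decay and the threshold are what the administrator tunes through the configuration interface the claims describe, and the `hits` list is what an analyst would want to see next to the verdict.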

US Pat. No. 9,535,760

METHOD AND SYSTEM FOR DEDICATING PROCESSORS FOR DESIRED TASKS

Fortinet, Inc., Sunnyval...

1. A method for improving the performance of a multi-processor system, the method comprising:
bypassing a controller that is subject to context switching of an operating system to disable interrupts of the controller
for context switching;

initializing a pseudo controller in a memory that is not subject to context switching in performing on behalf of the bypassed
controller;

dedicating a subset of general-purpose processors from a plurality of general-purpose processors to perform a desired task,
wherein the pseudo controller in the memory facilitates performing the desired task in connection with the subset of general
purpose processors without the need for context switching;

configuring the remaining general purpose processors to handle interrupts for context switching; and
performing the desired task.

US Pat. No. 9,537,871

SYSTEMS AND METHODS FOR CATEGORIZING NETWORK TRAFFIC CONTENT

Fortinet, Inc., Sunnyval...

1. A computer-implemented method of categorizing electronic message content comprising:
receiving, via a network interface device of a networked device on which the method is implemented through instructions executable
by at least one processor, an electronic message;

determining, through execution of instructions of an electronic message content categorization module on the at least one
processor, that the electronic message likely includes undesirable content, the determining performed according to at least
two different analysis techniques to obtain at least two different potential categorizations of the electronic message indicating
the electronic message likely includes undesirable content, the at least two different analyses performed as a function of
a database of known categorization properties of electronic message content;

in accordance with a determination that at least two or more categorizations are of the same categorization type, adding all
the probabilities of the at least two or more categorizations of the same categorization type creating a summation probability
for the same categorization type;

comparing the summation probability with the probabilities of all other categorizations;
selecting the categorization with the highest probability from all categorizations including the categorization assigned with
the summation probability; and

storing, on a data storage device, by the electronic message content categorization module, a representation of the determination
that the electronic message likely includes undesirable content and data derived from the electronic message such that the
stored representation is available to assist in processing subsequently received electronic messages.
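The claim above combines the outputs of at least two analysis techniques by adding together the probabilities assigned to the same category, comparing the sums with the other categories and keeping the winner, and then stores the result so later messages can reuse it. The following added example (not Fortinet's code) shows why the summation matters: one technique alone would call the sample message spam, but two weaker phishing signals add up to more. The two techniques (indicator tokens and linked-domain reputation), their databases and the sample messages are constructed assumptions.

```python
"""Combining categorizations from several analysis techniques (added example).

Not Fortinet's code. Techniques, databases and sample messages are
constructed assumptions.
"""
import hashlib
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Categorization = Tuple[str, float]          # (category, probability)

# Constructed "database of known categorization properties".
INDICATOR_TOKENS: Dict[str, set] = {
    "phishing": {"account", "suspended", "verify", "password", "confirm"},
    "spam": {"free", "winner", "prize", "click"},
}
DOMAIN_REPUTATION: Dict[str, Categorization] = {
    "login-example.test": ("phishing", 0.7),
    "deals-example.test": ("spam", 0.6),
}
TOKEN_RE = re.compile(r"[a-z]+")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)


def analyze_tokens(text: str) -> List[Categorization]:
    """Technique 1: fraction of each category's indicator tokens present."""
    words = set(TOKEN_RE.findall(text.lower()))
    out = []
    for cat, indicators in INDICATOR_TOKENS.items():
        p = len(words & indicators) / len(indicators)
        if p > 0:
            out.append((cat, p))
    return out


def analyze_domains(text: str) -> List[Categorization]:
    """Technique 2: reputation of the domains linked from the message."""
    return [DOMAIN_REPUTATION[d.lower()] for d in URL_RE.findall(text)
            if d.lower() in DOMAIN_REPUTATION]


def combine(results: List[Categorization]) -> Categorization:
    """Sum probabilities of same-type categorizations, then pick the highest."""
    total: Dict[str, float] = defaultdict(float)
    for cat, p in results:
        total[cat] += p
    return max(total.items(), key=lambda kv: kv[1])


class Categorizer:
    def __init__(self) -> None:
        self.store: Dict[str, Categorization] = {}   # digest -> stored verdict

    def categorize(self, message: str) -> Categorization:
        # Representation of the message kept on the data storage device:
        # a digest of the whitespace-normalized text plus the verdict.
        digest = hashlib.sha256(" ".join(message.split()).lower().encode()).hexdigest()
        if digest in self.store:
            return self.store[digest]            # seen before: reuse verdict
        results = analyze_tokens(message) + analyze_domains(message)
        if not results:
            return ("clean", 0.0)
        verdict = combine(results)
        self.store[digest] = verdict
        return verdict


# Constructed sample messages.
SAMPLE_PHISH = ("Winner! Your free prize is waiting, click now. Your account is "
                "suspended until you confirm at http://login-example.test/x")
SAMPLE_BENIGN = "Lunch at noon? The meeting room is booked."
```

For `SAMPLE_PHISH` the token technique reports spam 1.0 and phishing 0.6, the domain technique adds phishing 0.7; after summation phishing (1.3) beats spam (1.0), which is the behaviour the claim's summation step is there for. A digest of a normalized body is a deliberately simple representation; a production system would also store the per-technique evidence so a later reviewer can see why the verdict was reached.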

US Pat. No. 9,536,103

SECURE CLOUD STORAGE DISTRIBUTION AND AGGREGATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
providing, by a cloud storage gateway device logically interposed between one or more third-party cloud storage platforms
and a plurality of users of an enterprise, a generalized application programming interface (API) through which the plurality
of users can store files to the one or more third-party cloud storage platforms, issue search requests against the files and
retrieve content of the files;

assigning, by the cloud storage gateway device, a file storage policy of a plurality of file storage policies to each user
of the plurality of users, the plurality of file storage policies defining access rights, storage diversity requirements and
a type of encryption to be applied to the files; and

responsive to receiving, via the generalized API, a request to store a file from a first user of the plurality of users:
creating, by the cloud storage gateway device, searchable encrypted data corresponding to one or more of (i) content of the
file and (ii) metadata associated with the file, wherein the searchable encrypted data is based on the type of encryption
defined by a first file storage policy of the plurality of file storage policies assigned to the first user;

distributing, by the cloud storage gateway device, the searchable encrypted data among the one or more third-party cloud storage
platforms based on the storage diversity requirements defined by the first file storage policy by uploading a subset of the
searchable encrypted data to each of the one or more third-party cloud storage platforms; and

randomly creating, by the cloud storage gateway device, empty files and distributing the empty files among the one or more
third-party cloud storage platforms.

US Pat. No. 9,461,963

SYSTEMS AND METHODS FOR DETECTING UNDESIRABLE NETWORK TRAFFIC CONTENT

Fortinet, Inc., Sunnyval...

1. A non-transitory device-readable medium, with instructions stored thereon, which when executed by at least one processor
of a processing station device of a plurality of processing stations geographically dispersed, cause the processing station
device to:
receive, via a network connection by a network interface device of the processing station device, updates to information regarding
electronic data desired to be detected, the information stored in a memory device of the processing station device;

receive, via the network interface device of the processing station device according to a geographical location of at least
one of the processing station device and a receiving station device, a representation of at least a portion of electronic
data from the receiving station device, the representation of the at least a portion of electronic data generated by the receiving
station device according to a hashing algorithm, wherein the processing station device does not store electronic data desired
to be detected and wherein the representation has a smaller data size than the at least a portion of electronic data;

compare the representation of the at least a portion of electronic data to a list of reference representations of electronic
data desired to be detected, the list of reference representations of electronic data desired to be detected stored in the
memory device;

generate, when the comparing identifies a match of the representation to a member of the list of reference representations
of electronic data desired to be detected, a message indicating the electronic data from which the representation was generated
is associated with content desired to be detected; and

transmit, via the network interface device of the processing station device, the message to the receiving station device,
wherein content desired to be detected is prevented by the receiving station device from being sent to a user device.

US Pat. No. 9,407,449

HARDWARE-ACCELERATED PACKET MULTICASTING

Fortinet, Inc., Sunnyval...

1. In a virtual routing system having a plurality of virtual routers (VRs) instantiated by a virtual routing engine (VRE),
wherein the instantiation of each VR includes an associated routing context, a method of multicasting packets comprising:
receiving a first multicast packet to be multicast to a first multicast destination and a second multicast packet to be multicast
to a second multicast destination;

classifying the first received multicast packet and the second received multicast packet in accordance with different VRs
of the plurality of VRs by determining a first selected VR of the plurality of VRs to multicast the first received multicast
packet and a second selected VR of the plurality of VRs to multicast the second received multicast packet;

switching a routing context of the VRE to a routing context associated with the first selected VR for the first received multicast
packet; and

reading at least a portion of the first received multicast packet from one of a plurality of multicast address spaces associated
with the first selected VR to multicast the first received multicast packet;

forwarding the first received multicast packet to the first multicast destination;
switching the routing context of the VRE to a routing context associated with the second selected VR for the second received
multicast packet;

reading at least a portion of the second received multicast packet from a plurality of multicast address spaces associated
with the second selected VR to multicast the second received multicast packet; and

forwarding the second received multicast packet to the second multicast destination.

US Pat. No. 9,859,965

TELECOMMUNICATION TERMINAL

Fortinet, Inc., Sunnyval...

1. A telecommunication terminal comprising:
a local area network (LAN) port connectable to an enterprise computer network via an Ethernet cable;
an Internet Protocol (IP) phone unit;
a wireless access point unit that facilitates access to the enterprise computer network by wireless devices within a coverage
area of the wireless access point unit by providing wireless connections to the wireless devices;

a switch device interposed between each of the IP phone unit and the wireless access point unit and the LAN port, wherein
the IP phone unit and the wireless access point unit share the LAN port to access the enterprise computer network; and

a housing that encloses said IP phone unit, said wireless access point unit, said switch device and said LAN port, wherein
said IP phone unit, said access point unit, said switch device and said LAN port are an integral part of the telecommunication
terminal and contained within the housing.

US Pat. No. 9,853,944

CLOUD BASED LOGGING SERVICE

Fortinet, Inc., Sunnyval...

1. A network security gateway comprising:
one or more microprocessors; and
one or more internal data storage devices operatively coupled to the one or more microprocessors and storing:
a graphical user interface module, which when executed by the one or more microprocessors, allows a network administrator
to view and modify various configuration settings for the network security gateway, wherein a configuration screen associated
with logging and reporting settings has integrated therein one or more settings associated with a cloud-based logging service
provided by a vendor of the network security gateway, wherein by default a setting of the one or more settings associated
with logging and archiving of information regarding one or more of network traffic, system events and security events observed
by the network security gateway causes the network security gateway to use the cloud-based logging service as a logging device
for storage and retrieval of the information; and

a cloud-based logging service access module, which when executed by the one or microprocessors, automatically creates an account
within the cloud-based logging service by registering the network security gateway itself as a user of the cloud-based logging
service, thereby allowing the network security gateway to make use of the cloud-based logging service for purposes of logging
and reporting the information without requiring separate registration with the cloud-based logging service to be performed
by the network administrator.

US Pat. No. 9,825,992

CLOUD-BASED SECURITY POLICY CONFIGURATION

Fortinet, Inc., Sunnyval...

1. A method comprising:
sharing, by a first network security device of an enterprise, a plurality of security parameters associated with the first
network security device with a plurality of network security devices of the enterprise by logging into a shared enterprise
cloud account, wherein the first network security device is physically located at a first site of the enterprise and performs
one or more of network firewalling, intrusion prevention, content filtering and data leak prevention on behalf of the enterprise;

retrieving, by a second network security device of the plurality of network security devices, the plurality of shared security
parameters by logging into the shared enterprise cloud account, wherein the second network security device is physically located
at a second site of the enterprise and performs one or more of network firewalling, intrusion prevention, content filtering
and data leak prevention on behalf of the enterprise;

automatically creating, by the second network security device, a Virtual Private Network (VPN) client configuration that controls
a VPN connection between the first network security device and the second network security device based at least in part on
the plurality of shared security parameters; and

when the VPN client configuration permits network traffic to be exchanged between the first network security device and the
second network security device, dynamically establishing the VPN connection between the first network security device and
the second network security device based at least in part on the plurality of shared security parameters.

US Pat. No. 9,819,746

AUTOMATED CONFIGURATION OF ENDPOINT SECURITY MANAGEMENT

Fortinet, Inc., Sunnyval...

1. A method comprising:
during initialization of a client security application running on a client device:
determining, by the client security application, a network connection state of the client device with respect to a private
network;

selecting, by the client security application, a configuration for the client security application based on the determined
network connection state; and

launching, by the client security application, one or more functions of the client security application that are designated
by the selected configuration to be performed by the client security application, wherein the one or more functions include
one or more of web content filtering, anti-virus scanning and network access logging; and

wherein the network connection state of the client device with respect to the private network is determined by comparing a
media access control (MAC) address of a gateway to which the client security application is connected with a MAC address of
a network security device protecting the private network and with which the client security application is registered.

US Pat. No. 9,769,828

OPTIMIZATION OF MU-MIMO BEAMFORMING IN A WI-FI COMMUNICATION NETWORK BASED ON MOBILITY PROFILES

Fortinet, Inc., Sunnyval...

1. A computer-implemented method, in an access point having MU-MIMO capability, for automatically grouping stations into groups
to optimize Wi-Fi beamforming transmissions over a communication network, the method comprising the steps of:
associating with stations of a plurality of stations over a Wi-Fi portion of the communication network, wherein the stations
have MU-MIMO capability;

determining a mobility profile for each station of the plurality of stations, the mobility profile including factors that
characterize at least an amount of movement and current location for a station;

assigning each station to a beamforming group, each station of the beamforming group having similar mobility profiles;
selecting a type of beamforming transmission for each beamforming group based on mobility profiles of associated stations,
the type of beamforming transmissions including at least MU-MIMO and SU-MIMO; and

transmitting data to the stations of each beamforming group according to the selected type of beamforming transmissions.

US Pat. No. 9,635,085

OPTIMIZING MULTIMEDIA STREAMING IN WLANS (WIRELESS LOCAL ACCESS NETWORKS)

Fortinet, Inc., Sunnyval...

1. A computer-implemented method in an SDN (Software-Defined Networking) controller of a communication network for optimizing
multimedia downloads at a remote data plane responsive to user playback behavior, the method comprising the steps of:
detecting a progressive download of a multimedia file in progress to a station through a first access point;
examining packets of the multimedia file to determine a file name for the multimedia file;
determining that users discontinue playback of the multimedia file of the determined file name beyond a certain duration;
in response to surpassing the certain duration, generating one or more OpenFlow rules to implement a target download rate
at a data plane of the first access point, wherein the data plane is remote to the SDN controller, and wherein the target
download rate is reduced to reflect the tendency of users to discontinue playback;

implementing the one or more OpenFlow rules at the data plane of the first access point to meet the target download rate.

US Pat. No. 9,602,303

IDENTIFYING NODES IN A RING NETWORK

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by a ring controller of a first blade of a plurality of blades participating in a ring network, an indication of
an event, wherein each blade of the plurality of blades has a priority;

when the event represents expiration of a token timeout period for receipt of an arbitration token, then transmitting, by
the ring controller, a new arbitration token onto the ring network, wherein possession of the arbitration token or the new
arbitration token by a blade of the plurality of blades represents permission for the blade to transmit a packet on the ring
network; and

when the event represents receipt of the arbitration token, then:
comparing, by the ring controller, the priority of an originating blade of the plurality of blades that originated the arbitration
token to the priority of the first blade;

when the priority of the originating blade is higher than the priority of the first blade, then transmitting, by the ring
controller, the arbitration token to a next blade of the plurality of blades;

when the priority of the originating blade is lower than the priority of the first blade, then setting, by the ring controller,
the first blade as the originating blade and transmitting the arbitration token to the next blade; and

when the priority of the originating blade is equal to the priority of the first blade, then assuming, by the ring controller,
a role of a token master, wherein the token master is responsible for periodically transmitting a discovery marker onto the
ring network, wherein the discovery marker facilitates topology discovery by the plurality of blades.
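The arbitration in the claim above is a small distributed election: whichever blade times out injects a token carrying its own priority, each blade that receives the token either forwards it, replaces the originator with itself, or, on seeing its own priority come back, becomes token master and starts sending discovery markers. The following added example (not Fortinet's code) simulates that in-process. The token and marker structures, the timeout event and the priorities are constructed assumptions, and the scheme as claimed relies on priorities being unique: two distinct blades with equal priority would each mistake the other's token for its own.

```python
"""Token arbitration and topology discovery on a blade ring (added example).

Not Fortinet's code. Ring simulation, token/marker structures and
priorities are constructed assumptions; priorities must be unique.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Token:
    originator: int            # index of the blade that last originated it


@dataclass
class DiscoveryMarker:
    path: List[int] = field(default_factory=list)   # blades visited, ring order


class Blade:
    def __init__(self, idx: int, priority: int) -> None:
        self.idx, self.priority = idx, priority
        self.token_master = False

    def on_timeout(self) -> Token:
        """No arbitration token within the timeout: originate a new one."""
        return Token(originator=self.idx)

    def on_token(self, token: Token, blades: List["Blade"]) -> Optional[Token]:
        """The claim's three-way priority comparison. Returns the token to pass
        to the next blade, or None once this blade has become token master."""
        orig_priority = blades[token.originator].priority
        if orig_priority > self.priority:
            return token                           # forward unchanged
        if orig_priority < self.priority:
            return Token(originator=self.idx)      # take over as originator
        self.token_master = True                   # our own token came back
        return None

    def on_marker(self, marker: DiscoveryMarker) -> DiscoveryMarker:
        marker.path.append(self.idx)
        return marker


class Ring:
    def __init__(self, priorities: List[int]) -> None:
        self.blades = [Blade(i, p) for i, p in enumerate(priorities)]

    def arbitrate(self, timeout_at: int, max_hops: int = 1000) -> int:
        """Blade `timeout_at` sees the token timeout; circulate the token
        until a master is elected and return the master's index."""
        token = self.blades[timeout_at].on_timeout()
        cur = (timeout_at + 1) % len(self.blades)
        for _ in range(max_hops):
            token = self.blades[cur].on_token(token, self.blades)
            if token is None:
                return cur
            cur = (cur + 1) % len(self.blades)
        raise RuntimeError("ring did not converge")

    def discover(self) -> List[int]:
        """The token master sends a discovery marker once around the ring;
        the order in which blades append themselves is the topology."""
        master = next(b for b in self.blades if b.token_master)
        marker = DiscoveryMarker()
        cur = master.idx
        for _ in range(len(self.blades)):
            marker = self.blades[cur].on_marker(marker)
            cur = (cur + 1) % len(self.blades)
        return marker.path


if __name__ == "__main__":
    ring = Ring([3, 7, 5, 1])
    print("master:", ring.arbitrate(timeout_at=0), "topology:", ring.discover())
```

With priorities 3, 7, 5, 1 and the timeout on blade 0, the token is taken over by blade 1 on the first hop, passes blades 2, 3 and 0 unchanged, and blade 1 becomes master when it comes back; the marker then records the ring order 1, 2, 3, 0. The election converges in at most two trips around the ring, which is why a small `max_hops` guard is enough.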

US Pat. No. 9,584,472

FACILITATING CONTENT ACCESSIBILITY VIA DIFFERENT COMMUNICATION FORMATS

Fortinet, Inc., Sunnyval...

1. A method comprising:
causing client requests for web page content published by a content publisher in Internet Protocol version 4 (IPv4) format
and hosted by an IPv4 server to be directed or redirected to a traffic management node by configuring a first domain name
of the content publisher to point to a second domain name associated with the traffic management node via a canonical name
(CNAME) record of a domain name system (DNS);

receiving, by the traffic management node, a request for the web page content from a client that has been directed or redirected
to the traffic management node as a result of said configuring;

determining, by the traffic management node, communication capabilities of the client based on an ability of the client to
access a set of test content, wherein the communication capabilities include IPv4 enabled, IPv6 enabled and dual stack; and

based on the determined communication capabilities and a traffic management policy specified by the content publisher, directing,
by the traffic management node, the request to an Internet Protocol version 6 (IPv6) proxy server or the IPv4 server, wherein
the IPv6 proxy server hosts the web page content in IPv6 format, wherein the web page content was obtained by the IPv6 proxy
server from the IPv4 server and translated from the IPv4 format to the IPv6 format.

US Pat. No. 9,584,587

MANAGING TRANSMISSION AND STORAGE OF SENSITIVE DATA

Fortinet, Inc., Sunnyval...

1. A method comprising:
intercepting, by a network security appliance logically interposed between a local client and a remote server, outgoing traffic
from the local client to the remote server;

identifying, by the network security appliance, a submission command contained within the outgoing traffic, wherein the submission
command is of a type that directs the network security appliance to submit sensitive data of a user of the local client to
the remote server on behalf of the user;

retrieving, by the network security appliance, the sensitive data from a storage device within or coupled to the network security
appliance;

modifying, by the network security appliance, the outgoing traffic by injecting the sensitive data into the outgoing traffic
to form modified outgoing traffic; and

sending, by the network security appliance, the modified outgoing traffic to the remote server.

US Pat. No. 9,537,820

FACILITATING CONTENT ACCESSIBILITY VIA DIFFERENT COMMUNICATION FORMATS

Fortinet, Inc., Sunnyval...

1. A traffic manager system comprising:
a memory having stored therein instructions;
a processor coupled to the memory and operable to execute the instructions to perform a method comprising:
causing to be stored on a client device information indicative of one or more communication formats via which the client device
is capable of communication by

sending to the client device a web page having embedded therein one or more of Internet Protocol version 4 (IPv4) test content
and Internet Protocol version 6 (IPv6) test content;

based on a response to the test content received from the client device, determining communication capabilities of the client
device in terms of whether the client device is capable of communicating via IPv4, IPv6 or both;

storing a result of said determining within a browser cookie; and
sending the browser cookie to the client device;
receiving a content request from the client device, wherein the content request includes the browser cookie; and
redirecting the content request to a server device appropriate for the communication capabilities of the client device based
at least in part on the browser cookie.

US Pat. No. 9,450,977

SYSTEMS AND METHODS FOR UPDATING CONTENT DETECTION DEVICES AND SYSTEMS

Fortinet, Inc., Sunnyval...

1. A method in a content detection system, the method comprising:
receiving content via a network interface device of the content detection system;
determining, through execution of instructions on a processor of the content detection system, whether the received content
contains suspicious content data or is itself a threat to be detected;

when the received content contains or is a threat, generating, through execution of instructions on the processor of the
content detection system, content detection data as a function of the received content;

based on an ordered list of a plurality of update stations to receive content detection data updates, identifying, through execution
of instructions on the processor, a primary update station to receive the content detection data update;

attempting to transmit, via the network interface device, the content detection data update to the primary update station;
upon failure of the transmission of the content detection data update to the primary update station, identifying, through execution
of instructions on the processor of the content detection system, a secondary update station to receive the content detection data update
based on the ordered list of the plurality of update stations to receive content detection data updates, the primary and secondary
stations having different geographical locations;

sending from the central station via the network interface device, the content detection data update to the secondary update
station including data identifying at least one content detection module of a plurality of content detection modules, coupled
through the network to the plurality of update stations, to receive the content detection data update and at least one instruction
to distribute the content detection data update to the identified at least one content detection module, wherein the distribution
is performed not in response to a request from the at least one content detection module.

US Pat. No. 9,444,788

DATA LEAK PROTECTION IN UPPER LAYER PROTOCOLS

Fortinet, Inc., Sunnyval...

1. A data leak prevention (DLP) method comprising:
maintaining, by a network security appliance within a private network, a data structure identifying therein a plurality of
candidate upper layer protocols, one or more corresponding requests or commands of interest for each of the plurality of candidate
upper layer protocols and a corresponding suspect field contained within each of the one or more corresponding requests or
commands of interest that is to be subjected to DLP scanning as a result of its potential for carrying sensitive information
out of the network;

receiving, by the network security appliance, a packet originated by a host device within the private network and directed
to a destination device outside of the private network;

identifying, by the network security appliance, an upper layer protocol associated with the received packet based on a destination
port specified in a header of the received packet or information contained in a protocol field of the header;

determining, by the network security appliance, whether the identified upper layer protocol is among the plurality of candidate
upper layer protocols;

when a result of the determining is affirmative and a request or command represented by the received packet is among those
of the one or more corresponding requests or commands of interest for the identified upper layer protocol, then performing
a DLP scan on the received packet by:

extracting a content from the corresponding suspect field contained within the received packet;
applying a plurality of DLP rules to the extracted content, wherein each of the plurality of DLP rules is defined in terms
of (i) one or more of a regular expression and a string that are configured to detect existence of one or more forms of sensitive
information and (ii) information defining an action to take when one or more conditions associated with the DLP rule are satisfied;
and

when said applying results in a conclusion that the one or more forms of sensitive information are contained within the received
packet, then performing, by the network security appliance, the defined action; and

when the result is negative or the request or command represented by the received packet is not among those of the one or
more corresponding requests or commands of interest for the identified upper layer protocol, then allowing, by the network
security appliance, the received packet to pass through the network security appliance without performing the DLP scan on
the received packet.

US Pat. No. 10,033,527

DUAL-MODE PROCESSING OF CRYPTOGRAPHIC OPERATIONS

Fortinet, Inc., Sunnyval...

1. A method for performing an efficient execution of a cryptographic operation comprising:
receiving data upon which the cryptographic operation is to be performed by a computer system being configured with dual-mode cryptographic processing capabilities, wherein the computer system includes a host central processing unit (CPU) and a cryptographic hardware accelerator coupled to the host CPU;
dividing, by the CPU, the received data into a plurality of blocks with a block size according to the block size of a respective cryptographic algorithm being employed, wherein the cryptographic operation, in accordance with the configured dual-mode cryptographic processing capabilities, is performed on at least one of the plurality of blocks by the cryptographic hardware accelerator and is performed on at least another of the plurality of blocks by the CPU in a following sequence as directed by a scheduler running on the CPU:
offloading, by the CPU, performance of the cryptographic operation on a first block of the plurality of blocks to the cryptographic hardware accelerator; and subsequently,
for each remaining subsequent block of the plurality of blocks:
requesting, by the CPU, state information associated with the availability of the cryptographic hardware accelerator including at least a resource utilization;
when the state information satisfies a predetermined condition of the availability, then offloading, by the CPU, performance of the cryptographic operation on the remaining subsequent block to the cryptographic hardware accelerator;
when the state information does not satisfy the predetermined condition of the availability, then performing, by the CPU, the cryptographic operation on the remaining subsequent block by invoking a native hardware supported cryptographic instruction on the remaining subsequent block rather than waiting for the availability of the cryptographic hardware accelerator to facilitate the efficient execution of the cryptographic operation.

US Pat. No. 9,860,789

LOAD BALANCING FOR A CLOUD-BASED WI-FI CONTROLLER BASED ON LOCAL CONDITIONS

Fortinet, Inc., Sunnyval...

1. A computer-implemented method for load balancing in a cloud-based Wi-Fi controller device that remotely monitors Wi-Fi
devices for a plurality of WLANs (wireless local access networks), the method comprising the steps of:
receiving requests for connection from Wi-Fi devices of the plurality of WLANs, wherein the number of connection requests
within a time period exceeds a threshold;

receiving an indication of at least one condition for each of the WLANs;
prioritizing at least one Wi-Fi device based on a corresponding at least one condition;
scheduling future connections based on the prioritizing;
receiving monitoring data from the Wi-Fi device in accordance with the scheduling; and
performing at least one action with respect to operation of the Wi-Fi device on a corresponding WLAN based on the monitoring
data.

US Pat. No. 9,774,607

DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES

Fortinet, Inc., Sunnyval...

1. A computer-implemented method comprising:
receiving, by an antivirus detection module running on a network gateway device logically interposed between an external network
and a plurality of host systems within a private network, a file having associated therewith a certificate chain;

identifying, by the antivirus detection module, a type and structure of the file, including checking relevant locations in
the file for one or more primary identification bytes that are indicative of the file being of a particular executable file
format;

determining, by the antivirus detection module, a location of the certificate chain with respect to the file based on the
identified type and structure;

forming, by the antivirus detection module, a signature of the file by extracting a targeted subset of information from the
certificate chain based on the type and structure of the file;

evaluating, by the antivirus detection module, the file by comparing the signature with a set of signatures having a known desirable
or undesirable status;

classifying, by the antivirus detection module, the file into a category of a plurality of categories based on a result of
said evaluating, wherein one of the plurality of categories is indicative of an associated file being an undesired file or
a file suspected of being undesired; and

handling, by the antivirus detection module, the file in accordance with a policy associated with the category.

US Pat. No. 9,742,800

SYSTEM AND METHOD FOR SOFTWARE DEFINED BEHAVIORAL DDOS ATTACK MITIGATION

Fortinet, Inc., Sunnyval...

1. A method for mitigating distributed denial of service (DDoS) attacks, comprising:
providing a distributed software defined networking (SDN) architectural solution to DDoS mitigation by decoupling a control
plane and a data plane for DDoS attack mitigation, wherein functionality associated with the control plane is implemented
within a DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based
on past traffic and management of DDoS attack mitigation policies and wherein functionality associated with the data plane
is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of granular
traffic rate information regarding traffic observed by each of the plurality of DDoS mitigation appliances;

receiving, by a DDoS attack mitigation appliance of the plurality of DDoS attack mitigation appliances, the DDoS attack mitigation
policies through a network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliance;
and

mitigating a DDoS attack based on the received DDoS attack mitigation policies, wherein the DDoS attack mitigation policies
are generated by the DDoS attack mitigation central controller based on granular behavioral packet rate thresholds estimated
based on the granular traffic rate information collected at least from the DDoS attack mitigation appliance.

US Pat. No. 9,729,511

FILTERING HIDDEN DATA EMBEDDED IN MEDIA FILES

Fortinet, Inc., Sunnyval...

1. A method comprising:
capturing network traffic, by a network security device protecting a private network, wherein the network traffic is directed
to an intended recipient associated with the private network;

extracting, by an Intrusion Prevention System (IPS) engine running on the network security device, a media file from the network
traffic;

determining, by the IPS engine, presence of a potentially malicious hidden data item embedded in the media file, wherein the
potentially malicious hidden data item comprises encoded data within one or more of a digital watermark, steganography and
a barcode;

determining, by the IPS engine, whether the potentially malicious hidden data item violates a security policy of a plurality
of security policies of the private network enforced by the network security device by decoding the encoded data and applying
a content filter to a result of the decoding; and

when said determining, by the IPS engine, whether the potentially malicious hidden data item violates a security policy is
affirmative, then (i) blocking transmission of the media file to the intended recipient, (ii) causing the intended recipient
to be alerted regarding the violated security policy and (iii) causing a network administrator of the private network to be
alerted regarding the violated security policy.

US Pat. No. 9,729,409

SYSTEM AND METHOD FOR DYNAMIC MANAGEMENT OF NETWORK DEVICE DATA

Fortinet, Inc., Sunnyval...

1. A method of managing management data communicated between a network management system and a network of a plurality of managed
nodes, the method comprising:
detecting an event occurring in the network;
determining the event triggers a system change in how frequently the management data about two or more of the plurality of managed
nodes is reported by the two or more of the plurality of managed nodes to the network management system, wherein the network
management system is communicatively coupled to the plurality of managed nodes and manages the plurality of managed nodes;
and,

identifying the two or more of the plurality of managed nodes affected by the system change and for each of the two or more
affected managed nodes,

determining, by the network management system, a command based on a rule matching that event from a set of rules for that
managed node that represents a specific change in how frequently the management data is reported from that managed node to the
network management system, and

sending the command from the network management system to an agent resident on that managed node, wherein the agent applies
the command to that managed node and the applied command implements the specific change in how frequently the management data
is reported from that managed node to the network management system.

US Pat. No. 9,720,739

METHOD AND SYSTEM FOR DEDICATING PROCESSORS FOR DESIRED TASKS

Fortinet, Inc., Sunnyval...

1. A method for improving the performance of a multi-processor system, the method comprising:
providing M general-purpose processors from N general-purpose processors to perform a network polling task, wherein N is greater
than M; and

modifying the M general-purpose processors, wherein the modification of the M general-purpose processors prevents the M general-purpose
processors from performing tasks other than the network polling task and the N−M (N minus M) processors continue to perform operating
system operations including context switching;

wherein the method further comprises:
bypassing a controller that is subject to context switching of an operating system to disable interrupts of the controller
for context switching;

initializing a pseudo controller in a memory that is not subject to context switching in performing on behalf of the bypassed
controller;

initializing the memory to provide additional packet information to the pseudo controller;
dedicating the M general-purpose processors to perform the network polling task, wherein the pseudo controller in the memory
facilitates performing the network polling task in connection with the M general-purpose processors without the need for context
switching;

at the M general-purpose processors, receiving additional packet information from the memory; and
based on the received additional packet information, performing the network polling task.

US Pat. No. 9,716,645

SYSTEMS AND METHODS FOR CONTENT TYPE CLASSIFICATION

Fortinet, Inc., Sunnyval...

1. A method for determining a type of content, comprising:
receiving a first packet of a session with which the first packet is associated, the first packet received in a data classification
module via a communication interface coupled to a network link;

determining, in the data classification module, a potential state of classification for the first packet of the session, a
determined potential classification indicating that at least one classification candidate has been ruled out;

receiving a second packet of the session, the second packet received in the data classification module via the communication
interface coupled to the network link;

determining, in the data classification module, a content type for the second packet based at least in part on the determined
potential state of classification for the first packet of the session without consideration of the at least one classification
candidate that has been ruled out; and

wherein packets associated with the session are transmitted by a sender via a data network to which the network link is connected
to a receiver and at least the first and second packets are processed by the data classification module after transmission
by the sender and prior to receipt by the receiver.

US Pat. No. 9,584,621

DIRECT CACHE ACCESS FOR NETWORK INPUT/OUTPUT DEVICES

Fortinet, Inc., Sunnyval...

1. A method comprising:
running a first network security application on a first central processing unit (CPU) of a plurality of CPUs of a host processor
of a network security appliance;

running a second network security application on a second CPU of the plurality of CPUs;
defining, by a network Input/Output (I/O) device of the network security appliance, a first direct cache access (DCA) control
for a first I/O device queue of a plurality of I/O device queues of the network I/O device corresponding to the first CPU,
wherein the first DCA control is indicative of a first set of one or more portions of a packet queued on the first I/O device
queue that are to be copied to a cache of the first CPU responsive to transfer of the packet queued on the first I/O device
queue to a portion of a host memory of the host processor accessible to the first CPU;

defining, by the network Input/Output (I/O) device, a second DCA control for a second I/O device queue of the plurality of
I/O device queues corresponding to the second CPU, wherein the second DCA control is indicative of a second set of one or
more portions of a packet queued on the second I/O device queue that are to be copied to a cache of the second CPU responsive
to transfer of the packet queued on the second I/O device queue to a portion of the host memory accessible to the second CPU;

receiving, by the network I/O device, an incoming packet;
identifying, by the network I/O device, boundaries of portions of the incoming packet by parsing the incoming packet; and
causing appropriate portions of the incoming packet to be processed in parallel by the first network security application
and the second network security application by:

queuing, by the network I/O device, the incoming packet on the first I/O device queue;
queuing, by the network I/O device, the incoming packet on the second I/O device queue;
transferring, by a host controller associated with the host memory, the incoming packet from the first I/O device queue to
the portion of the host memory accessible to the first CPU;

transferring, by the host controller, the incoming packet from the second I/O device queue to the portion of the host memory
accessible to the second CPU;

copying, by the host controller, the first set of one or more portions of the incoming packet to the cache of the first CPU;
and

copying, by the host controller, the second set of one or more portions of the incoming packet to the cache of the second
CPU.

US Pat. No. 10,051,093

HARDWARE ACCELERATOR FOR PACKET CLASSIFICATION

Fortinet, Inc., Sunnyval...

1. A packet classification hardware accelerator system comprising:
a plurality of packet classification hardware units each capable of operation in parallel on a corresponding decision tree of a plurality of decision trees, wherein the plurality of decision trees are derived from respective subsets of a common ruleset defining packet classification rules based on header fields of packets;
a memory having stored therein non-leaf nodes, leaf nodes and rules associated with the plurality of decision trees;
a cache subsystem, coupled in communication with the plurality of packet classification hardware units and the memory, having stored therein (i) a cached portion of the non-leaf nodes distributed among a plurality of non-leaf node caches, (ii) a cached set of the leaf nodes in a leaf node cache and (iii) a cached set of the rules;
a level-two (L2) cache shared among the plurality of non-leaf node caches;
wherein a compiler marks each of the non-leaf nodes as either hot or cold; and
wherein only those of the non-leaf nodes marked as hot can be cached in the L2 cache.

US Pat. No. 9,853,855

STAND-BY CONTROLLER ASSISTED FAILOVER

Fortinet, Inc., Sunnyval...

1. A method comprising:
establishing via a management protocol, by an active access point controller (APC) of an enterprise network, an active control
channel and an active data channel with a managed access point (AP) of the enterprise network that is managed by the active
APC, wherein management protocol messages relating to control or provisioning of the managed AP are exchanged between the
active APC and the managed AP via the active control channel;

establishing via the management protocol, by a standby APC of the enterprise network, a standby control channel and a standby
data channel with the managed AP;

providing prompt failure detection of the active APC with reduced consumption of bandwidth between the active APC and the
managed AP by keep-alive messages by:

monitoring, by the managed AP, a health status of the active APC by periodically transmitting a long-interval keep-alive message
to the active APC at a frequency of once every X seconds and tracking a first time for response thereto, if any; and

monitoring, by the standby APC, the health status of the active APC by periodically transmitting a short-interval keep-alive
message to the active APC at a frequency of once every Y seconds, where Y is less than X and tracking a second time for response
thereto, if any, wherein transmission of the short-interval keep-alive message does not consume any bandwidth of the active
data channel or the active control channel between the active APC and the managed AP; and

when the health status is indicative of a failure of the active APC, then initiating failover from the active APC to the standby
APC by causing the managed AP to direct subsequent management protocol messages to the standby APC via the standby control
channel.

US Pat. No. 9,774,569

DETECTION OF UNDESIRED COMPUTER FILES USING DIGITAL CERTIFICATES

Fortinet, Inc., Sunnyval...

1. A method comprising:
receiving, by an electronic mail (email) security system, logically interposed between an external network and a plurality
of host systems within a private network an inbound email message;

when the inbound email message includes an attachment, processing the attachment by an antivirus detection module running
on the electronic mail (email) security system, including:

identifying a type and structure of the attachment by examining relevant locations in the attachment for one or more primary
identification bytes that are indicative of the attachment being of a particular executable file format;

determining a location of the certificate chain with respect to the attachment based on the identified type and structure;
forming a signature of the attachment by extracting a targeted subset of information from the certificate chain based on the
type and structure of the attachment;

evaluating the attachment by comparing the signature with a set of signatures having a known desirable or undesirable status;
classifying the attachment into a category of a plurality of categories based on a result of said evaluating; and
when the category of the attachment is indicative of files associated therewith being malicious or being suspected of being
malicious, a policy associated with the category causes the email security system to quarantine, block or otherwise attempt
to prevent the attachment from being delivered to an end user of one of the plurality of host systems to which the inbound
email message is addressed.

US Pat. No. 9,729,509

SYSTEM AND METHOD FOR INTEGRATED HEADER, STATE, RATE AND CONTENT ANOMALY PREVENTION FOR SESSION INITIATION PROTOCOL

Fortinet, Inc., Sunnyval...

1. An apparatus capable of enforcing network policies and preventing attacks related to header, state, rate and content anomalies,
wherein the attacks include Session Initiation Protocol (SIP) attacks, said apparatus comprising:
a) a Packet Interface that
receives inbound/outbound packets,
stores the packets in a memory buffer,
releases the packets with corresponding packet-ids to a plurality of decision-making blocks for inspection,
drops the packets altogether, and
sends the packets onto forensic ports based on a unified decision by the plurality of decision-making blocks;
b) a Classifier that comprises a SIP Classifier, that is coupled to the Packet Interface, and that classifies packets received
from the Packet Interface and retrieves layer 2, layer 3, layer 4, and layer 7 header information from the packets;

c) a Header and State Anomaly Prevention Engine that comprises a SIP State Anomaly Engine, that is coupled to the Classifier
via a classification bus, and that determines layers 2, 3, 4, and 7 header and state anomalies, including one or more of (1)
a Command Sequence (CSeq) header in a SIP request exceeding a first predetermined threshold; and (2) a mismatch between a
CSeq header method and a method name in a corresponding request line;

d) a Continuous and Adaptive Rate Anomaly Prevention Engine that comprises a SIP Rate Anomaly Engine, that is coupled to the
classification bus, and that determines and estimates rate thresholds for layers 2, 3, 4, and 7 parameters and subsequently
determines rate anomalies for these parameters;

e) a Recon Prevention Engine that is coupled to the classification bus and determines recon activities at layers 3 and 4;
f) a Content Anomaly Engine that comprises a SIP Content Anomaly Engine, that is coupled to the classification bus, and that
identifies attacks on SIP using signatures;

g) a Policy Lookup Engine that comprises a SIP Policy Engine, that is coupled to the classification bus, and that determines
policy violation in packets; and

h) a Decision Multiplexer for generating the unified decision about a packet-id based on information received from the plurality
of decision-making blocks including the Header and State Anomaly Prevention Engine, the Continuous and Adaptive Rate Anomaly
Prevention Engine, the Recon Prevention Engine, the Content Anomaly Engine, and the Policy Lookup Engine.

US Pat. No. 9,660,958

FILTERING HIDDEN DATA EMBEDDED IN MEDIA FILES

Fortinet, Inc., Sunnyval...

1. A method comprising:
capturing network traffic by a firewall device associated with a private network, wherein the network traffic is directed
to an intended recipient associated with the private network;

extracting, by the firewall device, a media file from the network traffic;
determining, by the firewall device, presence of a potentially malicious hidden data item embedded in the media file, wherein
the potentially malicious hidden data item comprises encoded data within one or more of a digital watermark, steganography
and a barcode;

determining whether the potentially malicious hidden data item violates a security policy of a plurality of security policies
of the private network enforced by the firewall device by decoding the encoded data and applying a content filter to a result
of the decoding, wherein the content filter comprises a Uniform Resource Locator (URL) filter and wherein the security policy
contains information indicative of a URL known to be associated with malicious activities; and

when said determining whether the potentially malicious hidden data item violates a security policy is affirmative, then performing
by the firewall device (i) blocking transmission of the media file to the intended recipient, (ii) causing the intended recipient
to be alerted regarding the violated security policy and (iii) causing a network administrator of the private network to be
alerted regarding the violated security policy.

US Pat. No. 9,667,647

DETECTING MALICIOUS RESOURCES IN A NETWORK BASED UPON ACTIVE CLIENT REPUTATION MONITORING

Fortinet, Inc., Sunnyval...

1. A method comprising:
maintaining, by a monitoring unit executing on a network security device protecting a private network, a plurality of policies
in a form of rules, wherein each policy of the plurality of policies is configurable by a network administrator of the private
network via a browser-based interface provided by the monitoring unit and specifies (i) a perceived risky activity of a plurality
of perceived risky activities potentially indicative of malware activity and (ii) a corresponding score, wherein the plurality
of perceived risky activities include bad connection attempts, interactions with hosts in particular geographic locations
external to the private network, interactions with undesired websites external to the private network and failed Domain Name
Server (DNS) resolution requests;

observing, by the monitoring unit, activities relating to a plurality of monitored devices within the private network;
for each of the observed activities, assigning, by the monitoring unit, a score to the observed activity based upon a matching
policy of the plurality of policies;

for each of the plurality of monitored devices, maintaining, by the monitoring unit, a current reputation score for the monitored
device based upon the score and a historical score associated with the monitored device; and

classifying, by the monitoring unit, a monitored device of the plurality of monitored devices as potentially being a malicious
resource based upon the current reputation score for the monitored device.

US Pat. No. 9,369,744

OPTIMIZING MULTIMEDIA STREAMING IN WLANS (WIRELESS LOCAL ACCESS NETWORKS)

Fortinet, Inc., Sunnyval...

1. A computer-implemented method in an SDN (Software-Defined Networking) controller of a communication network for optimizing
multimedia downloads at a remote data plane, the method comprising the steps of:
detecting a progressive download of a multimedia file in progress to a station through a first access point;
examining packets of the multimedia file to determine an encoding rate of frames for the multimedia file;
determining a target download rate for the multimedia file at the access point based on the encoding rate;
generating one or more OpenFlow rules to implement the target download rate at a data plane of the first access point, wherein
the data plane is remote to the SDN controller;

implementing the one or more OpenFlow rules at the data plane of the first access point to meet the target download rate.

US Pat. No. 10,075,468

DENIAL-OF-SERVICE (DOS) MITIGATION APPROACH BASED ON CONNECTION CHARACTERISTICS

Fortinet, Inc., Sunnyval...

1. A method comprising:
establishing, within a Denial-of-Service (DoS) mitigation device logically interposed between a protected resource of a private network (“protected network resource”) and a plurality of client devices residing external to the private network, a current threshold for a network connection characteristic;
tracking, by the DoS mitigation device, a number of connections between the plurality of client devices and the protected network resource; and
during a period of time in which the number of connections exceeds a connection count threshold:
comparing, by the DoS mitigation device, for each of the connections, a measured value for the network connection characteristic to the current threshold; and
responsive to a determination that the measured value exceeds the current threshold, dropping, by the DoS mitigation device, the connection; and
periodically reducing, by the DoS mitigation device, the current threshold by a predetermined amount, whereby, during the period of time, only those connections, if any, of the connections complying with the current threshold are maintained.