US 11,870,755 B2
Dynamic intent-based firewall
Vamsidhar Valluri, Santa Clara, CA (US); Saravanan Radhakrishnan, Bangalore (IN); Anand Oswal, Pleasanton, CA (US); Vinay Prabhu, Milpitas, CA (US); Sarah Adelaide Evans, San Jose, CA (US); and Suraj Rangaswamy, San Jose, CA (US)
Assigned to Cisco Technology, Inc., San Jose, CA (US)
Filed by Cisco Technology, Inc., San Jose, CA (US)
Filed on Oct. 26, 2021, as Appl. No. 17/511,412.
Application 17/511,412 is a continuation of application No. 16/434,115, filed on Jun. 6, 2019, granted, now 11,201,854.
Claims priority of provisional application 62/774,103, filed on Nov. 30, 2018.
Prior Publication US 2022/0052984 A1, Feb. 17, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 12/46 (2006.01); H04L 9/40 (2022.01); H04L 45/02 (2022.01); H04L 45/745 (2022.01)
CPC H04L 63/0263 (2013.01) [H04L 12/4641 (2013.01); H04L 45/02 (2013.01); H04L 45/745 (2013.01); H04L 63/0218 (2013.01); H04L 63/0236 (2013.01); H04L 63/0272 (2013.01); H04L 63/20 (2013.01)] 20 Claims
1. A computer-implemented method comprising:
receiving zone definition information mapping the plurality of network segments into one or more zones, and one or more zone-based firewall (ZFW) policies to apply to traffic between a source zone and a destination zone specified by each ZFW policy;
evaluating a first ZFW policy to determine one or more first edge network devices that can reach one or more first network segments mapped to a first source zone specified by the first ZFW policy, one or more second edge network devices that can reach one or more second network segments mapped to a first destination zone specified by the first ZFW policy, and first routing information between the one or more first network segments, the one or more first edge network devices, the one or more second edge network devices, and the one or more second network segments; and
transmitting the first routing information to the one or more first edge network devices and the one or more second edge network devices.
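As an added illustration of the claimed method (example code written for this page, not Cisco's implementation), the Python below resolves one ZFW policy against a constructed segment-to-zone map and a per-edge reachability table, producing the first edge devices, second edge devices and routing information the claim recites. The segment prefixes, device names, policy fields and the route tuple layout are all assumptions; note that a zone pair with no policy yields no routing information at all.

```python
from dataclasses import dataclass

# Constructed sample topology (not from the patent): segment -> zone, and the
# segments each edge device can reach locally.
SEGMENT_ZONE = {
    "10.1.0.0/24": "branch", "10.1.1.0/24": "branch",
    "10.9.0.0/24": "dc", "10.9.1.0/24": "dc",
    "192.168.5.0/24": "guest",
}
EDGE_REACH = {
    "edge-A": {"10.1.0.0/24"},
    "edge-B": {"10.1.1.0/24", "192.168.5.0/24"},
    "edge-C": {"10.9.0.0/24", "10.9.1.0/24"},
}

@dataclass(frozen=True)
class ZfwPolicy:          # assumed shape of a zone-based firewall policy
    name: str
    source_zone: str
    destination_zone: str
    action: str           # e.g. "inspect" or "drop"

def segments_in_zone(zone, segment_zone=SEGMENT_ZONE):
    return {seg for seg, z in segment_zone.items() if z == zone}

def edges_reaching(segments, edge_reach=EDGE_REACH):
    """Edge devices that can reach at least one of the given segments."""
    return {edge for edge, reach in edge_reach.items() if reach & segments}

def evaluate_policy(policy, segment_zone=SEGMENT_ZONE, edge_reach=EDGE_REACH):
    """Resolve one ZFW policy into source/destination edges and routes."""
    src_segs = segments_in_zone(policy.source_zone, segment_zone)
    dst_segs = segments_in_zone(policy.destination_zone, segment_zone)
    src_edges = edges_reaching(src_segs, edge_reach)
    dst_edges = edges_reaching(dst_segs, edge_reach)
    # Routing information: one (src segment, src edge, dst edge, dst segment)
    # tuple per reachable pair. Segments outside the two zones never appear.
    routes = sorted(
        (ss, se, de, ds)
        for se in src_edges for ss in edge_reach[se] & src_segs
        for de in dst_edges for ds in edge_reach[de] & dst_segs
    )
    # Each edge is sent only the routes it terminates, plus the policy action.
    per_edge = {e: [r for r in routes if e in (r[1], r[2])]
                for e in src_edges | dst_edges}
    return {"source_edges": src_edges, "destination_edges": dst_edges,
            "routes": routes, "per_edge": per_edge, "action": policy.action}

if __name__ == "__main__":
    result = evaluate_policy(ZfwPolicy("branch-to-dc", "branch", "dc", "inspect"))
    for edge, routes in sorted(result["per_edge"].items()):
        print(edge, result["action"], routes)
```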