US 11,750,563 B2
Flow metadata exchanges between network and security functions for a security service
Anand Oswal, Pleasanton, CA (US); Arivu Mani Ramasamy, San Jose, CA (US); Bhaskar Bhupalam, Fremont, CA (US); and Shu Lin, Saratoga, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Jul. 14, 2021, as Appl. No. 17/376,033.
Application 17/376,033 is a continuation of application No. 17/086,186, filed on Oct. 30, 2020, granted, now 11,095,612.
Prior Publication US 2022/0141184 A1, May 5, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 45/00 (2022.01)
CPC H04L 63/0245 (2013.01) [H04L 45/38 (2013.01); H04L 63/0876 (2013.01); H04L 63/20 (2013.01)] 20 Claims
OG exemplary drawing
1. A system comprising:
a processor configured to:
receive a flow at a network gateway of a security service from a software-defined wide area network (SD-WAN) device, wherein the flow includes a set of network packets associated with a session;
inspect the flow to determine and extract meta information associated with the flow using the network gateway of the security service; and
communicate, from the network gateway of the security service, the meta information associated with the flow in-band on the flow to the SD-WAN device, wherein the meta information is communicated in-band on the flow using encapsulated packet header information, wherein the SD-WAN utilizes the meta information associated with the flow based on a policy without having to use computing resources of the SD-WAN device to perform deep packet inspection in order to obtain the meta information associated with the flow, wherein the policy includes a routing policy or a security policy, and wherein the SD-WAN device enforces the routing policy or the security policy using the meta information associated with the flow; and
a memory coupled to the processor and configured to provide the processor with instructions.
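As an added illustration of the exchange claim 1 describes (example code written for this listing, not from the patent or its assignee): the security gateway inspects a session once, extracts meta information, and returns it in-band by prepending an encapsulation header to the flow's packets, so the SD-WAN device can apply routing and security policy from that header alone. The header layout, the application table, the policy rules and the sample HTTP packet are all constructed for this example.

```python
import struct

MAGIC = b"\xF1\x0E"           # constructed marker for the in-band metadata header
HDR = struct.Struct("!2sH")   # magic, then length of the metadata bytes that follow

# Constructed application table the gateway consults after inspecting the flow.
APP_TABLE = {"mail.example.com": ("email", "collab"),
             "files.example.net": ("filedrop", "file-sharing")}

def inspect_flow(packets):
    """Security-gateway side: one-time inspection of the session's packets.
    Here the first packet is an HTTP/1.1 request; its Host header identifies
    the application, which is mapped to an app name and a category."""
    first = packets[0].decode("ascii", "replace")
    host = next((ln.split(":", 1)[1].strip() for ln in first.split("\r\n")
                 if ln.lower().startswith("host:")), "unknown")
    app, category = APP_TABLE.get(host, ("unknown", "unknown"))
    return {"host": host, "app": app, "category": category}

def encapsulate(packet, meta):
    """Gateway side: carry the metadata in-band by prepending the header."""
    body = ";".join(f"{k}={v}" for k, v in meta.items()).encode()
    return HDR.pack(MAGIC, len(body)) + body + packet

def decapsulate(frame):
    """SD-WAN side: recover metadata from the header; the payload is not parsed."""
    if len(frame) < HDR.size or frame[:2] != MAGIC:
        return {}, frame                      # plain packet, no metadata attached
    _, n = HDR.unpack_from(frame)
    body = frame[HDR.size:HDR.size + n].decode()
    meta = dict(kv.split("=", 1) for kv in body.split(";") if kv)
    return meta, frame[HDR.size + n:]

def sdwan_policy(meta):
    """Routing and security decision taken from the metadata alone (no DPI)."""
    if meta.get("category") == "file-sharing":
        return {"action": "drop", "path": None}          # security policy
    path = "direct-internet" if meta.get("category") == "collab" else "mpls"
    return {"action": "forward", "path": path}           # routing policy

# Constructed sample flow: one HTTP request packet belonging to a session.
SAMPLE_FLOW = [b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"]

def run(flow=SAMPLE_FLOW):
    meta = inspect_flow(flow)                 # gateway inspects the flow once
    frame = encapsulate(flow[0], meta)        # metadata travels in-band on the flow
    meta2, payload = decapsulate(frame)       # SD-WAN device reads only the header
    assert payload == flow[0]                 # the original packet is left intact
    return meta2, sdwan_policy(meta2)

if __name__ == "__main__":
    print(run())
```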