US 12,034,700 B2
Methods for revalidating FQDN rulesets in a firewall
Sushruth Gopal, Palo Alto, CA (US); Jayant Jain, San Jose, CA (US); Davide Celotto, Berkeley, CA (US); and Josh Swerdlow, San Francisco, CA (US)
Assigned to VMware, Inc., Palo Alto, CA (US)
Filed by VMware, Inc., Palo Alto, CA (US)
Filed on Apr. 7, 2020, as Appl. No. 16/841,962.
Prior Publication US 2021/0314299 A1, Oct. 7, 2021
Int. Cl. H04L 29/06 (2006.01); G06F 9/455 (2018.01); H04L 9/40 (2022.01)
CPC H04L 63/0263 (2013.01) [G06F 9/45558 (2013.01); H04L 63/0236 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45595 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for validating a firewall policy rule comprising a source, a destination, and an action, wherein the source or the destination is specified by an expression matching on a fully qualified domain name (FQDN), the expression having a corresponding expression identifier, the method comprising:
in response to detecting a new expression in a policy rule, updating a global version number to a new value;
identifying a particular IP address that corresponds to an FQDN matching on the new expression;
storing an entry comprising the particular IP address, the new expression, and an entry version number in a first data structure, the entry version number being assigned the new value;
in response to detecting a new connection to a destination IP address:
finding a matching entry in the first data structure corresponding to the destination IP address;
determining whether the global version number matches the entry version number for the matching entry; and
in response to determining that the global version number does not match the entry version number for the matching entry, sending update information to a slowpath process that associates an updated configuration information for the matching entry, the update information comprising the destination IP address and an expression of the matching entry to cause the slowpath process to update a second data structure.
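The version-stamp check of claim 1, worked through as an added Python model (this is illustrative code, not the patent's or VMware's implementation). The class and method names, the single-process stand-in for the slowpath, and the IP addresses from the 198.51.100.0/24 documentation range are all constructed for the example; the claim does not say whether the fastpath entry is re-stamped after the update is sent, so that step is an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class FqdnEntry:
    expression: str  # the FQDN expression the address was learnt under
    version: int     # global version number at the time the entry was stored


@dataclass
class FqdnFirewall:
    global_version: int = 0
    expressions: dict = field(default_factory=dict)   # expression id -> expression
    fastpath: dict = field(default_factory=dict)      # first data structure: ip -> FqdnEntry
    slowpath: dict = field(default_factory=dict)      # second data structure: expression -> {ip}
    updates_sent: list = field(default_factory=list)  # (ip, expression) pairs sent to slowpath

    def add_expression(self, expr_id, expression):
        # Detecting a new expression in a policy rule bumps the global version.
        if expr_id in self.expressions:
            return
        self.expressions[expr_id] = expression
        self.global_version += 1

    def learn_address(self, ip, expression):
        # A resolved address for an FQDN matching the expression is stored with the
        # current global version as its entry version (constructed resolution, no DNS).
        self.fastpath[ip] = FqdnEntry(expression, self.global_version)
        self.slowpath.setdefault(expression, set()).add(ip)

    def on_new_connection(self, dst_ip):
        entry = self.fastpath.get(dst_ip)
        if entry is None:
            return "no-match"
        if entry.version == self.global_version:
            return "fresh"
        # Version mismatch: send (ip, expression) to the slowpath so it refreshes the
        # second data structure; re-stamping the entry is an assumption of this model.
        self.updates_sent.append((dst_ip, entry.expression))
        self.slowpath.setdefault(entry.expression, set()).add(dst_ip)
        entry.version = self.global_version
        return "revalidated"


def demo():
    fw = FqdnFirewall()
    fw.add_expression("e1", "*.example.com")
    fw.learn_address("198.51.100.10", "*.example.com")
    first = fw.on_new_connection("198.51.100.10")   # versions match
    fw.add_expression("e2", "*.example.org")        # new expression, global version moves
    second = fw.on_new_connection("198.51.100.10")  # mismatch triggers the slowpath update
    third = fw.on_new_connection("198.51.100.10")   # entry re-stamped, no second update
    return first, second, third, fw.updates_sent
```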