CPC G06F 9/45558 (2013.01) [G06F 9/455 (2013.01); G06F 9/45533 (2013.01); G06F 15/177 (2013.01); H04L 41/08 (2013.01); H04L 41/0803 (2013.01); H04L 41/0806 (2013.01); H04L 41/0813 (2013.01); H04L 41/0823 (2013.01); H04L 41/0889 (2013.01); H04L 41/0893 (2013.01); H04L 41/12 (2013.01); H04L 45/64 (2013.01); H04L 45/74 (2013.01); H04L 49/70 (2013.01); H04L 61/2503 (2013.01); H04L 61/256 (2013.01); H04L 61/2517 (2013.01); H04L 61/2521 (2013.01); H04L 63/0218 (2013.01); H04L 67/1008 (2013.01); G06F 2009/4557 (2013.01); G06F 2009/45595 (2013.01); H04L 45/02 (2013.01); H04L 49/15 (2013.01)]
17 Claims
1. A method of performing firewall operations in a data center comprising a plurality of host computers that execute source and destination machines for data message flows, the method comprising:
deploying a set of two or more firewall modules to execute on a set of two or more host computers to implement a plurality of distributed logical firewalls for a plurality of logical networks, each distributed logical firewall for each logical network identified by a different tag, each distributed logical firewall implemented by at least two firewall modules executing on at least two host computers; and
distributing, to the set of host computers, firewall rules for the set of firewall modules executing on the set of host computers to process,
said distributing comprising distributing to at least one firewall module two different sets of firewall rules for two different logical networks, with each particular distributed set of firewall rules for each particular logical network associated with a particular tag of the particular logical network,
each firewall module processing flows associated with a machine that is associated with each particular logical network by using the particular tag of the particular logical network to identify the set of firewall rules for the particular logical network to examine for the flows.
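As an added illustration of the tag-keyed rule selection in this claim (a constructed toy model, not the patent's own implementation), the following Python shows a controller distributing one rule set per logical network to each host's firewall module, and a module examining only the rule set whose tag matches the logical network of the flow's local machine. Host, machine, tag and address names are invented.

```python
# Constructed toy model of the claim's tag-scoped distributed firewall (not the
# patent's code): a controller pushes one rule set per logical network, keyed by
# that network's tag, to each host's firewall module; the module picks the rule set
# by the tag of the local machine the flow belongs to.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    dst: str              # destination address, or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, dst: str, dport: int) -> bool:
        return self.dst in ("any", dst) and self.dport in (None, dport)

@dataclass
class FirewallModule:
    host: str
    machine_tags: dict          # local machine -> tag of its logical network
    rule_sets: dict = field(default_factory=dict)  # tag -> [Rule]

    def install(self, tag: str, rules: list) -> None:
        """Receive the distributed rule set for one logical network."""
        self.rule_sets[tag] = list(rules)

    def process(self, machine: str, dst: str, dport: int) -> str:
        """Examine only the rule set identified by the machine's network tag."""
        tag = self.machine_tags[machine]
        for rule in self.rule_sets.get(tag, []):
            if rule.matches(dst, dport):
                return rule.action
        return "deny"  # default deny: no rule set installed or nothing matched

def distribute(modules: list, tagged_rules: dict) -> None:
    """Controller side: each host gets the rule sets for the networks it hosts."""
    for m in modules:
        for tag in set(m.machine_tags.values()):
            m.install(tag, tagged_rules[tag])

def demo() -> dict:
    # Two tenants' logical networks reuse 10.0.0.0/24; only the tag tells them apart.
    tagged_rules = {"LN-A": [Rule("10.0.0.20", 443, "allow")],
                    "LN-B": [Rule("any", 22, "allow")]}
    h1 = FirewallModule("host1", {"vm-a1": "LN-A", "vm-b1": "LN-B"})
    h2 = FirewallModule("host2", {"vm-a2": "LN-A"})
    distribute([h1, h2], tagged_rules)
    return {"a_on_h1": h1.process("vm-a1", "10.0.0.20", 443),  # allow
            "b_on_h1": h1.process("vm-b1", "10.0.0.20", 443),  # deny: same packet, LN-B rules
            "a_on_h2": h2.process("vm-a2", "10.0.0.20", 443),  # allow on a second host
            "h2_tags": sorted(h2.rule_sets)}                   # ['LN-A']: host2 gets only LN-A
```

The same destination and port is allowed for the LN-A machine and denied for the LN-B machine on the same host, which is the isolation the per-tag rule-set selection provides when tenants' address spaces overlap.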