CPC H04L 63/0236 (2013.01) [H04L 63/20 (2013.01)]; 20 Claims

1. A non-transitory computer-readable storage medium having computer-readable code stored thereon for programming a host that includes one or more processors to perform steps of:
operating a local security agent that is configured to allow or block flows based on security policies, to implement microsegmentation where policies for allowing or blocking flows are determined and put in place by a cloud service and enforcement of the policies is performed locally in a plurality of hosts including the host, via the local security agent on the host and corresponding local security agents on the plurality of hosts;
responsive to a block of a flow, reconstructing a source and destination of the flow and creating a synthetic audit event based on the reconstructed source and destination that reflects what the flow would have been had it not been blocked, wherein the reconstructing the source and destination comprises using local host-state information without accessing a remote security policy store or a remote network security device, wherein the reconstructing the source and destination of the flow further comprises combining packet metadata, initial sequence numbers, source and destination addresses and ports, network topology information including address or port mappings resulting from network address translation, and identity information of applications running on the source and destination hosts associated with the flow, and wherein the synthetic audit is configured for network debugging in an absence of network connectivity; and
providing the synthetic audit event to the cloud service for analyzing the policies related to the microsegmentation including analyzing the block of the flow.
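The reconstruction step in claim 1, as an added illustration that is not part of the patent or any implementation of it: a local agent that has dropped a SYN combines the packet's 5-tuple and initial sequence number with host-local NAT, socket and cached peer-identity tables (all constructed sample data with assumed shapes) to emit a synthetic audit event describing the flow that would have existed, without contacting the cloud service.

```python
import hashlib
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int
    app: str = "unknown"

@dataclass(frozen=True)
class BlockedPacket:
    """Metadata kept for a dropped packet: 5-tuple, TCP ISN, matching policy."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    isn: int
    policy_id: str

# Constructed local host state (assumed shapes, not defined by the patent).
# NAT table: host-visible (ip, port) -> pre-translation (ip, port) of a local workload.
NAT_TABLE = {("198.51.100.7", 40001): ("10.42.0.12", 8080)}
# Socket table: local (ip, port) -> owning application, as read from the host.
SOCKET_TABLE = {("10.42.0.12", 8080): "payments-api"}
# Peer identities previously pushed by the cloud service and cached locally.
PEER_IDENTITY = {"10.42.0.30": "postgres"}

def resolve(ip: str, port: int) -> Endpoint:
    """Undo NAT from local state, then attach the owning or cached peer application."""
    ip, port = NAT_TABLE.get((ip, port), (ip, port))
    app = SOCKET_TABLE.get((ip, port)) or PEER_IDENTITY.get(ip, "unknown")
    return Endpoint(ip, port, app)

def synthetic_audit_event(pkt: BlockedPacket) -> dict:
    """Build the event a real flow would have produced had the policy allowed it."""
    src, dst = resolve(pkt.src_ip, pkt.src_port), resolve(pkt.dst_ip, pkt.dst_port)
    # Flow id from the 5-tuple plus ISN: retransmitted SYNs of one attempt collapse
    # into one event, while separate attempts stay distinct.
    key = f"{pkt.proto}|{src.ip}:{src.port}|{dst.ip}:{dst.port}|{pkt.isn}"
    return {
        "type": "synthetic_audit",
        "flow_id": hashlib.sha256(key.encode()).hexdigest()[:16],
        "action": "blocked",
        "policy_id": pkt.policy_id,
        "source": asdict(src),
        "destination": asdict(dst),
        "would_have_been": f"{src.app}@{src.ip}:{src.port} -> {dst.app}@{dst.ip}:{dst.port}",
    }
```

The resulting dictionary is what the agent would queue for upload to the cloud service; because every lookup is against in-memory host state, it can be produced while the host has no network connectivity.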