US 12,132,709 B2
Firewall offloading
Tayfun Gol, Pittsburgh, PA (US); Christopher Adam Telfer, Windber, PA (US); and Gad Leshem, Mars, PA (US)
Assigned to Sophos Limited, Abingdon (GB)
Filed by Sophos Limited, Abingdon (GB)
Filed on Nov. 22, 2021, as Appl. No. 17/532,128.
Claims priority of provisional application 63/177,018, filed on Apr. 20, 2021.
Prior Publication US 2022/0337555 A1, Oct. 20, 2022
Int. Cl. H04L 9/40 (2022.01); H04L 101/622 (2022.01)
CPC H04L 63/0263 (2013.01) [H04L 63/0236 (2013.01); H04L 63/029 (2013.01); H04L 63/20 (2013.01); H04L 63/0272 (2013.01); H04L 2101/622 (2022.05)]
21 Claims
1. A method comprising:
providing a first path for network traffic through a firewall on a host device;
providing a second path for the network traffic that bypasses the firewall through an offload module, the offload module configured to receive a valid state for the network traffic from the firewall, to bypass the firewall for a network flow having the valid state, and to return the network flow to the firewall when the network flow does not match the valid state;
directing the network flow including one or more packets along the first path to the firewall;
applying one or more firewall rules to the network flow with the firewall;
in response to determining with the firewall that the network flow is permitted by the one or more firewall rules, communicating to the offload module (a) the valid state for the network flow including one or more properties of headers for packets in the network flow, and (b) an instruction for the offload module to handle the packets for the network flow along the second path subject to the valid state; and
in response to determining with the offload module that the network flow handled by the offload module on the second path does not match the valid state, invalidating a state stored by the offload module as corresponding to the network flow and returning the network flow to the first path through the firewall.
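The two-path flow of claim 1 can be modeled in a few lines. This is an added illustration, not code from the patent or from Sophos. The class names, the port allow-list rule, and the choice of source MAC plus absence of SYN/FIN/RST flags as the "valid state" are all assumptions made for the sketch.

```python
from dataclasses import dataclass

CONTROL = frozenset({"SYN", "FIN", "RST"})  # assumed: these flags need full inspection

@dataclass(frozen=True)
class Packet:
    src_mac: str
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset({"ACK"})

    @property
    def key(self):  # flow identity shared by both paths
        return (self.src, self.dst, self.sport, self.dport)

class Firewall:
    """First path: full rule evaluation (constructed rule: allow-list of dst ports)."""
    def __init__(self, allowed_ports, offload):
        self.allowed_ports, self.offload, self.inspected = allowed_ports, offload, 0

    def handle(self, pkt):
        self.inspected += 1
        if pkt.dport not in self.allowed_ports:
            return "drop"
        if not pkt.flags & CONTROL:
            # Permitted steady-state flow: hand the valid state to the offload module.
            self.offload.table[pkt.key] = {"src_mac": pkt.src_mac}
        return "forward"

class Offload:
    """Second path: forwards only packets that match the installed valid state."""
    def __init__(self):
        self.table, self.firewall = {}, None

    def receive(self, pkt):
        state = self.table.get(pkt.key)
        if state and pkt.src_mac == state["src_mac"] and not pkt.flags & CONTROL:
            return "offload:forward"
        self.table.pop(pkt.key, None)  # mismatch: invalidate the stored state
        return "firewall:" + self.firewall.handle(pkt)  # back to the first path

def build(allowed_ports):
    """Wire an offload module to a firewall and return the packet entry point."""
    offload = Offload()
    offload.firewall = Firewall(allowed_ports, offload)
    return offload
```

The `inspected` counter shows how many packets paid the full rule-evaluation cost; a packet that fails the state check is never forwarded by the offload module on its own authority.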