-
Publication No.: US12225013B2
Publication Date: 2025-02-11
Application No.: US18353238
Filing Date: 2023-07-17
Applicant: Palo Alto Networks, Inc.
Inventor: Ory Segal, Yuri Shapira, Avraham Shulman, Benny Nissimov, Shaked Zin
Abstract: A method for securing a serverless application including: (a) receiving a list of components which make up the serverless application and one or more intended usage flows of the serverless application; (b) creating and applying a security policy for each component of the serverless application, the security policy denying all access requests except from authorized components, wherein the authorized components are selected based on access requirements dictated by the one or more intended usage flows.
-
Publication No.: US11477168B2
Publication Date: 2022-10-18
Application No.: US17646522
Filing Date: 2021-12-30
Applicant: Palo Alto Networks, Inc.
Inventor: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
Abstract: To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application and thus will not be used are disabled. As a result, security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.
-
Publication No.: US20230129362A1
Publication Date: 2023-04-27
Application No.: US18146658
Filing Date: 2022-12-27
Applicant: Palo Alto Networks, Inc.
Inventor: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
Abstract: A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.
-
Publication No.: US11228565B1
Publication Date: 2022-01-18
Application No.: US17111733
Filing Date: 2020-12-04
Applicant: Palo Alto Networks, Inc.
Inventor: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
Abstract: To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application and thus will not be used are disabled. As a result, security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.
-
Publication No.: US11575651B2
Publication Date: 2023-02-07
Application No.: US17139103
Filing Date: 2020-12-31
Applicant: Palo Alto Networks, Inc.
Inventor: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
Abstract: A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.
-
Publication No.: US20220210122A1
Publication Date: 2022-06-30
Application No.: US17139103
Filing Date: 2020-12-31
Applicant: Palo Alto Networks, Inc.
Inventor: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
Abstract: A configuration of a cloud application exposed via a public IP address is duplicated with modifications to include a private IP address to expose the application internally. The original configuration is updated so that external network traffic sent to the application is redirected to and distributed across agents running on nodes of a cloud cluster by which web application firewalls (WAFs) are implemented. A set of agents for which the respective WAFs should inspect the redirected network traffic are selected based on cluster metrics, such as network and resource utilization metrics. The redirected network traffic targets a port allocated to the agents that is unique to the application, where ports are allocated on a per-application basis so each of the agents can support WAF protection for multiple applications. Network traffic which a WAF allows to pass is directed from the agent to the application via its private IP address.
-
Publication No.: US20220182360A1
Publication Date: 2022-06-09
Application No.: US17646522
Filing Date: 2021-12-30
Applicant: Palo Alto Networks, Inc.
Inventor: Liron Levin, Isaac Schnitzer, Elad Shuster, Ory Segal
Abstract: To dynamically determine and apply WAF protections for an application deployed to the cloud, exposed entities are identified. The identified entities are further evaluated to determine whether the application is eligible for WAF protection based on whether the application uses a protocol that is compatible with WAF protection. If the application is eligible for WAF protection, after instantiating a WAF, WAF protections that should be enabled or disabled are determined based on characteristics of the application that are identified at runtime. The WAF can then be configured based on the identified protections such that those which are pertinent to the application will be enabled, while those which are not applicable to the application and thus will not be used are disabled. As a result, security provided by the WAF for a cloud application is tailored to the application based on information about the application gathered in the cloud deployment environment.