Title: Adding firewall security policy dynamically to support group VPN
Abstract: A server device receives, from a member device, a registration request for a group virtual private network (VPN) and provides an initial firewall security policy for the group VPN. The server device receives instructions for a policy configuration change and sends, to the member device, a push message that includes dynamic policies to implement the policy configuration change. The dynamic policies are implemented as a subset of a template policy. The member device receives the push message with the dynamic policies, associates the dynamic policies with the template policy, and applies the initial security policy data and the dynamic policies to incoming traffic without the need for a reboot of the member device.
Publication number: US9112911(B1) Publication date: 2015.08.18
Application number: US201112984014 Filing date: 2011.01.04
Applicant: Juniper Networks, Inc. Inventor: Karhade Madhav
Classification: G06F17/00;H04L29/06;G06F21/62;G06F21/60 Main classification: G06F17/00
Agent: Harrity & Harrity, LLP Attorney: Harrity & Harrity, LLP
Main claim: 1. A method comprising:
sending, by a device, a registration request to register the device to be part of a group virtual private network (VPN);
receiving, by the device, initial security policy data after sending the registration request, the initial security policy data being associated with a first version;
receiving, by the device, information regarding a policy change to be implemented by the device without rebooting or reconfiguring the device, the policy change being associated with a second version that is different from the first version, the policy change being associated with one or more dynamic policies to be implemented as a subset of a template policy that is included in the initial security policy data, and the template policy defining one or more ranges of addresses associated with the subset and one or more other subsets of the template policy;
associating, by the device, the one or more dynamic policies with the template policy to obtain updated security policy data;
performing, by the device, a security policy lookup for an incoming packet;
determining that there is no match with a configured policy based on the security policy lookup for the incoming packet;
determining whether the incoming packet is within a scope of the template policy in response to determining that there is no match with the configured policy; and
selectively applying the template policy or a default policy to the incoming packet without rebooting the device by:
applying the template policy to the incoming packet in response to the incoming packet being within the scope of the template policy and without rebooting the device, or
applying the default policy to the incoming packet in response to the incoming packet not being within the scope of the template policy and without rebooting the device.
Address: Sunnyvale CA US
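The lookup order in claim 1 (configured policy first, then the template scope, then the default policy) and the version-tagged push of dynamic policies that are subsets of the template, shown as an added Python model. This is example code written for this record; it is not part of the patent and not Juniper's implementation. The Policy and MemberDevice classes, the sample address ranges, the status strings returned by receive_push, and the choice to consult pushed dynamic policies ahead of the bare template are all constructed assumptions; the claim itself does not fix where dynamic policies sit in the lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """A firewall policy scoped by source/destination prefix (constructed model)."""
    name: str
    src: str      # CIDR prefix, e.g. "192.168.0.0/16"
    dst: str
    action: str   # e.g. "permit", "deny", "encrypt"

    def __post_init__(self) -> None:
        self.src_net = ip_network(self.src)
        self.dst_net = ip_network(self.dst)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src_net and ip_address(dst_ip) in self.dst_net

    def within(self, template: "Policy") -> bool:
        """True when this policy's address scope is a subset of the template's ranges."""
        return (self.src_net.subnet_of(template.src_net)
                and self.dst_net.subnet_of(template.dst_net))


class MemberDevice:
    """Group VPN member holding configured policies, a template policy and pushed dynamic policies."""

    def __init__(self, configured, template, default_action="deny"):
        self.version = 1                  # version of the initial security policy data
        self.configured = list(configured)
        self.template = template
        self.dynamic = []                 # subsets of the template, supplied by server pushes
        self.default_action = default_action

    def receive_push(self, version, dynamic_policies):
        """Apply a server push without a reboot; returns a status string (assumed API)."""
        if version <= self.version:
            return "stale"                # replayed or out-of-order push: keep current data
        for p in dynamic_policies:
            if not p.within(self.template):
                return f"rejected: {p.name} is outside the template scope"
        # Associate the dynamic policies with the template; the next lookup
        # already sees the updated security policy data, no restart required.
        self.dynamic = list(dynamic_policies)
        self.version = version
        return "applied"

    def lookup(self, src_ip, dst_ip):
        """Security policy lookup in the claimed order; returns (action, policy name)."""
        for p in self.configured:                    # 1. explicitly configured policies
            if p.matches(src_ip, dst_ip):
                return p.action, p.name
        for p in self.dynamic:                       # 2. dynamic policies scoped under the template
            if p.matches(src_ip, dst_ip):
                return p.action, p.name
        if self.template.matches(src_ip, dst_ip):    # 3. packet within the template scope
            return self.template.action, self.template.name
        return self.default_action, "default"        # 4. otherwise the default policy


def build_demo_device():
    """Constructed sample data: one configured policy and a /16 -> /12 template."""
    configured = [Policy("mgmt", "10.0.0.0/24", "10.1.0.0/24", "permit")]
    template = Policy("gvpn-template", "192.168.0.0/16", "172.16.0.0/12", "encrypt")
    return MemberDevice(configured, template)


if __name__ == "__main__":
    dev = build_demo_device()
    print(dev.lookup("192.168.10.7", "172.16.5.3"))   # template applies before any push
    print(dev.receive_push(2, [Policy("branch-a", "192.168.10.0/24", "172.16.5.0/24", "deny")]))
    print(dev.lookup("192.168.10.7", "172.16.5.3"))   # the pushed dynamic policy now decides
    print(dev.lookup("8.8.8.8", "1.1.1.1"))           # outside the template scope: default policy
```

Two checks in receive_push carry the security weight: a push whose version is not newer than the member's current version is ignored, so a replayed or reordered push cannot roll policy back, and a dynamic policy whose prefixes are not subnets of the template's ranges is refused, so a push can only narrow behaviour inside the scope the initial policy data already granted.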