Automatic detection method and apparatus for next generation firewall

By generating SKB messages to perform multiple security checks and log abnormal modules, the problem of difficult troubleshooting of next-generation firewalls has been solved, enabling rapid fault recovery and efficient diagnosis.

CN117955715B · Active · Publication Date: 2026-06-19 · HANGZHOU DPTECH TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
HANGZHOU DPTECH TECH
Filing Date
2024-01-25
Publication Date
2026-06-19

Abstract

This application relates to an automatic detection method and apparatus for next-generation firewalls. The method includes: generating SKB packets based on packet header information and a probe table; periodically sending the SKB packets to the software packet receiving entry point of the next-generation firewall; the next-generation firewall performing multiple security checks on the SKB packets based on a preset policy; storing the detection results of the multiple security checks in the probe table; identifying abnormal software modules based on the detection results in the probe table; and generating alarm logs based on the abnormal software modules to automatically notify users. This application can automatically detect each software module in the forwarding path of a next-generation firewall and automatically record abnormal modules, thereby enabling automatic and rapid network recovery in the event of a firewall failure, and also improving fault diagnosis efficiency.

Description

Technical Field

[0001] This disclosure relates to the field of computer information processing, and more specifically, to an automatic detection method and apparatus for next-generation firewalls.

Background Technology

[0002] In the network security hardware market, firewalls are the largest single product category with the widest range of applications, and even amid the trend toward cloud they still hold the top position in market share. Firewalls are deployed extensively at network boundaries. As the internet has grown, the types and number of network applications have increased dramatically, the number of users has surged, and bandwidth has grown significantly. At the same time, network applications have become more complex, and so has boundary protection: it often requires a combination of firewall, IPS, WAF, auditing and scrubbing devices deployed in series at the boundary, each implementing a different protection service. Such a chain of devices raises both the maintenance burden and the overall failure rate. Next-generation firewalls emerged in this context. They inherit the routing and switching functions of basic network devices while adding rich application-layer protection, so that a single next-generation firewall deployed at the boundary can provide a complete boundary security pool.

[0003] Next-generation firewalls integrate a wealth of network and security features. When a packet is forwarded in software inside a next-generation firewall, it passes not only through the necessary routing, switching and traditional firewall protection but also through numerous security protection processes, which raises the probability that the firewall fails. A failure in any software component leads to abnormal network transmission, and because packets are handed from one software component to the next, locating the fault is very difficult: simple packet capture no longer suffices for diagnosis, software-based methods only support analysis after the incident, and the time to restore service is too long. This cannot meet the high real-time requirements of current networks.

[0004] Therefore, a new automatic detection method and device are needed for next-generation firewalls.

[0005] The information disclosed in the background section is only intended to enhance the understanding of the background of this application, and therefore may include information that does not constitute prior art known to those skilled in the art.

Summary of the Invention

[0006] In view of this, this application provides an automatic detection method and apparatus for next-generation firewalls, which can automatically detect each software module of the forwarding path in the next-generation firewall and can automatically record abnormal modules, thereby enabling automatic and rapid network recovery when firewall failure occurs, and can also provide the cause of the failure to improve diagnostic efficiency.

[0007] Other features and advantages of this application will become apparent from the following detailed description, or may be learned in part from practice of this application.

[0008] According to one aspect of this application, an automatic detection method for a next-generation firewall is proposed. The method includes: generating SKB packets based on packet header information and a probe table; periodically sending the SKB packets to the software packet receiving entry of the next-generation firewall; the next-generation firewall performing multiple security checks on the SKB packets based on a preset policy; storing the detection results of the multiple security checks in the probe table; identifying abnormal software modules based on the detection results in the probe table; and generating alarm logs based on the abnormal software modules to automatically notify users.

[0009] In one exemplary embodiment of this application, generating an SKB packet based on packet header information and a probe table includes: generating packet header information through configuration information of a next-generation firewall; determining probe table fields based on entries in the probe table; and generating the SKB packet using the packet header information and the probe table fields.

[0010] In one exemplary embodiment of this application, generating packet header information through the configuration information of a next-generation firewall includes: extracting the forwarding software module identifier and forwarding principle through the configuration information of the next-generation firewall; and generating the packet header information through the software module identifier and forwarding principle.

[0011] In one exemplary embodiment of this application, generating the SKB packet using the packet header information and the probe table field includes: determining data segment information; determining a probe identifier; and assembling the packet header information, the data segment information, the probe table field, and the probe identifier to generate the SKB packet.

[0012] In one exemplary embodiment of this application, periodically sending the SKB packet to the software packet receiving entry of the next-generation firewall includes: the network card driver periodically sending the SKB packet to the software packet receiving entry of the next-generation firewall.

[0013] In one exemplary embodiment of this application, the next-generation firewall performs multiple security checks on the SKB packet based on a preset policy, including: the next-generation firewall performs packet legitimacy verification on the SKB packet; and / or the next-generation firewall matches the SKB packet with Layer 2 or Layer 3 entries; and / or the next-generation firewall matches the SKB packet with destination NAT; and / or the next-generation firewall performs protocol state detection on the SKB packet; and / or the next-generation firewall matches the SKB packet with blacklists and whitelists; and / or the next-generation firewall performs security domain detection on the SKB packet; and / or the next-generation firewall matches the SKB packet with packet filtering; and / or the next-generation firewall performs security protection detection on the SKB packet.

[0014] In one exemplary embodiment of this application, storing the detection results of the multiple security checks in the probe table includes: determining a detection flag for each detection item during the multiple security checks; and updating the detection flag based on the detection result, the detection flag taking the value 1 or 0.

[0015] In one exemplary embodiment of this application, generating an alarm log based on the abnormal software module to automatically notify the user includes: generating an alarm log according to the identifier, probe table number, and error code of the abnormal software module; and automatically sending the alarm log to the associated user.

[0016] In one exemplary embodiment of this application, the method further includes: discarding the SKB packet after the multiple security checks have been completed.

[0017] According to one aspect of this application, an automatic detection device for a next-generation firewall is proposed. The device includes: a packet generation module for generating SKB packets based on packet header information and a probe table; a sending module for periodically sending the SKB packets to the software packet receiving entry point of the next-generation firewall; a detection module for performing multiple security checks on the SKB packets based on a preset policy; a storage module for storing the detection results of the multiple security checks in the probe table; an identification module for identifying abnormal software modules based on the detection results in the probe table; and an alarm module for generating alarm logs based on the abnormal software modules to automatically notify users.

[0018] According to one aspect of this application, an electronic device is provided, comprising: one or more processors; a storage device for storing one or more programs; and, when the one or more programs are executed by the one or more processors, causing the one or more processors to implement the method as described above.

[0019] According to one aspect of this application, a computer-readable medium is provided having a computer program stored thereon that, when executed by a processor, implements the method described above.

[0020] According to the automatic detection method and apparatus for next-generation firewalls of this application, SKB packets are generated based on packet header information and a probe table; the SKB packets are periodically sent to the software packet receiving entry of the next-generation firewall; the next-generation firewall performs multiple security checks on the SKB packets based on a preset policy; the detection results of the multiple security checks are stored in the probe table; abnormal software modules are identified based on the detection results in the probe table; and alarm logs are generated based on the abnormal software modules to automatically notify users. This method can automatically detect each software module in the forwarding path of the next-generation firewall and automatically record abnormal modules, thereby enabling automatic and rapid network recovery when firewall failures occur, and also providing fault cause and improving diagnostic efficiency.

[0021] It should be understood that the above general description and the following detailed description are merely exemplary and do not limit this application.

Description of the Drawings

[0022] The above and other objects, features, and advantages of this application will become more apparent from the detailed description of exemplary embodiments with reference to the accompanying drawings. The drawings described below are merely some embodiments of this application, and those skilled in the art can obtain other drawings based on these drawings without any inventive effort.

[0023] Figure 1 is a flowchart illustrating an automatic detection method for a next-generation firewall according to an exemplary embodiment.

[0024] Figure 2 is a flowchart illustrating an automatic detection method for a next-generation firewall according to another exemplary embodiment.

[0025] Figure 3 is a flowchart illustrating an automatic detection method for a next-generation firewall according to another exemplary embodiment.

[0026] Figure 4 is a block diagram illustrating an automatic detection device for a next-generation firewall according to an exemplary embodiment.

[0027] Figure 5 is a block diagram illustrating an electronic device according to an exemplary embodiment.

[0028] Figure 6 is a block diagram illustrating a computer-readable medium according to an exemplary embodiment.

Detailed Description

[0029] Exemplary embodiments will now be described more fully with reference to the accompanying drawings. However, these exemplary embodiments can be implemented in many forms and should not be construed as limited to the embodiments set forth herein; rather, they are provided so that this application will be thorough and complete, and will fully convey the concept of the exemplary embodiments to those skilled in the art. The same reference numerals in the drawings denote the same or similar parts, and therefore repeated descriptions of them will be omitted.

[0030] Furthermore, the described features, structures, or characteristics can be combined in any suitable manner in one or more embodiments. Numerous specific details are provided in the following description to give a thorough understanding of embodiments of this application. However, those skilled in the art will recognize that the technical solutions of this application can be practiced without one or more of the specific details, or other methods, components, apparatuses, steps, etc., can be employed. In other instances, well-known methods, apparatuses, implementations, or operations are not shown or described in detail to avoid obscuring various aspects of this application.

[0031] The block diagrams shown in the accompanying drawings are merely functional entities and do not necessarily correspond to physically independent entities. That is, these functional entities can be implemented in software, in one or more hardware modules or integrated circuits, or in different network and / or processor devices and / or microcontroller devices.

[0032] The flowcharts shown in the accompanying drawings are merely illustrative and do not necessarily include all content and operations / steps, nor do they necessarily have to be performed in the described order. For example, some operations / steps can be broken down, while others can be combined or partially combined; therefore, the actual execution order may change depending on the specific circumstances.

[0033] It should be understood that although the terms first, second, third, etc., may be used herein to describe various components, these components should not be limited by these terms. These terms are used to distinguish one component from another. Therefore, the first component discussed below may be referred to as the second component without departing from the teachings of this application. As used herein, the term "and / or" includes all combinations of any one and more of the associated listed items.

[0034] Those skilled in the art will understand that the accompanying drawings are merely schematic diagrams of exemplary embodiments, and the modules or processes in the drawings are not necessarily essential for implementing this application, and therefore cannot be used to limit the scope of protection of this application.

[0035] The technical abbreviations used in this application are explained as follows:

[0036] A next-generation firewall (NGFW) is a high-performance firewall capable of comprehensively addressing application-layer threats. On top of the basic functions of a traditional firewall (packet filtering, NAT, protocol state inspection, VPN, etc.), it adds protection against application-layer attacks. Application-layer attacks are a broad category that breaks down into several protection services, such as attack defense, vulnerability protection and virus protection. An NGFW therefore integrates multiple service functions: traditional routing and switching features, traditional firewall features, and rich application-layer security protection capabilities.

[0037] This application divides the next-generation firewall functionality into three main parts: routing and switching functions (Layer 2 and 3 forwarding), traditional firewall functions (packet filtering, NAT, protocol state inspection, blacklists and whitelists, VPN, etc.), and application security protection functions (traffic scrubbing, vulnerability protection, website protection, attack defense, virus protection, threat intelligence blocking, application access control, bandwidth management, behavior management, etc.).

[0038] Routing and switching function: This invention mainly refers to Layer 2 / 3 forwarding, which is the function of forwarding by matching MAC tables / routing tables.

[0039] Traditional FW functions: This invention mainly involves security domains, packet filtering, NAT, protocol state detection, and blacklists / whitelists.

[0040] Application security protection functions: This invention mainly involves traffic scrubbing, vulnerability protection, website protection, attack defense, virus protection, threat intelligence blocking, application access control, bandwidth management, and behavior management.

[0041] SKB packet: SKB is short for socket buffer (sk_buff), the key data structure of the Linux network stack that holds a received or transmitted packet together with its metadata (header offsets, network device, protocol and so on). In this application, SKB packets mainly refer to packets forwarded by the NGFW, containing complete header and data information.

[0042] The applicant in this case discovered that current main technical solutions rely on developing custom debugging methods for each software module, or on capturing packets after a failure to identify the fault, and then circumventing it by bypassing software modules or modifying configurations. Existing technical solutions can only diagnose network failures after they occur; NGFW software modules are numerous, making troubleshooting difficult and time-consuming.

[0043] In view of this, this application proposes an automatic detection method for next-generation firewalls. It periodically simulates the entire software forwarding process for SKB packets in software; if an anomaly occurs, the abnormal software module is automatically bypassed and the anomaly information is recorded. The probe SKB packets are mainly ICMP and TCP packets: each ICMP probe includes a request and a reply packet, and each TCP probe involves a three-way handshake. The packet header information (Layer 2 MAC header, VLAN tag, Layer 3 IP header, Layer 4 port numbers) is selected from the Layer 2 and Layer 3 forwarding entries together with the security domain, packet filtering, NAT and blacklist / whitelist configuration, so that the probe is able to pass every module. This application can solve the problems of difficult troubleshooting and slow recovery in NGFW networks. The following detailed description of this application is provided with reference to specific embodiments.

[0044] Figure 1 is a flowchart illustrating an automatic detection method for a next-generation firewall according to an exemplary embodiment. The automatic detection method 10 for a next-generation firewall includes at least steps S102 to S112.

[0045] As shown in Figure 1, in S102, an SKB packet is generated based on the packet header information and the probe table. For example, the packet header information can be generated using the configuration information of the next-generation firewall; the probe table fields can be determined according to the entries in the probe table; and the SKB packet can be generated using the packet header information and the probe table fields.

[0046] In S104, the SKB packets are periodically sent to the software packet receiving entry of the next-generation firewall. The network card driver periodically sends the SKB packets to the software packet receiving entry of the next-generation firewall.

[0047] More specifically, for example, a scheduled task can be implemented in the driver to periodically send SKB packets to the firewall. This can be done using timer mechanisms provided in the Linux kernel, such as the mod_timer function, or by registering a network protocol handling function responsible for passing the SKB to the firewall software's packet receiving entry point.

[0048] In S106, the next-generation firewall performs multiple security checks on the SKB packet based on preset policies. For example, the next-generation firewall may perform packet legitimacy checks; it may also match the SKB packet with Layer 2 or Layer 3 entries; it may match the SKB packet with destination NAT; it may perform protocol state checks; it may match the SKB packet with blacklists and whitelists; it may perform security domain checks; it may match packet filtering; and it may perform security protection checks.

[0049] In one embodiment, the method further includes discarding the SKB packet after the multiple security checks have been completed. The SKB packet is discarded after the last check so that it is not forwarded out of the device and does not affect normal packet forwarding.

[0050] In this application, the software modules mainly include routing and switching functions (MAC table / routing table matching), traditional FW functions (security domain, packet filtering, NAT, protocol state detection, blacklists and whitelists), and application security protection functions (traffic scrubbing, vulnerability protection, website protection, attack defense, virus protection, threat intelligence blocking, application access control, bandwidth management, and behavior management).

[0051] In S108, the detection results of the multiple security checks are stored in the probe table. For example, during the multiple security checks a detection flag is determined for each detection item and updated according to its result; the flag takes the value 1 or 0.

[0052] In S110, the abnormal software modules are determined based on the detection results in the probe table. For example, query and filtering rules are formulated for the abnormal conditions and used to extract the records related to the anomaly from the probe table, for instance records whose flag is 1 or whose error code lies within a certain range. Each abnormal record is associated with a specific software module: its number or other identifier determines which software module's forwarding result is abnormal.

[0053] In specific application scenarios, after the probe message completes the last forwarding module, based on the probe table information in SKB, the software modules marked as abnormal are marked as bypass and the probe table information is logged to the user. Subsequent business messages skip the corresponding modules. However, the routing and switching function and the NAT module cannot be skipped because they involve forwarding path lookup; they can only be logged.

[0054] In S112, an alarm log is generated based on the abnormal software module to automatically notify the user. The alarm log is generated according to the identifier, probe table number, and error code of the abnormal software module; the alarm log is then automatically sent to the associated user.

[0055] More specifically, the alarm log can contain detailed information about each anomaly, including the software module identifier, the time of occurrence, and the error code. Further in-depth analysis of the anomalies can be performed to determine their root cause. This may involve reviewing relevant logs, examining the software module's code, and debugging.

[0056] In practical applications, appropriate measures can be taken to resolve problems based on the results of anomaly analysis. This may include fixing errors in software modules, optimizing configurations, and updating software versions.

[0057] According to the automatic detection method for next-generation firewalls of this application, SKB packets are generated based on packet header information and a probe table; the SKB packets are periodically sent to the software packet receiving entry of the next-generation firewall; the next-generation firewall performs multiple security checks on the SKB packets based on a preset policy; the detection results of the multiple security checks are stored in the probe table; abnormal software modules are identified based on the detection results in the probe table; and alarm logs are generated based on the abnormal software modules to automatically notify users. This method can automatically detect each software module in the forwarding path of the next-generation firewall and can automatically record abnormal modules, thereby enabling automatic and rapid network recovery when firewall failures occur, and also providing fault cause and improving diagnostic efficiency.

[0058] The automatic detection method for next-generation firewalls according to this application can establish a continuous monitoring mechanism to ensure timely detection and resolution of anomalies. This may include periodically analyzing probe tables and setting automatic alerts. The anomaly detection system can also be optimized and improved based on the results of continuous monitoring. This may require adjusting anomaly conditions and improving data analysis methods.

[0059] It should be clearly understood that this application describes how specific examples are formed and used, but the principles of this application are not limited to any details of these examples. Rather, based on the teachings of the disclosure of this application, these principles can be applied to many other embodiments.

[0060] Figure 2 is a flowchart illustrating an automatic detection method for a next-generation firewall according to an exemplary embodiment. The process 20 shown in Figure 2 describes in detail step S102 of the flowchart in Figure 1, "generating an SKB packet based on packet header information and a probe table".

[0061] As shown in Figure 2, in S202, packet header information is generated using the configuration information of the next-generation firewall. The forwarding software module identifier and forwarding principles can be extracted from the configuration information of the next-generation firewall; the packet header information is then generated using the software module identifier and forwarding principles.

[0062] In one embodiment, the header information of probe packets can be filtered through configuration information for the probe packet sending module to assemble probe packets. The filtering principle is that the packet must be able to pass through all forwarding software modules, such as conforming to the security domain forwarding principle, passing packet filtering, having Layer 2 and Layer 3 entries, and matching NAT if it is a Layer 3 packet.

[0063] In S204, the probe table fields are determined based on the entries in the probe table.

[0064] In practical applications, probe tables can be used to record the results of probe messages during the forwarding process. The format of the probe table is shown in the table below. The number, flag, and error code in the probe table can completely record the forwarding results of each module. SKB will add a probe table field to store this table entry.

[0065] Number: the number corresponds one-to-one with each software module and identifies which module's forwarding result the current record belongs to.

[0066] Flags: Flags indicate whether there is an anomaly. 0 indicates normal forwarding, and 1 indicates abnormal forwarding.

[0067] Error codes: Error codes represent error types and are defined by each module. They can be used as data support for subsequent problem analysis.

[0068] Below is an example of a probe table:

[0069]

  Number  Module                       Flag     Error code
  0       Layer 2 table                0 or 1   X (defined by the software module)
  1       Routing table                0 or 1   X (defined by the software module)
  2       Destination NAT              0 or 1   X (defined by the software module)
  3       State detection              0 or 1   X (defined by the software module)
  4       Blacklists and whitelists    0 or 1   X (defined by the software module)
  5       Security domain              0 or 1   X (defined by the software module)
  6       Packet filter                0 or 1   X (defined by the software module)
  7       Traffic scrubbing            0 or 1   X (defined by the software module)
  8       Vulnerability protection     0 or 1   X (defined by the software module)
  9       Website protection           0 or 1   X (defined by the software module)
  10      Attack defense               0 or 1   X (defined by the software module)
  11      Virus protection             0 or 1   X (defined by the software module)
  12      Threat intelligence          0 or 1   X (defined by the software module)
  13      Application access control   0 or 1   X (defined by the software module)
  14      Bandwidth management         0 or 1   X (defined by the software module)
  15      Behavior management          0 or 1   X (defined by the software module)

[0070] In S206, the SKB packet is generated using the packet header information and the probe table field. For example, this can be achieved by determining the data segment information; determining a probe identifier; and assembling the packet header information, the data segment information, the probe table field, and the probe identifier to generate the SKB packet.

[0071] The parts are assembled to form a complete SKB. A complete SKB mainly includes:

[0072] Header segment: the packet header information selected by the header filtering module is filled into the SKB header segment.

[0073] Data segment: an ICMP request and reply, or a TCP three-way handshake (SYN / SYN-ACK / ACK).

[0074] Probe table field: a field added to the SKB to carry the probe table.

[0075] Probe identifier: a field added to the SKB and set to 1, indicating that this is a probe packet.

[0076] The assembled packet (SKB) is periodically sent by the network card driver to the software forwarding entry, simulating a business packet.
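As an added example (not code from the patent or from the assignee), the following user-space C program assembles the probe packet that S202 to S206 and paragraphs [0071] to [0076] describe: a Layer 2 header with a VLAN tag, an IPv4 header, an ICMP echo request or reply as the data segment, plus a probe table field and a probe identifier carried alongside the packet bytes rather than inside them. The fw_config struct, the MAC and IP addresses, the VLAN ID, the 8-byte payload and the probe_skb layout are assumptions; a kernel implementation would allocate an sk_buff and fill the same fields. Keeping the probe identifier in SKB metadata rather than in the wire bytes is the check a practitioner should insist on: S330 marks modules as bypassed for subsequent business traffic, so a probe flag that could be set by a packet arriving from the network would let an outsider switch off protection modules.

```c
/* Added example, not the patent's own code: assemble the probe packet of
 * S202..S206 in user space as a byte buffer plus the probe table field and
 * probe identifier the text attaches to the SKB. fw_config, the addresses,
 * the VLAN ID and the probe_skb layout are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PROBE_MODULES 16           /* numbers 0..15 of the probe table */
#define ETH_VLAN_HLEN 18           /* 14-byte Ethernet header + 4-byte 802.1Q tag */

struct probe_entry { uint8_t number, flag; uint16_t err; };

/* Header values the probe-sending module filters out of the firewall
 * configuration so the probe satisfies every forwarding module ([0062]):
 * MACs with Layer 2 entries, an existing VLAN, a flow the packet filter permits. */
struct fw_config {
    uint8_t  dst_mac[6], src_mac[6];
    uint16_t vlan_id;
    uint32_t src_ip, dst_ip;       /* host byte order */
};

struct probe_skb {
    uint8_t  data[128];            /* packet bytes: header segment + data segment */
    size_t   len;
    uint8_t  probe_id;             /* 1 marks a probe packet ([0075]); metadata, not wire bytes */
    struct probe_entry table[PROBE_MODULES];   /* probe table field ([0074]) */
};

/* RFC 1071 ones'-complement checksum, used by both IPv4 and ICMP. */
uint16_t inet_csum(const uint8_t *buf, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)buf[i] << 8 | buf[i + 1];
    if (len & 1) sum += (uint32_t)buf[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* icmp_type 8 builds the echo request, 0 the echo reply of the same probe.
 * Returns the packet length in bytes. */
size_t build_probe_packet(const struct fw_config *cfg, struct probe_skb *skb, uint8_t icmp_type) {
    memset(skb, 0, sizeof *skb);
    uint8_t *eth = skb->data, *ip = eth + ETH_VLAN_HLEN, *icmp = ip + 20;
    const uint16_t icmp_len = 8 + 8, ip_len = 20 + icmp_len;   /* 8-byte ICMP payload */

    memcpy(eth, cfg->dst_mac, 6); memcpy(eth + 6, cfg->src_mac, 6);
    eth[12] = 0x81; eth[13] = 0x00;                        /* 802.1Q TPID */
    eth[14] = cfg->vlan_id >> 8 & 0x0f; eth[15] = cfg->vlan_id & 0xff;   /* TCI: VLAN ID only */
    eth[16] = 0x08; eth[17] = 0x00;                        /* EtherType IPv4 */

    ip[0] = 0x45;                                          /* version 4, IHL 5 */
    ip[2] = ip_len >> 8; ip[3] = ip_len & 0xff;
    ip[8] = 64; ip[9] = 1;                                 /* TTL, protocol ICMP */
    for (int i = 0; i < 4; i++) {                          /* addresses in network order */
        ip[12 + i] = (uint8_t)(cfg->src_ip >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(cfg->dst_ip >> (24 - 8 * i));
    }
    uint16_t c = inet_csum(ip, 20); ip[10] = c >> 8; ip[11] = c & 0xff;

    icmp[0] = icmp_type;                                   /* 8 = echo request, 0 = echo reply */
    icmp[4] = 0x12; icmp[5] = 0x34; icmp[7] = 1;           /* identifier, sequence 1 */
    memcpy(icmp + 8, "NGFWPROB", 8);                       /* constructed payload */
    c = inet_csum(icmp, icmp_len); icmp[2] = c >> 8; icmp[3] = c & 0xff;

    skb->len = ETH_VLAN_HLEN + ip_len;
    skb->probe_id = 1;
    for (int n = 0; n < PROBE_MODULES; n++) skb->table[n].number = (uint8_t)n;  /* flags/errors start at 0 */
    return skb->len;
}

/* Packet legitimacy check a receiving module could apply (S106): probe flag set,
 * tagged IPv4 frame, consistent length, both checksums verify (a valid header sums to 0). */
int probe_is_well_formed(const struct probe_skb *skb) {
    const uint8_t *ip = skb->data + ETH_VLAN_HLEN;
    if (skb->probe_id != 1 || skb->len < ETH_VLAN_HLEN + 28) return 0;
    if (skb->data[12] != 0x81 || skb->data[13] != 0x00 || skb->data[16] != 0x08 || skb->data[17] != 0x00) return 0;
    if (ip[0] != 0x45 || ip[9] != 1 || inet_csum(ip, 20) != 0) return 0;
    size_t ip_len = (size_t)ip[2] << 8 | ip[3];
    if (ETH_VLAN_HLEN + ip_len != skb->len || inet_csum(ip + 20, ip_len - 20) != 0) return 0;
    return 1;
}

int main(void) {
    /* constructed configuration: a flow the firewall's own policy permits */
    struct fw_config cfg = { {0x00,0x11,0x22,0x33,0x44,0x55}, {0x00,0x66,0x77,0x88,0x99,0xaa},
                             100, 0x0a000001u /* 10.0.0.1 */, 0x0a000002u /* 10.0.0.2 */ };
    struct probe_skb skb;
    size_t len = build_probe_packet(&cfg, &skb, 8);
    printf("probe len=%zu well_formed=%d\n", len, probe_is_well_formed(&skb));
    for (size_t i = 0; i < len; i++) printf("%02x%s", skb.data[i], (i % 16 == 15) ? "\n" : " ");
    printf("\n");
    return 0;
}
```

Building with icmp_type 0 yields the reply half of the same ICMP probe; probe_is_well_formed() is the kind of packet legitimacy check S106 mentions and rejects any probe whose headers were corrupted on the way through a module.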

[0077] Figure 3 is a flowchart illustrating an automatic detection method for a next-generation firewall according to another exemplary embodiment. The process 30 shown in Figure 3 describes the process shown in Figure 2 in more detail.

[0078] As shown in Figure 3, in S302, the header information of the probe packet is selected.

[0079] In S304, the detection table data is defined.

[0080] In S306, the packet header, data segment, probe table field, and probe identifier are assembled into an SKB packet, which is then periodically sent to the software packet receiving entry by the network card driver.

[0081] In S308, determine whether to forward at Layer 2 or Layer 3.

[0082] In S310, if Layer 2 forwarding applies, the MAC table entry is matched, the egress information is filled into the SKB, and the matching result is stored in the probe table of the SKB.

[0083] In S312, the destination NAT is matched, destination NAT translation is performed, and the result is stored in the probe table of SKB.

[0084] In S314, the routing table structure is matched, and the matching results are stored in the probe table of SKB.

[0085] In S316, protocol status is detected, and the results are stored in the probe table of SKB.

[0086] In S318, the blacklist and whitelist are matched, and the results are stored in the probe table of SKB.

[0087] In S320, security domain detection is performed, and the results are stored in the probe table of SKB.

[0088] In S322, packet filtering is matched, and the results are stored in the probe table of SKB.

[0089] In S324, other security protection detections can be performed sequentially, such as traffic scrubbing, vulnerability protection, website protection, attack defense, virus protection, threat intelligence blocking, application access control, bandwidth management, behavior management, etc., and the results are stored in the SKB probe table.

[0090] In S326, it is again determined whether forwarding is at Layer 2 or Layer 3.

[0091] In S328, the source NAT is matched, source NAT translation is performed, and the result is stored in the probe table of SKB.

[0092] In S330, the automatic bypass module checks the probe table in SKB. When the mark is 1, it is considered that the software module corresponding to the number is abnormal. The software module is marked as bypassed, and the probe table number, mark, and error code are notified to the user through the log.

[0093] In S332, the probe flag of the SKB is checked. If it is 1, step 330 is triggered.

[0094] According to the automatic detection method for next-generation firewalls in this application, packet headers, ICMP / TCP data content, probe tables, and probe identifiers are filtered and automatically assembled, so that faulty software modules are automatically bypassed and fault information is reported based on the probe table results.

[0095] Those skilled in the art will understand that all or part of the steps of the above embodiments are implemented as a computer program executed by a CPU. When the computer program is executed by the CPU, it performs the functions defined by the method provided in this application. The program can be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk, or an optical disk.

[0096] Furthermore, it should be noted that the above figures are merely illustrative representations of the processes included in the method according to exemplary embodiments of this application, and are not intended to be limiting. It is readily understood that the processes shown in the above figures do not indicate or limit the temporal order of these processes. Additionally, it is readily understood that these processes may be executed synchronously or asynchronously, for example, in multiple modules.

[0097] The following are embodiments of the apparatus described in this application, which can be used to execute the embodiments of the method described in this application. For details not disclosed in the apparatus embodiments of this application, please refer to the embodiments of the method described in this application.

[0098] Figure 4 is a block diagram illustrating an automatic detection device for a next-generation firewall according to an exemplary embodiment. As shown in Figure 4, the automatic detection device 40 for next-generation firewalls includes: a packet module 402, a generation module 404, a detection module 406, a storage module 408, a probe module 410, and an alarm module 412.

[0099] The packet module 402 is used to generate SKB packets based on packet header information and the probe table; the packet module 402 is also used to generate the packet header information from the configuration information of the next-generation firewall, to determine the probe table fields according to the entries of the probe table, and to generate the SKB packet from the packet header information and the probe table fields.

[0100] The generation module 404 is used to periodically send the SKB packets to the software packet receiving entry of the next-generation firewall; the generation module 404 is also used to control the network card driver to periodically send the SKB packets to the software packet receiving entry of the next-generation firewall.

[0101] The detection module 406 is used by the next-generation firewall to perform multiple security checks on the SKB packet based on a preset policy; the detection module 406 is also used to control the next-generation firewall to perform packet legitimacy verification on the SKB packet; the detection module 406 is also used to control the next-generation firewall to match Layer 2 or Layer 3 entries for the SKB packet; the detection module 406 is also used to control the next-generation firewall to match destination NAT for the SKB packet; the detection module 406 is also used to control the next-generation firewall to perform protocol state detection on the SKB packet; the detection module 406 is also used to control the next-generation firewall to match blacklists and whitelists for the SKB packet; the detection module 406 is also used to control the next-generation firewall to perform security domain detection on the SKB packet; the detection module 406 is also used to control the next-generation firewall to match packet filtering for the SKB packet; the detection module 406 is also used to control the next-generation firewall to perform security protection detection on the SKB packet.

[0102] The storage module 408 is used to store the detection results of the multiple security checks in the probe table; the storage module 408 is also used to determine the detection identifier according to the detection items during the multiple security checks, and to update the detection identifier according to the detection results, wherein the detection identifier takes the value 1 or 0.

[0103] The probe module 410 is used to identify the abnormal software module based on the detection results in the probe table.

[0104] The alarm module 412 is used to generate alarm logs based on the abnormal software module to automatically notify users. The alarm module 412 is also used to generate alarm logs according to the identifier, probe table number and error code of the abnormal software module; and automatically send the alarm logs to the associated users.

[0105] The automatic detection device for next-generation firewalls according to this application generates SKB packets based on packet header information and a probe table; the SKB packets are periodically sent to the software packet receiving entry of the next-generation firewall; the next-generation firewall performs multiple security checks on the SKB packets based on a preset policy; the detection results of the multiple security checks are stored in the probe table; abnormal software modules are identified based on the detection results in the probe table; and alarm logs are generated based on the abnormal software modules to automatically notify users. This device can automatically detect each software module in the forwarding path of the next-generation firewall and automatically record abnormal modules, thereby enabling automatic and rapid network recovery in the event of a firewall failure and improving fault diagnosis efficiency.

[0106] Figure 5 is a block diagram illustrating an electronic device according to an exemplary embodiment.

[0107] An electronic device 500 according to this embodiment of the present application is described below with reference to Figure 5. The electronic device 600 shown in Figure 5 is merely an example and should not impose any limitation on the functionality and scope of use of the embodiments of this application.

[0108] As shown in Figure 5, the electronic device 600 is presented in the form of a general-purpose computing device. The components of the electronic device 600 may include, but are not limited to: at least one processing unit 610, at least one storage unit 620, a bus 630 connecting different system components (including the storage unit 620 and the processing unit 610), a display unit 640, etc.

[0109] The storage unit stores program code that can be executed by the processing unit 610, causing the processing unit 610 to perform the steps described in this specification according to various exemplary embodiments of this application. For example, the processing unit 610 can perform the steps shown in Figure 2, Figure 3, and Figure 4.

[0110] The storage unit 620 may include a readable medium in the form of a volatile storage unit, such as a random access memory unit (RAM) 6201 and / or a cache storage unit 6202, and may further include a read-only memory unit (ROM) 6203.

[0111] The storage unit 620 may also include a program / utility 6204 having a set of (at least one) program modules 6205. Such program modules 6205 include, but are not limited to: an operating system, one or more application programs, other program modules, and program data; each of these examples, or some combination of them, may include an implementation of a network environment.

[0112] Bus 630 may represent one or more of several types of bus structures, including a storage unit bus or storage unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.

[0113] Electronic device 600 can also communicate with one or more external devices 600' (e.g., keyboard, pointing device, Bluetooth device, etc.), with one or more devices that enable a user to interact with electronic device 600, and / or with any device (e.g., router, modem, etc.) that allows electronic device 600 to communicate with one or more other computing devices. This communication can be performed via the input / output (I / O) interface 650. Furthermore, electronic device 600 can also communicate with one or more networks (e.g., a local area network (LAN), a wide area network (WAN), and / or a public network such as the Internet) via network adapter 660. Network adapter 660 can communicate with other modules of electronic device 600 via bus 630. It should be understood that, although not shown in the figures, other hardware and / or software modules can be used in conjunction with electronic device 600, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.

[0114] From the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software, or by combining software with the necessary hardware. Therefore, as shown in Figure 6, the technical solution according to the embodiments of this application can be embodied in the form of a software product. The software product can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, mobile hard drive, etc.) or on a network, and includes several instructions to cause a computing device (such as a personal computer, server, or network device, etc.) to execute the above-described method according to the embodiments of this application.

[0115] In general, this disclosure is mainly aimed at solving the difficulty of troubleshooting NGFW network faults and the inability to recover from them quickly. It provides a solution that can automatically detect faults and bypass the affected modules. The detection mainly covers the following software modules: routing and switching functions (MAC table / routing table matching), traditional firewall functions (security domain, packet filtering, NAT, protocol state detection, blacklists and whitelists), and application security protection functions (traffic cleaning, vulnerability protection, website protection, attack defense, virus protection, threat intelligence blocking, application access control, bandwidth management, behavior management). The normal software forwarding process is as follows:

(1) The network card driver parses the packet into an SKB, which enters the software forwarding entry.
(2) Packet legality detection, such as the VLAN tag, Layer 2 header, Layer 3 header, etc.
(3) Determine whether forwarding is Layer 2 or Layer 3. If Layer 2, match the MAC table entry, fill the exit information into the SKB, and then execute step (5). If Layer 3, match the routing table entry, fill the exit information into the SKB, and then execute step (4).
(4) Match the destination NAT. If the match is successful, perform destination NAT translation.
(5) Protocol state detection, mainly for ICMP and TCP.
(6) Match blacklists and whitelists.
(7) Security domain detection.
(8) Match packet filtering.
(9) Perform traffic cleaning -> vulnerability protection -> website protection -> attack defense -> virus protection -> threat intelligence blocking -> application access control -> bandwidth management -> behavior management in sequence.
(10) If step (3) determined Layer 3 forwarding, match the source NAT. If the match is successful, perform source NAT translation.
(11) The network card driver converts the SKB into a data frame and sends it out.

The software simulates the complete software forwarding process of the SKB packet at regular intervals. If an abnormal situation occurs, the abnormal software module is automatically bypassed and the abnormal situation is recorded. The probe SKB packets are mainly ICMP and TCP packets. Each ICMP probe consists of a request and a reply packet; each TCP probe is a three-way handshake. The header information of the packet (Layer 2 MAC header, VLAN tag header, Layer 3 IP header, Layer 4 port number) is filtered according to the Layer 2 and Layer 3 forwarding table entries combined with the security domain, packet filtering, NAT, blacklist and whitelist configuration. The header filtering module is primarily responsible for filtering the header information of probe packets based on the configuration information, so that the probe packet sending module can assemble the probe packets. The filtering principle is that the packet must be able to pass all forwarding software modules: it must conform to the security domain forwarding principles, pass packet filtering, have Layer 2 and Layer 3 entries, and match NAT if it is a Layer 3 packet.

The probe table module is mainly responsible for recording the results of probe packets during the forwarding process. The format of the probe table is shown in the table below. The number, flag, and error code in the probe table completely record the forwarding result of each module. A probe table field is added to the SKB to store this table entry.
Number: the number corresponds one-to-one with each software module and identifies whose forwarding result is being recorded.
Flag: the flag indicates whether there is an anomaly. 0 represents normal forwarding, and 1 represents abnormal forwarding.
Error code: error codes represent the error type and are defined by each module. They serve as data support for subsequent problem analysis.

The probe packet sending module is primarily responsible for assembling packets into a complete SKB. A complete SKB mainly includes:
Header: the header information filtered by the header filtering module is filled into the SKB header.
Data segment: ICMP request and reply, and TCP three-way handshake (SYN / SYN ACK / ACK).
Probe table field: a new probe table field is added to the SKB, and the probe table is filled into it.
Probe identifier: a new probe identifier with the value 1 is added to the SKB, indicating that this is a probe packet.
The assembled packet (SKB) is periodically sent by the network card driver to the software forwarding entry point (simulating service packets).

The automatic bypass module, after the probe packet has completed the last forwarding module, sets a bypass flag for the software modules marked as abnormal based on the probe table information in the SKB and logs the probe table information to the user. Subsequent service packets skip the corresponding modules. Routing and switching functions and NAT modules, because they take part in the forwarding path lookup, cannot be skipped; they can only be logged. The packet loss detection module is mainly responsible for dropping probe packets that have been forwarded: after the last check is completed, the packet is discarded so that it does not affect normal packet forwarding.

This disclosure includes the following process:
(1) The packet header filtering module filters out the probe packet header information.
(2) The probe table module formulates the probe table entry data.
(3) The probe packet sending module assembles the packet header segment, data segment, probe table field, and probe identifier into an SKB, which the network card driver sends to the software packet receiving entry at regular intervals.
(Start of probing: if a module fails and would drop the packet, but the probe identifier is 1, the drop is skipped and probing continues with the subsequent modules.)
(4) Determine whether forwarding is Layer 2 or Layer 3. If Layer 2, match the MAC entry, fill the exit information into the SKB, store the matching result in the probe table of the SKB, and then execute (6). If Layer 3, match the MAC entry, fill the exit information into the SKB, store the matching result in the probe table of the SKB, and then execute (5).
(5) Match the destination NAT, perform destination NAT translation, and store the result in the SKB probe table.
(6) Perform protocol state detection and store the result in the SKB probe table.
(7) Match the blacklist and whitelist and store the result in the SKB probe table.
(8) Perform security domain detection and store the result in the SKB probe table.
(9) Match packet filtering and store the result in the SKB probe table.
(10) Perform traffic cleaning -> vulnerability protection -> website protection -> attack defense -> virus protection -> threat intelligence blocking -> application access control -> bandwidth management -> behavior management in sequence, and store each result in the SKB probe table.
(11) If step (4) determined Layer 3 forwarding, match the source NAT, perform source NAT translation, and store the result in the SKB probe table.
(12) The automatic bypass module checks the probe table in the SKB. When the flag is 1, it considers the software module corresponding to the number abnormal, sets that software module to bypass, and notifies the user of the probe table number, flag, and error code through the log.
(13) The packet loss detection module checks the probe flag in the SKB. If it is 1, it discards the packet.
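The probe cycle described in [0077]-[0093] and summarised in [0115], modelled as an added user-space example in C that is not the patent's own code: a probe SKB carrying a probe table (number, flag, error code) and a probe identifier traverses the forwarding modules, a failing module records flag 1 plus its error code without dropping the probe, the bypass module then marks bypassable modules and logs the entries, and the probe is discarded at the end. The module names, the error codes, the bit-mask fault injection and the choice that probe packets still exercise bypassed modules are all assumptions.

```c
/* Added example, not the patent's code: a user-space model of the probe
 * pipeline from [0077]-[0093] and [0115]. Module names, error codes and the
 * fault injection are constructed assumptions. */
#include <stdio.h>
#include <string.h>

#define NMODULES 8

/* Probe table numbers: one per forwarding software module ([0115]). */
enum { MOD_L2L3 = 0, MOD_DNAT, MOD_PROTO, MOD_BWLIST,
       MOD_ZONE, MOD_FILTER, MOD_APPSEC, MOD_SNAT };

static const char *names[NMODULES] = {
    "l2/l3 lookup", "dst nat", "proto state", "black/white list",
    "security zone", "packet filter", "app security", "src nat" };

/* Routing/switching and NAT take part in forwarding-path lookup, so they can
 * only be logged, never bypassed ([0115]). */
static const int bypassable[NMODULES] = { 0, 0, 1, 1, 1, 1, 1, 0 };

struct probe_entry { int number; int flag; int err; }; /* flag: 0 normal, 1 abnormal */

struct skb {
    int is_probe;                        /* probe identifier: 1 = probe packet */
    int dropped;
    struct probe_entry probe[NMODULES];  /* probe table field added to the SKB */
};

static int fault_mask;                   /* constructed: bit n set => module n fails */
static int bypassed[NMODULES];           /* bypass flag per module, set by auto_bypass() */

void reset_bypass(void) { memset(bypassed, 0, sizeof bypassed); fault_mask = 0; }
int is_bypassed(int n) { return bypassed[n]; }

/* Stand-in for a forwarding module: 0 on success, module-defined error code otherwise. */
static int run_module(int n) { return (fault_mask & (1 << n)) ? 100 + n : 0; }

/* Software forwarding path. A failing module records flag=1 and its error code in
 * the probe table; a probe packet is not dropped there (later modules are still
 * probed), a service packet is. Service packets skip bypassed modules. Returns the
 * number of the module that dropped the packet, or -1 if the whole path was traversed. */
int forward(struct skb *s) {
    for (int n = 0; n < NMODULES; n++) {
        s->probe[n].number = n;
        if (bypassed[n] && !s->is_probe) continue;
        int err = run_module(n);
        s->probe[n].flag = err ? 1 : 0;
        s->probe[n].err = err;
        if (err && !s->is_probe) { s->dropped = 1; return n; }
    }
    return -1;
}

/* Automatic bypass module (S330): each entry with flag 1 marks its module abnormal;
 * bypassable modules are set to bypass, and number, flag and error code go to the
 * log. Returns the count of abnormal modules. */
int auto_bypass(const struct skb *s, char *log, size_t loglen) {
    int found = 0;
    log[0] = '\0';
    for (int n = 0; n < NMODULES; n++) {
        if (s->probe[n].flag != 1) continue;
        found++;
        if (bypassable[n]) bypassed[n] = 1;
        size_t used = strlen(log);
        snprintf(log + used, loglen - used, "probe number=%d flag=1 err=%d %s: %s\n",
                 n, s->probe[n].err, names[n], bypassable[n] ? "bypassed" : "logged only");
    }
    return found;
}

/* Packet loss detection module (S332): probe packets are discarded after the last check. */
int drop_if_probe(struct skb *s) {
    if (s->is_probe) s->dropped = 1;
    return s->dropped;
}

/* One probe cycle, as the network card driver would schedule it periodically ([0076]):
 * assemble a probe SKB, forward it, run the bypass module, then discard it. */
int run_probe_cycle(int faults, char *log, size_t loglen) {
    struct skb s;
    memset(&s, 0, sizeof s);
    s.is_probe = 1;
    fault_mask = faults;
    forward(&s);
    int abnormal = auto_bypass(&s, log, loglen);
    drop_if_probe(&s);
    return abnormal;
}
```

With the packet filter and source NAT modules faulted, one cycle logs both entries, bypasses only the packet filter, and a following service packet skips the filter but is still dropped at source NAT, which the patent says can only be logged.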

[0116] The software product may employ any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples of readable storage media (a non-exhaustive list) include: electrical connections with one or more wires, portable disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.

[0117] The computer-readable storage medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take various forms, including but not limited to an electromagnetic signal, an optical signal, or any suitable combination thereof. The readable storage medium may also be any readable medium other than a readable storage medium that is capable of sending, propagating, or transporting a program for use by or in connection with an instruction execution system, apparatus, or device. The program code contained on the readable storage medium may be transmitted using any suitable medium, including but not limited to wireless, wired, optical fiber, RF, etc., or any suitable combination thereof.

[0118] Program code for performing the operations of this application can be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, and conventional procedural programming languages such as C or similar languages. The program code can execute entirely on the user's computing device, partially on the user's device, as a standalone software package, partially on the user's computing device and partially on a remote computing device, or entirely on a remote computing device or server. In cases involving a remote computing device, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0119] The aforementioned computer-readable medium carries one or more programs. When these programs are executed by a device, the computer-readable medium performs the following functions: generating SKB packets based on packet header information and a probe table; periodically sending the SKB packets to the software packet receiving entry point of a next-generation firewall; the next-generation firewall performing multiple security checks on the SKB packets based on a preset policy; storing the detection results of the multiple security checks in the probe table; identifying abnormal software modules based on the detection results in the probe table; and generating alarm logs based on the abnormal software modules to automatically notify users.

[0120] Those skilled in the art will understand that the above modules can be distributed in the device as described in the embodiments, or they can be modified accordingly and placed in one or more devices that are unique to this embodiment. The modules in the above embodiments can be combined into one module, or they can be further divided into multiple sub-modules.

[0121] Through the description of the above embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein can be implemented by software or by combining software with necessary hardware. Therefore, the technical solutions according to the embodiments of this application can be embodied in the form of a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, external hard drive, etc.) or on a network, including several instructions to cause a computing device (such as a personal computer, server, mobile terminal, or network device, etc.) to execute the methods according to the embodiments of this application.

[0122] Exemplary embodiments of this application have been specifically shown and described above. It should be understood that this application is not limited to the detailed structures, arrangements, or implementation methods described herein; rather, this application is intended to cover various modifications and equivalent arrangements contained within the spirit and scope of the appended claims.

Claims

1. An automatic detection method for next-generation firewalls, characterized in that it includes:
SKB packets are generated based on packet header information and a probe table;
the SKB packets are periodically sent to the software packet receiving entry of the next-generation firewall;
the next-generation firewall performs multiple security checks on the SKB packets based on preset policies;
the detection results of the multiple security checks are stored in the probe table;
abnormal software modules are identified based on the detection results in the probe table;
alarm logs are generated based on the abnormal software modules to automatically notify users.

2. The method as described in claim 1, characterized in that generating SKB packets based on packet header information and a probe table includes:
generating the packet header information from the configuration information of the next-generation firewall;
determining the probe table fields based on the probe table entries;
generating the SKB packet from the packet header information and the probe table fields.

3. The method as described in claim 2, characterized in that generating the packet header information from the configuration information of the next-generation firewall includes:
extracting the forwarding software module identifiers and the forwarding rules from the configuration information of the next-generation firewall;
generating the packet header information according to the identified software modules and the determined forwarding rules.

4. The method as described in claim 2, characterized in that generating the SKB packet from the packet header information and the probe table fields includes:
determining the data segment information;
determining the probe identifier;
assembling the packet header information, the data segment information, the probe table field, and the probe identifier to generate the SKB packet.

5. The method as described in claim 1, characterized in that periodically sending the SKB packets to the software packet receiving entry of the next-generation firewall includes:
the network card driver periodically sends the SKB packets to the software packet receiving entry of the next-generation firewall.

6. The method as described in claim 1, characterized in that the next-generation firewall performing multiple security checks on the SKB packets based on preset policies includes:
the next-generation firewall performs packet validity checks on the SKB packets; and / or
the next-generation firewall matches the SKB packets against Layer 2 or Layer 3 entries; and / or
the next-generation firewall matches the destination NAT for the SKB packets; and / or
the next-generation firewall performs protocol state inspection on the SKB packets; and / or
the next-generation firewall matches the SKB packets against blacklists and whitelists; and / or
the next-generation firewall performs security domain inspection on the SKB packets; and / or
the next-generation firewall matches packet filtering for the SKB packets; and / or
the next-generation firewall performs security protection detection on the SKB packets.

7. The method as described in claim 1, characterized in that storing the detection results of the multiple security checks in the probe table includes:
during the multiple security checks, determining the detection identifier according to the detection items;
updating the detection identifier based on the detection results, wherein the detection identifier takes the value 1 or 0.

8. The method as described in claim 1, characterized in that generating alarm logs based on the abnormal software modules to automatically notify users includes:
generating an alarm log based on the identifier of the abnormal software module, the probe table number, and the error code;
automatically sending the alarm log to the associated users.

9. The method as described in claim 1, characterized in that it further includes:
after the multiple security checks are completed, the SKB packet is discarded.

10. An automatic detection device for next-generation firewalls, characterized in that it includes:
a packet module, used to generate SKB packets based on packet header information and a probe table;
a generation module, used to periodically send the SKB packets to the software packet receiving entry of the next-generation firewall;
a detection module, used by the next-generation firewall to perform multiple security checks on the SKB packets based on preset policies;
a storage module, used to store the detection results of the multiple security checks in the probe table;
a probe module, used to identify abnormal software modules based on the detection results in the probe table;
an alarm module, used to generate alarm logs based on the abnormal software modules to automatically notify users.