SDN flow arbiter 504 may communicate with firewall flow master list 508 over link 518, and may communicate with SDN flow limiter 506 over link 514. SDN flow arbiter 504 may determine whether a data flow was recently forwarded to an SDN controller with a delay or wait period. The delay or wait period may account for the latency of the link 516 to the SDN controller, the SDN controller, and/or any subsequent links from the SDN controller. SDN flow arbiter 504 may also send the flow criteria to a firewall flow master list to determine whether the flow criteria matches an entry. A timestamp associated with the entry may be found based on a matching entry. The timestamp may be compared to a current timestamp to determination whether the flow criteria was recently inserted or updated in the list. Firewall flow master list 508 may communicate with SDN flow limiter 520 to avoid saturation of link 516 to an SDN controller and/or any other portion of the network. Although flow validation unit 502, SDN flow arbiter 504, SDN flow limiter 506, and firewall flow master list 508 are shown in communication in order, the elements of firewall 500 may be connected in any order suitable to validate unknown data flows and/or reduce the likelihood of network saturation.