DETAILED ACTION
Responsive to the Applicant reply filed on 10/15/2020, Applicant’s respective arguments carefully considered and responded in following.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments, see Applicant’s Remarks, Page 9-13, regarding the limitation “based on the security policy, capture the egress packet in an unencrypted form.” The arguments have been fully considered but they are not persuasive.
In response to applicant's argument, p.9-11, regarding
“First, it is noted herein that claim 1 does not simply recite "capturing the egress packet in an unencrypted form" as appears to have been interpreted by the Office Action, but rather, claim 1 recites "based on the security policy, capturing the egress packet in an unencrypted form" (emphasis ours). That is, for example, the "capturing" is based on what the security policy says/specifies or is otherwise related to the security policy. Lin does not teach or suggest any capturing that is "based on the security policy" as recited in claim 1.”

Examiner can see a typographical mistake of missing “based on the security policy” in the rejection for the claim 1. However, the independent claim 8, which is a network device claim that corresponds to the independent claim 1, is rejected with the whole limitation “based on the security policy, capturing the egress packet in an unencrypted form” (See p.7-9, Non-Final Office Action mailed on 07/15/2020). Examiner asserts that the limitation “based on the security policy, capture the egress packet in an unencrypted form” is considered in tandem.
In response to applicant’s argument, p.11, Line 15-28, regarding


Examiner respectfully disagrees with the arguments above. Applicant is arguing against a sequence of the capturing packets based on the security policy such as “first performs a capturing of a packet (by directing the packet to the security services via the SDN pipe 625), and then only after capturing the packet.” However, Examiner asserts that there is no specific languages about the sequence in limitation. The claim is interpreted in light of the specification, limitation from the specification is not read into the claims. In addition, Examiner disagrees with the applicant’s approaching for how/when the “capturing the egress packet” to be performed. In the art, capturing packet such as a packet analyzer or packet sniffer can intercept and log traffic that passes over a computer network or part of a network so that the packet is inspected to help diagnose and solve network problems and determine whether network security policies are being followed. Lin discloses that the security service 630 allows inspecting packets sent by or going to the sender component 622 (Column 4, line 63-65). Examiner agrees that the security service 630 receives the outgoing packets from the redirect port 623-2 (arrow 654). However, Examiner would like to bring to the attention of the Applicant that the security service may perform a security response (analogous to the limitation “based on the security policy”) on packets that fail inspection (See Fig. 9 and Column 9, line 41-54). For example, the security component (analogous to the limitation “based on the security policy”) may drop packets (analogous to the limitation “capture the egress packet in an unencrypted form”) that fail inspection. Examiner asserts that Lin also explicitly discloses the sequence as argued. 
In response to applicant’s argument, p.11, Line 15-28, regarding
“Second, the Examiner may perhaps hypothetically interpret Lin's capturing of a packet as being based on a security policy that specifies something to the effect of ‘intercept all packets for further checking.’ However, even with this hypothetical interpretation of Lin, Lin still would not teach or suggest the recitations of claim 1. … Thus, any such hypothetical security policy of Lin cannot correspond to both (a) the security policy being identified as applicable to an egress packet by comparing fields in the egress packet with fields in the security policy, and (b) the same thus-identified security policy being the basis for capturing the egress packet.

In this case, Examiner establishes a prima facie case of obviousness. The requirements for obviousness are discussed in MPEP § 2142. As explained in the previous Office Action, Arangasamy discloses “identifying a security policy applicable to the egress packet” and the only difference between claim 1 and the disclosing of Arangasamy is “based on the security policy, capturing the egress packet in an unencrypted form” which is taught by Lin. Examiner asserts that one of ordinary skill in the art would have reasonably expected that implementing a method/system in which “based on the security policy, capturing the egress packet in an unencrypted form” would have been obvious to one of ordinary skill and would have resulted in a more secure method/system as suggested by Lin.
In response to applicant’s argument, p.12 Line18-p.13 Line 14, regarding “a software-defined networking (SDN) environment”, Examiner previously considered “a software-defined networking (SDN) environment” in the preamble but no patentable weight was given. However, Applicant’s arguments rely on language solely recited in preamble recitations in claim 1. When reading the preamble in the context of the entire claim, the recitation, software-defined networking (SDN) environment, is not limiting because the body of the claim describes a complete invention and the language recited solely in the preamble does not provide any distinct definition of any of the claimed invention’s limitations. Thus, the preamble of the claim is not considered a limitation and is of no significance to claim construction. See Pitney Bowes, Inc. v. Hewlett-Packard Co., 182 F.3d 1298, 1305, 51 USPQ2d 1161, 1165 (Fed. Cir. 1999). See MPEP § 2111.02. Therefore, further clarify and limiting the scope of the claim’s body is required to emphasize the inventive concepts.
In response to applicant’s argument, p.13, Line 15-22, regarding "in an unencrypted form", Examiner establishes a prima facie case of obviousness. The requirements for obviousness are discussed in MPEP § 2142. As explained in the previous Office Action, Arangasamy discloses “performing encryption on the egress packet to generate an encrypted packet”. According to paragraph 0095 and Figure 8, Arangasamy discloses, “an encryption engine/block 816 to perform MACsec encryption on various extracted fields according to the MACsec policy” after “a policy lookup block 812”. Examiner asserts that one of ordinary skill in the art would have reasonably expected that implementing a method/system in which “based on the security policy, capturing the egress packet in an unencrypted form with a software-defined networking (SDN) environment” would have been obvious to one of ordinary skill and would have resulted in a more secure method/system as suggested by Lin. However, the preamble of the claim is not considered a limitation and is of no significance to claim construction as stated above. Therefore, further clarify and limiting the scope of the claim’s body is required to emphasize the inventive concepts.
For the reasons stated above, Arangasamy-Lin discloses the aforementioned limitations of independent claims 1 and render the claim limitations obvious before the effective filing date of the claimed invention. The previous rejections are maintained.

Claim Rejections-35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


Claims 1, 5-8, 12-15 and 19-21 are rejected under 35 U.S.C. 103 as being unpatentable over Arangasamy et al. (US 20170104851 A1 hereinafter Arangasamy) in view of Lin et al.( US 9264400 B1 hereinafter Lin).
Regarding claim 1, (Previously Presented) Arangasamy discloses a method for a network device to perform packet capture in a 
detecting an egress packet that includes an inner header addressed from the first node to the second node, wherein the first node communicates with the second node via the network device (Fig. 15; par. 0209, egress processor 802 receives from a source device (e.g., host 102) an egress frame in the form of an Ethernet frame. The egress frame may be referred to as an input egress frame. The egress frame includes: an outer Ethernet frame or header including a MAC_SA, a MAC_DA, an Ethertype field; an IP header [inner header] defining an IP tunnel between the network device (e.g., network device 102) and a peer network device (e.g., network device 110) over a public wide area network (e.g., public network 106); an L2-over-L3 encapsulation field (i.e., also referred to as “an L3 encapsulation field” or more simply as an “L3 encapsulation”) identifying a tunnel protocol; and an inner Ethernet frame with a payload and that is demarcated by the L3 encapsulation); 
identifying a security policy applicable to the egress packet by comparing one or more fields in the inner header with one or more match fields specified by the security policy (Fig. 15; par. 0211, processor 802 determines a MACsec policy [security policy] that defines whether and how to MACsec protect the inner Ethernet frame. To do this, processor 802 (i) determines a 
performing encryption on the egress packet to generate an encrypted packet that includes the egress packet in an encrypted form (Fig. 15; par. 0214, To MACsec protect the inner Ethernet frame, processor 802 may authenticate, encrypt, or both authenticate and encrypt one or more the Ethernet header, the Ethernet type field, and the payload of the inner Ethernet frame according to the MACsec policy, and also insert a SecTag and an ICV into the inner Ethernet frame); and 
sending the encrypted packet to the second node (Fig. 15; par. 0215, processor 802 transmits the partly protected output egress frame to the peer network device over the IP tunnel of the public wide area network). 
Arangasamy may not explicitly teach, but Lin, which is in a same field of endeavor, discloses a software-defined networking (SDN) environment (See Abs.) and the method wherein, based on the security policy, capturing the egress packet in an unencrypted form (clm. 10, inspecting the outgoing packets in the security component for compliance with security policies; storing a copy of the outgoing packets in the SDN switch).
It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of Arangasamy with Lin, to provide security service such as for presence of malicious code, compliance with firewall rules and access control lists, network intrusion detection, and other computer network security services  (col. 5, line 47-50).	

Regarding claim 5, (Original) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 1 above. Lin further discloses the method of 

Regarding claim 6, (Previously Presented) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 5 above. Lin further the method of claim 5, wherein capturing the egress packet comprises (Fig. 1): collecting statistics associated with the egress packet or the security policy (col. 5, line 8-14, A flow table may include columns that indicate one or more conditions, a column that indicates an action to take when the conditions are met, and a column for statistics. A row on the flow table may comprise a flow rule. In the example of Table 1, the “Action” column indicates an action to take when conditions are met, and the “Count” column indicates statistics, such as byte count); and 
storing, in the packet capture database, the statistics in association with the identifier of the security policy (col. 4, line 23-27, a flow policy in the flow policy database 611 may indicate inspection of particular packets (e.g., those that meet one or more conditions) by a security service 630; col. 5, line 8-14, A flow table may include columns that indicate one or more conditions, a column that indicates an action to take when the conditions are met, and a column for statistics. A row on the flow table may comprise a flow rule. In the example of Table 1, the “Action” column indicates an action to take when conditions are met, and the “Count” column indicates statistics, such as byte count).

Regarding claim 7, (Previously Presented) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 1 above. Arangasamy discloses the method of claim 1, wherein the inner header includes a first inner header, and wherein the method further comprises (Fig. 1): 
detecting an ingress encrypted packet (Fig. 16; par. 0218, ingress processor 804 of a network device (e.g., network device 102) receives an ingress frame (referred to as an “ingress packet” above) transmitted by a peer network device (e.g., network device 110) to the network device over a public WAN (e.g., network 106) via an IP tunnel (e.g., tunnel 131)); 
performing decryption on the ingress encrypted packet to generate a decrypted packet that includes a second inner header addressed from the second node to the first node (Fig. 16; par. 0221, Removal of the MACsec protection may include authentication and decryption of one or more fields in the inner Ethernet frame, as well as removal of the SecTag and ICV); 
sending the decrypted packet to the first node (Fig. 16; par. 0222, At 1625, processor 804 transmits the inner Ethernet frame to a destination device, e.g., host device 114, if the payload of the inner Ethernet frame includes an IP packet with an IP header specifying a destination IP address corresponding to host device 114).
Arangasamy may not explicitly teach, but Lin, which is in a same field of endeavor, discloses the method, wherein based on the security policy, capturing the decrypted packet in an unencrypted form (clm. 10, inspecting the outgoing packets in the security component for compliance with security policies; storing a copy of the outgoing packets in the SDN switch); and 

Regarding claim 8, (Previously Presented) Arangasamy discloses a network device configured to perform packet capture in a 
a processor (Fig. 8); and 
a non-transitory computer-readable medium having stored thereon instructions that, in response to execution by the processor, cause the processor to (par. 264, a non-transitory processor readable medium storing instructions is provided): 
detect an egress packet that includes an inner header addressed from the first node to the second node, wherein the first node communicates with the second node via the network device (Fig. 15; par. 0209, egress processor 802 receives from a source device (e.g., host 102) an egress frame in the form of an Ethernet frame. The egress frame may be referred to as an input egress frame. The egress frame includes: an outer Ethernet frame or header including a MAC_SA, a MAC_DA, an Ethertype field; an IP header [inner header] defining an IP tunnel between the network device (e.g., network device 102) and a peer network device (e.g., network device 110) over a public wide area network (e.g., public network 106); an L2-over-L3 encapsulation field (i.e., also referred to as “an L3 encapsulation field” or more simply as an “L3 encapsulation”) identifying a tunnel protocol; and an inner Ethernet frame with a payload and that is demarcated by the L3 encapsulation); 
identify a security policy applicable to the egress packet by comparing one or more fields in the inner header with one or more match fields specified by the security policy (Fig. 15; par. 0211, processor 802 determines a MACsec policy [security policy] that defines whether and how to MACsec protect the inner Ethernet frame. To do this, processor 802 (i) determines a SecY based on a destination IP address of the IP tunnel (extracted in the parsing) and optionally on a physical port at which the network device received the Ethernet frame, (ii) determines an SA and an SC based on at least the MACsec entity, and (iii) determines the MACsec policy based on the SecY, the SA, and the SC); 
encrypt one or more the Ethernet header, the Ethernet type field, and the payload of the inner Ethernet frame according to the MACsec policy, and also insert a SecTag and an ICV into the inner Ethernet frame); and
send the encrypted packet to the second node (Fig. 15; par. 0215, processor 802 transmits the partly protected output egress frame to the peer network device over the IP tunnel of the public wide area network).
Arangasamy may not explicitly teach, but Lin, which is in a same field of endeavor, discloses a software-defined networking (SDN) environment (See Abs.) and the method wherein, based on the security policy, capture the egress packet in an unencrypted form (clm. 10, inspecting the outgoing packets in the security component for compliance with security policies; storing a copy of the outgoing packets in the SDN switch).
It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of Arangasamy with Lin, to provide security service such as for presence of malicious code, compliance with firewall rules and access control lists, network intrusion detection, and other computer network security services  (col. 5, line 47-50).	

Regarding claim 12, (Previously Presented) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 8 above. Lin further discloses the network device of claim 8, wherein the instructions that cause the processor to capture the egress packet cause the processor to (par. 264, a non-transitory processor readable medium storing instructions is provided): store, in a packet capture database, content of the egress packet in association with an identifier of the security policy (col. 4, line 23-27, a flow policy in 

Regarding claim 13, (Previously Presented) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 12 above. Lin further the network device of claim 12, wherein the instructions that cause the processor to capture the egress packet cause the processor to (Fig. 1): collect statistics associated with the egress packet or the security policy (col. 5, line 8-14, A flow table may include columns that indicate one or more conditions, a column that indicates an action to take when the conditions are met, and a column for statistics. A row on the flow table may comprise a flow rule. In the example of Table 1, the “Action” column indicates an action to take when conditions are met, and the “Count” column indicates statistics, such as byte count); and 
store, in the packet capture database, the statistics in association with the identifier of the security policy (col. 4, line 23-27, a flow policy in the flow policy database 611 may indicate inspection of particular packets (e.g., those that meet one or more conditions) by a security service 630; col. 5, line 8-14, A flow table may include columns that indicate one or more conditions, a column that indicates an action to take when the conditions are met, and a column for statistics. A row on the flow table may comprise a flow rule. In the example of Table 1, the “Action” column indicates an action to take when conditions are met, and the “Count” column indicates statistics, such as byte count).

Regarding claim 14, (Previously Presented) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 8 above. Arangasamy discloses the network device of claim 8, wherein the inner header comprises a first inner header, and wherein the instructions further cause the processor to (Fig. 1):
detect an ingress encrypted packet (Fig. 16; par. 0218, ingress processor 804 of a network device (e.g., network device 102) receives an ingress frame (referred to as an “ingress packet” above) transmitted by a peer network device (e.g., network device 110) to the network device over a public WAN (e.g., network 106) via an IP tunnel (e.g., tunnel 131)); 
perform decryption on the ingress encrypted packet to generate a decrypted packet that includes a second inner header addressed from the second node to the first node (Fig. 16; par. 0221, Removal of the MACsec protection may include authentication and decryption of one or more fields in the inner Ethernet frame, as well as removal of the SecTag and ICV); 
send the decrypted packet to the first node (Fig. 16; par. 0222, At 1625, processor 804 transmits the inner Ethernet frame to a destination device, e.g., host device 114, if the payload of the inner Ethernet frame includes an IP packet with an IP header specifying a destination IP address corresponding to host device 114).
Arangasamy may not explicitly teach, but Lin, which is in a same field of endeavor, discloses the method, wherein based on the security policy, capture the decrypted packet in an unencrypted form (clm. 10, inspecting the outgoing packets in the security component for compliance with security policies; storing a copy of the outgoing packets in the SDN switch); and 
It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of Arangasamy with Lin, to provide security service such as for presence of malicious code, compliance with firewall rules and access control lists, network intrusion detection, and other computer network security services  (col. 5, line 47-50).	

Regarding claim 15, (Previously Presented) Arangasamy discloses a non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a network device, cause the processor to perform a method of packet capture in a 
detecting an ingress encrypted packet (Fig. 16; par. 0218, ingress processor 804 of a network device (e.g., network device 102) receives an ingress frame (referred to as an “ingress packet” above) transmitted by a peer network device (e.g., network device 110) to the network device over a public WAN (e.g., network 106) via an IP tunnel (e.g., tunnel 131)); 
performing decryption on the ingress encrypted packet to generate a decrypted packet that includes an inner header addressed from the first node to the second node, wherein the first node communicates with the second node via the network device (Fig. 16; par. 0221, Removal of the MACsec protection may include authentication and decryption of one or more fields in the inner Ethernet frame, as well as removal of the SecTag and ICV); 
identifying a security policy applicable to the decrypted packet (Fig. 16; par. 0220, processor 804 determines a MACsec policy [security policy] that defines the MACsec protection on the MACsec protected inner Ethernet frame. To do this, processor 804 performs similar operations used by processor 802 at operation 1515, described above. The MACsec policy defines the MACsec protection on an Ethernet header, an Ethernet type field, and the payload of the inner Ethernet frame); 
sending the decrypted packet to the second node (Fig. 16; par. 0222, At 1625, processor 804 transmits the inner Ethernet frame to a destination device, e.g., host device 114, if the payload of the inner Ethernet frame includes an IP packet with an IP header specifying a destination IP address corresponding to host device 114).

It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of Arangasamy with Lin, to provide security service such as for presence of malicious code, compliance with firewall rules and access control lists, network intrusion detection, and other computer network security services  (col. 5, line 47-50).	

Regarding claim 19, (Original) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 15 above. Lin further discloses the non-transitory computer-readable storage medium of claim 15, wherein capturing the decrypted packet comprises (par. 264, a non-transitory processor readable medium storing instructions is provided): 
storing, in a packet capture database, content of the decrypted packet in association with an identifier of the security policy (col. 4, line 23-27, a flow policy in the flow policy database 611 may indicate inspection of particular packets (e.g., those that meet one or more conditions) by a security service 630; col. 5, line 8-14, A flow table may include columns that indicate one or more conditions, a column that indicates an action to take when the conditions are met, and a column for statistics. A row on the flow table may comprise a flow rule. In the example of Table 1, the “Action” column indicates an action to take when conditions are met, and the “Count” column indicates statistics, such as byte count).

Regarding claim 20, (Previously Presented) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 19 above. Lin further discloses the non-transitory computer-readable storage medium of claim 19, wherein capturing the decrypted packet comprises: 
collecting statistics associated with the decrypted packet or the security policy (col. 5, line 8-14, A flow table may include columns that indicate one or more conditions, a column that indicates an action to take when the conditions are met, and a column for statistics. A row on the flow table may comprise a flow rule. In the example of Table 1, the “Action” column indicates an action to take when conditions are met, and the “Count” column indicates statistics, such as byte count); and
storing, in the packet capture database, the statistics in association with the identifier of the security policy (col. 4, line 23-27, a flow policy in the flow policy database 611 may indicate inspection of particular packets (e.g., those that meet one or more conditions) by a security service 630; col. 5, line 8-14, A flow table may include columns that indicate one or more conditions, a column that indicates an action to take when the conditions are met, and a column for statistics. A row on the flow table may comprise a flow rule. In the example of Table 1, the “Action” column indicates an action to take when conditions are met, and the “Count” column indicates statistics, such as byte count).

Regarding claim 21, (Previously Presented) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 15 above. Arangasamy discloses the non-transitory computer-readable storage medium of claim 15, wherein the inner header includes a first inner header, and wherein the method further comprises (Fig. 1): 
detecting an egress packet that includes a second inner header that is addressed from the second node to the first node (Fig. 15; par. 0209, egress processor 802 receives from a source device (e.g., host 102) an egress frame in the form of an Ethernet frame. The egress inner header] defining an IP tunnel between the network device (e.g., network device 102) and a peer network device (e.g., network device 110) over a public wide area network (e.g., public network 106); an L2-over-L3 encapsulation field (i.e., also referred to as “an L3 encapsulation field” or more simply as an “L3 encapsulation”) identifying a tunnel protocol; and an inner Ethernet frame with a payload and that is demarcated by the L3 encapsulation); 
performing encryption on the egress packet to generate an egress encrypted packet that includes the egress packet in an encrypted form (Fig. 15; par. 0214, To MACsec protect the inner Ethernet frame, processor 802 may authenticate, encrypt, or both authenticate and encrypt one or more the Ethernet header, the Ethernet type field, and the payload of the inner Ethernet frame according to the MACsec policy, and also insert a SecTag and an ICV into the inner Ethernet frame); and 
sending the egress encrypted packet to the first node (Fig. 15; par. 0215, processor 802 transmits the partly protected output egress frame to the peer network device over the IP tunnel of the public wide area network).
Arangasamy may not explicitly teach, but Lin, which is in a same field of endeavor, discloses the method, wherein based on the security policy, capturing the egress packet in an unencrypted form (clm. 10, inspecting the outgoing packets in the security component for compliance with security policies; storing a copy of the outgoing packets in the SDN switch).


Claims 2-4, 9-11 and 16-18 are rejected under 35 U.S.C. 103 as being unpatentable over Arangasamy et al. (US 20170104851 A1 hereinafter Arangasamy) in view of Lin et al.( US 9264400 B1 hereinafter Lin) as applied to claim 1 above, and further in view of Varadhan et al. (US 20100043068 A1 hereinafter Varadhan).
Regarding claim 2, (Original) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 1 above. Arangasamy further discloses the method of claim 1, wherein capturing the egress packet comprises (Fig. 1):
forwarding the egress packet via the particular logical interface to capture the egress packet (par. 0058, FIG. 5 is a diagram of network environment 100 expanded to show logical flows for multi-hop WAN MACsec transmit (egress) packet and receive (ingress) packet processing, according to an embodiment; par. 0060, network device 102 examines its internal route table to identify address prefix “3.0” as a destination network and address prefix “2.2” as a next hop, which is a tunnel interface [logical interface] for IP tunnel 131 between network devices 102 and 110; par. 0215, processor 802 transmits the partly protected output egress frame to the peer network device over the IP tunnel of the public wide area network).
The combination of Arangasamy and Lin may not explicitly teach, but Varadhan, which is in a same field of endeavor, discloses the method wherein, identifying, from multiple logical interfaces configured on the network device, a particular logical interface associated with the security policy (par. 0036, the user interface supports a command syntax that allows the logical interfaces for the individual customer VPNs 30 to be used in conjunction with the physical interfaces 27 of router 20 to define zones and corresponding security polices to be applied by FW 22 to those zones).
 It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of Arangasamy and Lin with Varadhan, to provide a user interface by which VPN tunnels can be defined as logical interfaces for purposes of security policies, and these logical interfaces can be used like other physical interfaces to define zones to which policies are to be applied by the device (par. 0012).

Regarding claim 3, (Original) the combination of Arangasamy, Lin and Varadhan teaches all elements of the current invention as stated in claim 2 above. Lin further discloses the method of claim 2, wherein capturing the egress packet comprises (Fig. 8):
capturing the egress packet in response to determination that packet capture is enabled on the logical interface (col. 4, line 23-27, a flow policy in the flow policy database 611 may indicate inspection of particular packets (e.g., those that meet one or more conditions) by a security service 630; col. 5, 38-45, The security service 630 may comprise a virtual machine that provides computer network security services, such as packet inspection, for the sender component 622 and other virtual machines. For example, the security service 630 may comprise a virtual machine with a virtual network interface card [logical interface] that is coupled to the redirect port 623-2 and re-inject port 623-3 of the SDN switch 620; clm. 10, inspecting the outgoing packets in the security component for compliance with security policies; storing a copy of the outgoing packets in the SDN switch).

Regarding claim 4, (Previously Presented) the combination of Arangasamy, Lin and Varadhan teaches all elements of the current invention as stated in claim 2 above. Varadhan discloses the method of claim 2, further comprising (Fig. 8): 
prior to detecting the egress packet, configuring multiple security policies that include the security policy, and the multiple logical interfaces which are associated with the respective multiple security policies (par. 0036, the user interface supports a command syntax that allows the logical interfaces for the individual customer VPNs 30 to be used in conjunction with the physical interfaces 27 of router 20 to define zones and corresponding security polices to be applied by FW 22 to those zones).

Regarding claim 9, (Previously Presented) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 8 above. Arangasamy further 
forward the egress packet via the particular logical interface to capture the egress packet (par. 0058, FIG. 5 is a diagram of network environment 100 expanded to show logical flows for multi-hop WAN MACsec transmit (egress) packet and receive (ingress) packet processing, according to an embodiment; par. 0060, network device 102 examines its internal route table to identify address prefix “3.0” as a destination network and address prefix “2.2” as a next hop, which is a tunnel interface  [logical interface] for IP tunnel 131 between network devices 102 and 110; par. 0215, processor 802 transmits the partly protected output egress frame to the peer network device over the IP tunnel of the public wide area network).
The combination of Arangasamy and Lin may not explicitly teach, but Varadhan, which is in a same field of endeavor, discloses the network device wherein, identify, from multiple logical interfaces configured on the network device, a particular logical interface associated with the security policy (par. 0036, the user interface supports a command syntax that allows the logical interfaces for the individual customer VPNs 30 to be used in conjunction with the physical interfaces 27 of r outer 20 to define zones and corresponding security polices to be applied by FW 22 to those zones).
 It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of Arangasamy and Lin with Varadhan, to provide a user interface by which VPN tunnels can be defined as logical interfaces for purposes of security policies, and these logical interfaces can be used like other physical interfaces to define zones to which policies are to be applied by the device (par. 0012).

Regarding claim 10, (Previously Presented) the combination of Arangasamy, Lin and Varadhan teaches all elements of the current invention as stated in claim 9 above. Lin further 
capture the egress packet in response to determination that packet capture is enabled on the logical interface (col. 4, line 23-27, a flow policy in the flow policy database 611 may indicate inspection of particular packets (e.g., those that meet one or more conditions) by a security service 630; col. 5, 38-45, The security service 630 may comprise a virtual machine that provides computer network security services, such as packet inspection, for the sender component 622 and other virtual machines. For example, the security service 630 may comprise a virtual machine with a virtual network interface card [logical interface] that is coupled to the redirect port 623-2 and re-inject port 623-3 of the SDN switch 620; clm. 10, inspecting the outgoing packets in the security component for compliance with security policies; storing a copy of the outgoing packets in the SDN switch).

Regarding claim 11, (Previously Presented) the combination of Arangasamy, Lin and Varadhan teaches all elements of the current invention as stated in claim 9 above. Varadhan discloses the network device of claim 9, wherein the instructions further cause the processor to (Fig. 8):
prior to detection of the egress packet, configure multiple security policies that include the security policy, and the multiple logical interfaces which are associated with the respective multiple security policies (par. 0036, the user interface supports a command syntax that allows the logical interfaces for the individual customer VPNs 30 to be used in conjunction with the physical interfaces 27 of r outer 20 to define zones and corresponding security polices to be applied by FW 22 to those zones).

Regarding claim 16, (Original) the combination of Arangasamy and Lin teaches all elements of the current invention as stated in claim 15 above. Arangasamy further discloses the 
forwarding the decrypted packet via the particular logical interface to capture the decrypted packet (par. 0058, FIG. 5 is a diagram of network environment 100 expanded to show logical flows for multi-hop WAN MACsec transmit (egress) packet and receive (ingress) packet processing, according to an embodiment; par. 0060, network device 102 examines its internal route table to identify address prefix “3.0” as a destination network and address prefix “2.2” as a next hop, which is a tunnel interface  [logical interface] for IP tunnel 131 between network devices 102 and 110; par. 0215, processor 802 transmits the partly protected output egress frame to the peer network device over the IP tunnel of the public wide area network).
The combination of Arangasamy and Lin may not explicitly teach, but Varadhan, which is in a same field of endeavor, discloses the method wherein, identifying, from multiple logical interfaces configured on the network device, a particular logical interface associated with the security policy (par. 0036, the user interface supports a command syntax that allows the logical interfaces for the individual customer VPNs 30 to be used in conjunction with the physical interfaces 27 of r outer 20 to define zones and corresponding security polices to be applied by FW 22 to those zones).
 It would have been obvious to one of ordinary skill in the art before the effective filing data of the claimed invention to combine the teachings of Arangasamy and Lin with Varadhan, to provide a user interface by which VPN tunnels can be defined as logical interfaces for purposes of security policies, and these logical interfaces can be used like other physical interfaces to define zones to which policies are to be applied by the device (par. 0012).

Regarding claim 17, (Original) the combination of Arangasamy, Lin and Varadhan teaches all elements of the current invention as stated in claim 16 above. Lin further discloses 
capturing the decrypted packet in response to determination that packet capture is enabled on the particular logical interface (col. 4, line 23-27, a flow policy in the flow policy database 611 may indicate inspection of particular packets (e.g., those that meet one or more conditions) by a security service 630; col. 5, 38-45, The security service 630 may comprise a virtual machine that provides computer network security services, such as packet inspection, for the sender component 622 and other virtual machines. For example, the security service 630 may comprise a virtual machine with a virtual network interface card [logical interface] that is coupled to the redirect port 623-2 and re-inject port 623-3 of the SDN switch 620; clm. 10, inspecting the outgoing packets in the security component for compliance with security policies; storing a copy of the outgoing packets in the SDN switch).

Regarding claim 18, (Currently Amended) the combination of Arangasamy, Lin and Varadhan teaches all elements of the current invention as stated in claim 16 above. Varadhan discloses the non-transitory computer-readable storage medium of claim 16, wherein the method further comprises (Fig. 8): 
prior to detecting the ingress encrypted packet, configuring multiple security policies that include the security policy, and the multiple logical interfaces which are associated with the respective multiple security policies (par. 0036, the user interface supports a command syntax that allows the logical interfaces for the individual customer VPNs 30 to be used in conjunction with the physical interfaces 27 of r outer 20 to define zones and corresponding security polices to be applied by FW 22 to those zones).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure
Chen (US 20100191958 A1)-Figure 4, “based on the security policy, capturing the egress packet in an unencrypted form.”
Without limiting the scope “SDN” of the body of the claim, the claims cannot emphasize the inventive concepts. For example, a newly found prior art, Chen (US 20100191958 A1, the prior art made of record and not relied upon is considered pertinent to applicant’s disclosure), discloses the limitation “based on the security policy, capture the egress packet in an unencrypted form” (See Figure 4). Therefore, Examiner recommends further clarify and limiting the scope of the claim’s body to emphasize the inventive concepts.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANDREW SUH whose telephone number is (571)270-5524.  The examiner can normally be reached on campus 7:00 AM- 4:30 PM, alternate Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on (571) 272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/A.S./            Examiner, Art Unit 2493                   


/CHAU LE/            Primary Examiner, Art Unit 2493