Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This communication is in response to the Amendment filed on 02/02/2021. After a thorough search, review of the prosecution history and Applicant's remarks, and in view of the prior art of record, claims 1-20 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s amendment was given in a telephone interview with Raymond Wilbur Zenkert on 03/01/2021.
The application has been amended as follows: 
For the specification: in ¶ [00330]
application programming interface (API)

For the claims:
1. (Previously presented) A method by a computer processor comprising:
creating isolated overlay tunnels over a physical underlay and creating isolated network segments in a wide area network (WAN), wherein each of the tunnels is encrypted with a different set of keys;
exposing, by a multi-tenant controller, an application programming interface (API) through which a policy of a plurality of policies is defined; 
allocating a respective identity of a plurality of identities, a respective application of a plurality of applications, and a respective network-isolation identifier of a plurality of network-isolation identifiers to each of the plurality of policies for controlling a plurality of data flows in the wide area network (WAN), wherein each of the plurality of identities comprises at least a user identity for one user associated with an enterprise, wherein each of the plurality of applications comprises an application name, and wherein each of the network-isolation identifiers is a virtual WAN isolation identifier; 

transmitting, by the multi-tenant controller, the plurality of policies, and a plurality of application signatures for the plurality of applications, and a plurality of application definitions for the plurality of applications to a device, wherein each of the plurality of application signatures is based on one of: (a) a size pattern of encrypted flow transactions, and (b) a frequency pattern of the encrypted flow transactions; wherein each of the plurality of application definitions is customized for the device based on a location of the device by sending the device a customized domain name for each of the plurality of applications, wherein each of the plurality of applications has a plurality of domain names; 
identifying, by the device, a specific application out of the plurality of applications and a specific identity out of the plurality of identities for a data flow of the plurality of data flows, wherein the specific application and the specific identity are associated with the data flow, wherein the identifying includes analyzing the data flow to detect a presence of an application signature; and
applying, by the device, a policy of the plurality of policies to the data flow based on the specific application and the specific identity.

2. (Previously presented) The method of claim 1, wherein the wide area network comprises connectivity selected from a group including hybrid, physical, and logical.

3. (Previously presented) The method of claim 1, further comprising performing application analysis on application data flows on the network on a per session basis.

4. (Previously presented) The method of claim 1, wherein a policy string defines a business policy applicable to traffic associated with the specific application on the network.

5. (Previously presented) The method of claim 4, wherein the policy string comprises a policy string format.

6. (Previously presented) The method of claim 5, wherein the policy string format is standardized.

7. (Previously presented) The method of claim 1, wherein traffic associated with the specific application on the network is encrypted.

8. (Previously presented) A system comprising:
at least one processor and a memory coupled to the at least one processor;
a device; and  
a centrally controllable multi-tenant controller that executes on the at least one processor, wherein the memory is configured to store data, and the at least one processor is configured to control a plurality of assets across a plurality of distributed computing environments;
wherein the at least one processor coupled to the memory is configured to:
create isolated overlay tunnels over a physical underlay and create isolated network segments in a wide area network (WAN), wherein each of the tunnels is encrypted with a different set of keys, and the wide area network connects the plurality of distributed computing environments;
expose, via the multi-tenant controller, an application programmer interface (API) through which a policy of a plurality of policies is defined;
allocate a respective identity of a plurality of identities, a respective application of a plurality of applications, and a respective network-isolation identifier of a plurality of network-isolation identifiers to each of the plurality of policies for controlling a plurality of data flows in the wide area network (WAN), wherein each of the plurality of identities comprises at least a user identity for one user associated with an enterprise, wherein each of the plurality of applications comprises an application name, and wherein each of the network-isolation identifiers is a virtual WAN isolation identifier;
insert a specific network-isolation-identifier of the plurality of network-isolation identifiers at a network-entry and remove the specific network-isolation-identifier at a network-exit, wherein the specific network-isolation identifier is bidirectional for traffic in a virtual WAN; 
transmit, via the multi-tenant controller, the plurality of policies, and a plurality of application signatures for the plurality of applications, and a plurality of application definitions for the plurality of applications to the device, wherein each of the plurality of application signatures is based on one of: (a) a size pattern of encrypted flow transactions, and (b) a frequency pattern of the encrypted flow transactions, wherein each of the plurality of application definitions is customized for the device based on a location of the device by sending the device a customized domain name for each of the plurality of applications, wherein each of the plurality of applications has a plurality of domain names; 
identify, via the devices, a specific application out of the plurality of applications and a specific identity out of the plurality of identities for a data flow of the plurality of data flows, wherein the specific application and the specific identity are associated with the data flow, wherein the identifying includes analyzing the data flow to detect a presence of an application signature; and
apply, via the device, a policy of the plurality of policies to the data flow based on the specific application and the specific identity.

9. (Previously presented) The system of claim 8, wherein the wide area network comprises connectivity selected from a group including hybrid, physical, and logical.

10. (Previously presented) The system of claim 8, further configured to perform application analysis on application data flows on the network on a per session basis.

11. (Previously presented) The system of claim 8, wherein a policy string defines a business policy applicable to traffic associated with the specific application on the network.

12. (Previously presented) The system of claim 11, wherein the policy string comprises a policy string format.

13. (Previously presented) The system of claim 12, wherein the policy string format is standardized.

14. (Previously presented) The system of claim 8, wherein traffic associated with the specific application on the network is encrypted.

15. (Currently amended) A non-transitory computer-readable medium storing instructions that adapt at least one processor to:
create isolated overlay tunnels over a physical underlay and create isolated network segments in a wide area network (WAN), wherein each of the tunnels is encrypted with a different set of keys;
expose, by a multi-tenant controller, an application programmer interface (API) through which a policy of a plurality of policies is defined; 
allocate a respective identity of a plurality of identities, a respective application of a plurality of applications, and a respective network-isolation identifier of a plurality of network-isolation identifiers to each of the plurality of policies for controlling a plurality of data flows in the wide area network (WAN), wherein each of the plurality of identities comprises at least a user identity for one user associated with an enterprise, wherein each of the plurality of applications comprises an application name, and wherein each of the network-isolation identifiers is a virtual WAN isolation identifier; 
insert a specific network-isolation-identifier of the plurality of network-isolation identifiers at a network-entry and remove the specific network-isolation-identifier at a network-exit, wherein the specific network-isolation identifier is bidirectional for traffic in a virtual WAN; 
transmit, by the multi-tenant controller, the plurality of policies, and a plurality of application signatures for the plurality of applications, and a plurality of application definitions for the plurality of applications to a device, wherein each of the plurality of application signatures is based on one of: (a) a size pattern of encrypted flow transactions, and (b) a frequency pattern of the encrypted flow transactions; wherein each of the plurality of application definitions is customized for the device based on a location of the device by sending the device a customized domain name for each of the plurality of applications, wherein each of the plurality of applications has a plurality of domain names; 
identify, by the device, a specific application out of the plurality of applications and a specific identity out of the plurality of identities for a data flow of the plurality of data flows, wherein the specific application and the specific identity are associated with the data flow, wherein the identifying includes analyzing the data flow to detect a presence of an application signature; and
apply, by the device, a policy of the plurality of policies to the data flow based on the specific application and the specific identity.
16. (Currently amended) The non-transitory computer-readable medium of claim 15, wherein the wide area network comprises connectivity selected from a group including hybrid, physical, and logical.

17. (Currently amended) The non-transitory computer-readable medium of claim 15, wherein each policy comprises a policy string defining a business policy applicable to traffic associated with the specific application.

18. (Currently amended) The non-transitory computer-readable medium of claim 17, wherein the policy string comprises a policy string format.

19. (Currently amended) The non-transitory computer-readable medium of claim 18, wherein the policy string format is standardized.

20. (Currently amended) The non-transitory computer-readable medium of claim 17, wherein traffic associated with the application is encrypted.

21-27. (Canceled)

Reason for Allowance
The following is an examiner’s statement of reasons for allowance: 
Creating isolated network segments in a wide area network (WAN) with isolated overlay tunnels wherein each of the tunnels is encrypted with different keys; inserting a bidirectional network-isolation identifier at a network-entry and removing the network-isolation identifier at a network-exit, wherein the network-isolation identifier is a virtual WAN isolation identifier; analyzing a data flow based on an application signature, wherein the application signature is based on a size pattern or a frequency pattern of encrypted flow transactions; customizing application definitions by sending a customized domain name for each application, wherein each application has a plurality of domain names. 

The prior art of record does not disclose the limitations above in combination with the remaining elements in the independent claims.
The allowable subject matter is now reflected in applicant's independent claim 1 and similarly in independent claims 8 and 15. Dependent claims 2-7, 9-14, and 16-20 depend from allowed claims and are therefore also allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HANNAH S WANG whose telephone number is (571)272-9018.  The examiner can normally be reached on Monday-Friday 9AM-5:30 PM ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HANNAH S WANG/Primary Examiner, Art Unit 2454