DETAILED ACTION
The present application is being examined under the pre-AIA first to invent provisions.

Reason for Allowance
The following is an examiner’s statement of reasons for allowance: Claims 1-10, 12-15, 17-19 and 21-23 are allowed.
The invention is directed to a network security device to apparatuses and methods for connecting tunnels to channel a data flow from a user terminal to a mobile network through a virtual switch in a network device including a virtual machine configured to provide a service by processing data in the data flow. Each of the independent claims 1, 2, 14, 17 and 23 contains the following underlined features that, when combined with other features in the claims, conventional techniques of record in the art failed to anticipate or render obvious at the time when the instant invention was made.
Regarding claim 1, A method for interposing a computing unit between a network node and another network device in a mobile network, the method comprising: dispatching a virtual machine on the computing unit, the virtual machine being configured to provide a service by processing data in a data flow from a user terminal to the other network device through the network node to support functionality of an application running in the virtual machine; configuring a first General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnel between the network node and the computing unit to receive the data flow via the first GTP tunnel, and a second GTP configuring, in the computing unit, a virtual switch having a first port that is a terminal point for the first GTP tunnel and a second port that is a starting point for the second GTP tunnel to forward the data flow there-between, and configured to supply the data to the virtual machine, wherein the virtual switch operates to forward the data flow from the first GTP tunnel to the second GTP tunnel, according to one or more predetermined traffic management rules.
Regarding claim 2, A method performed by a device having one or more processors, the method comprising: establishing a first tunnel between the device and a node of a mobile network to receive a data flow from a user terminal via the first tunnel, and a second tunnel between the device and another network device of the mobile network to forward the data flow via the second tunnel, the first tunnel and the second tunnel operating according to Internet protocols; connecting the first tunnel to the second tunnel using a virtual switch running on the device; connecting a virtual machine running on the device to the virtual switch, the virtual machine being configured to provide a service by processing data in the data flow to support functionality of an application running in the virtual machine; and configuring the virtual switch to forward the data flow from the first tunnel to the second tunnel, according to one or more predetermined traffic management rules.
Regarding claim 14, A computing unit, comprising: at least one physical interface configured to communicate with a node of a mobile network and another network device of the mobile network; and a data processing unit including one or more processors and configured to establish a first tunnel between the computing unit and the node of the the virtual machine being configured to provide a service to the user terminal by processing data in the data flow to support functionality of an application running in the virtual machine, wherein the data processing unit is further configured to run the executable codes corresponding to the virtual switch such that to forward the data flow from the first tunnel to the second tunnel, according to one or more predetermined traffic management rules. 
Regarding claim 17, A non-transitory computer readable medium storing executable codes which, when executed on a computer having a mobile network interface and one or more processors, make the computer perform a method comprising: establishing a first tunnel between the device and a node of a mobile network to receive a data flow from a user terminal via the first tunnel, and a second tunnel between the device and another network device of the mobile network to forward the data flow, the first tunnel and the second tunnel operating according to Internet protocols; connecting the first tunnel to the second tunnel using a virtual switch running on the device; and connecting a virtual machine running on the device to the virtual switch, the virtual machine being configured to provide a service by processing data in the data flow to support functionality of an application running in the virtual machine; wherein the virtual switch operates to forward the data flow from the first tunnel to the second tunnel, according to one or more predetermined traffic management rules.
Regarding claim 23, A device in a mobile network, the device comprising: a mobile network interface configured to enable the device to communicate to a computing unit; a data processing unit configured to provide information to a switch controller for configuring a virtual switch running on the computing unit to operate as a General Packet Radio Service (GPRS) Tunneling Protocol (GTP) tunnel end point, and to redirect a network node and another network device that have initially been connected via a GTP tunnel, to connect via a first GTP tunnel and a second GTP tunnel to the computing unit, respectively, wherein the computing unit receives a data flow from a user terminal via the first GTP tunnel, forwards the data flow via the second GTP tunnel, the first GTP tunnel being connected to the second GTP tunnel by the virtual switch, and connects a virtual machine running on the computing unit to the virtual switch, the virtual machine being configured to provide a service by processing data in the data flow to support functionality of an application running in the virtual machine, wherein the virtual switch operates to forward the data flow from the first GTP tunnel to the second GTP tunnel, according to one or more predetermined traffic management rules.
Therefore, independent claims 1 and 23 and independent claims 2, 14 and 17, together with their respective dependent claims, are allowed for the reason given above.

Claims 3-10, 12-13 and 15 and 18-19, 21-22 are allowed since they depend on claims 2, 14 and 17 respectively.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED M BOKHARI whose telephone number is (571)270-3115.  The examiner can normally be reached on Monday through Friday.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kwang B Yao can be reached on 5712723182.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/SYED M BOKHARI/Examiner, Art Unit 2473, 5/5/2021
/KWANG B YAO/Supervisory Patent Examiner, Art Unit 2473