DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This is in response to the amendments filed on 03/18/2021. Claims 1, 7 and 7 have been amended. Claim 2 has been canceled. Claim 8 is added. Claims 1 and 3-8 are currently pending and have been considered below.

Response to Arguments
Applicant’s arguments, see pages 5-8, filed 03/18/2021, with respect to the rejection(s) of claims 1-7 under 35 U.S.C. 103, have been fully considered but are moot. Applicant's amendment necessitated the new ground(s) of rejection, as will be discussed below.

Meanwhile, on page 7 of Remarks, Applicant states that mere updating of the setting in the plurality of servers based on the request analysis results as in Yasuda is substantially different from the "setting the one or each of the plurality of common access sources to an address corresponding to a management device ... ," as specifically recited in amended claim 1. The examiner respectfully disagrees.
	First of all, the claim recites “setting the one or each of the plurality of common access sources to an address corresponding to a management device ... ", but does not specify what the term “setting” means. Thus, under the broadest reasonable interpretation, it can be interpreted as (an address corresponding to) the management device being set as the one or each of the plurality of common access sources.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1 and 5-7 are rejected under 35 U.S.C. 103 as being unpatentable over Yasuda et al. (US 2013/0227097 A1; hereinafter, “Yasuda”) in view of Lee (US 9,634,990 B2; hereinafter, “Lee”).

Regarding claim 1:
Yasuda teaches:
(para. [0200]: a computer readable recording medium that records the configuration management program, a program product that includes the configuration management program and may be loaded into an internal memory of the computer, and a computer such as a server including the program; para. [0001]: a multi-tenancy information processing system, a management server, and a configuration management method; para. [0007]: with flexible network configuring the cloud, it is easy to apply the corporate IT system to the cloud), the process comprising:
constructing a plurality of platforms in the cloud (para. [0097]: The tenant segment management tables 351 are each generated at the time of initially constructing the tenant, referred to at the time of changing the configuration of the tenant, and deleted at the time of deleting the tenant configuration; para. [0076]: The servers 110 are arranged in a plurality of segments. --- It is noted that the tenants and servers teach platforms; FIG. 17: FIG. 17 illustrates a configuration example of a multi-tenant system) when definition information on a construction of the platform is received from a plurality of information processing devices via a network (para. [0120]: The configuration management request receiving unit 301 receives a tenant configuration management request from the management consoles 135a and 135b (S801); para. [0026]: receives, from a management console, a configuration change request including type information on a request representing any one of addition, deletion, and movement of the virtual machine, a tenant identifier of a target tenant, and a segment identifier of a target segment; para. [0109]: The type of configuration change request 701 represents any one of addition, deletion, and movement of the virtual machine; Fig. 1: a management network 115; para. [0072]: According to a requirement from each of the clients, the devices such as the plurality of routers 131, firewalls 141, load balancers 151, or switches 161 are selectively used to configure a tenant. In the present specification, the tenant represents a system virtually configured for each of the clients; para. [0128]: The device specifying unit 340 in the network configuration changing unit 332 searches the tenant management table 350 with the use of the tenant identifier included in the configuration change request, and specifies the corresponding tenant segment management tables 351 (S901). 
--- It is noted that a tenant configuration management request and the management tables in FIGs. 4 to 7 teach definition information on a construction of a platform; the devices of clients 101a and 101b teach a plurality of information processing devices; and the management network teaches via a network); 
causing each of the plurality of platforms constructed at the constructing to include a firewall (para. [0072]: According to a requirement from each of the clients, the devices such as the plurality of … firewalls 141 are selectively used to configure a tenant; FIG. 17: tenants 1 and 2 each include a firewall) initialized to … accesses … one or a plurality of common access sources that are common to the platform (FIGs. 4, 5, 6 and 14 & para. [0097]: The tenant segment management tables 351 are each generated at the time of initially constructing the tenant, referred to at the time of changing the configuration of the tenant, and deleted at the time of deleting the tenant configuration. Also, when the number of segments within the tenant is changed by the configuration change of the tenant, table contents are updated by the management table changing unit 343; para. [0093]: At the time of changing the virtual machine configuration of the tenant, the management server 116 rapidly specifies necessary NW setting and the NW device group to be subjected to the NW setting by the aid of the use case of the virtual machine and the network segment information in addition to the tenant identifier; paras. [0169]-[0171]: The management server according to the present invention is, for example, a management device in a multi-tenancy information processing system including a plurality of clients, a service network having plural types of network devices, and a plurality of servers, in which a virtual machine is configured in the servers, the management device: is coupled with the respective devices configuring the multi-tenancy information processing system through a management network,). --- It is noted that "generated at the time of initially constructing the tenant" teaches a firewall initialized; FIG. 14 shows source servers and destination IP addresses, where the source server (e.g., the management server) teaches one common access source, and the destination IP addresses (e.g., the tenant identifier) teach the platform; the management device being coupled with the respective devices (see also FIG. 1) teaches one common access source that is common to the platform);
setting the one or each of the plurality of common access sources to … a management device that controls construction of the platforms (paras. [0169]-[0171]: The management server according to the present invention is, for example, a management device in a multi-tenancy information processing system including a plurality of clients, a service network having plural types of network devices, and a plurality of servers, in which a virtual machine is configured in the servers, the management device: is coupled with the respective devices configuring the multi-tenancy information processing system through a management network,); paras. [0176] and [0179]: the management device may include: … a virtual machine configuration changing unit that changes the setting in the plurality of servers, and a network configuration changing unit that changes the setting in the network devices configuring the service network. --- It is noted that the management device being coupled with the respective devices (see also FIG. 1) teaches setting one common access source to a management device; here, the claim does not specify what the term “setting” means, thus it is interpreted as the management device being set as the one or each of the plurality of common access sources; the management device including a virtual machine configuration changing unit that changes the setting in the plurality of servers teaches a management device that controls construction of the platforms).
Yasuda is silent about:
… a firewall … block accesses excluding one or a plurality of … access sources …;
… an address corresponding to a … device … 
Lee, in the same field of endeavor, teaches:
… a firewall … block accesses excluding one or a plurality of … access sources … (col. 27, ll. 51-56: Firewall rules can be used to allow only specific traffic in and out of a cloud chamber or virtual machine within a cloud chamber. Firewall rules can be used to allow only specific traffic to and from a cloud chamber or virtual machine within a cloud chamber; col. 28, ll. 54-60: When a virtual machine is added to a server group in an application profile, all neighbors for this new member can be found from the data structure. The system generates the firewall rules for this new virtual machine. --- It is noted that firewall rules allowing only specific traffic to and from a cloud chamber or virtual machine teach a firewall that blocks accesses excluding one or a plurality of access sources; here, "allows only specific traffic" is interpreted as having the same meaning as "block accesses excluding one or a plurality of access sources"); 
… an address corresponding to a … device … (col. 20, ll. 34-45: The firewall rule can include the IP address associated with the component to, for example, filter the connections that are allowed to the component, filter the connections coming from the component, or both … When the device is instantiated, the firewall generator can generate firewall rules for that component and push the firewall rules to that component in the cloud chamber; col. 20, ll. 53-56: For example, a first firewall rule may include as a permitted source an IP address assigned to the first virtual machine in the server group. --- It is noted that a first firewall rule may include as a permitted source an IP address associated with the component teaches an address corresponding to a device. In other words, where a device is connected to a network, the term “device” includes a corresponding address thereof). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yasuda’s system by enhancing Yasuda’s system to generate a firewall rule to allow only specific traffic to and from virtual machines (e.g., servers), as taught by Lee.
The motivation is to protect the enterprise’s data center from malware, internal attacks, inadvertent configurations, spoofing, data theft, and so forth by allowing only specific traffic to and from virtual machines (e.g., servers) particularly at the time of changing the virtual machine configuration of the tenant. 

Regarding claim 5:
Yasuda in view of Lee teaches:
The non-transitory computer-readable recording medium according to claim 1. 
Yasuda further teaches:
wherein the plurality of information processing devices are information processing devices belonging to different tenants (para. [0070]: A data center 100 communicates with, for example, devices of clients 101a and 101b through appropriate networks such as WANs 105a, 105b, and a dedicated network 106. --- It is noted that devices 101b belong to a different client; and the clients teach tenants).

Regarding claim 6:
Claim 6 recites a method which corresponds to the process stored in the non-transitory computer-readable recording medium of claim 1, and contains no additional limitations. 
Therefore claim 6 is rejected by applying the same rationale used to reject claim 1 above. 

Regarding claim 7:
Claim 7 recites a control device which corresponds to the process stored in the non-transitory computer-readable recording medium of claim 1, and additionally contains a memory (para. [0070]: The data center 100 includes a server 110 that provides a service to the clients, a storage 111 that is coupled to the server through a storage area network (SAN), a service network 113, a management switch 120, a management server 116, and a management console 135a having a configuration management I/F 180b. --- It is noted that the data center teaches a control device; the management server teaches a processor; and the storage teaches a memory).
Therefore claim 7 is rejected by applying the same rationale used to reject claim 1 above.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Yasuda et al. (US 2013/0227097 A1; hereinafter, “Yasuda”) in view of Lee (US 9,634,990 B2; hereinafter, “Lee”), and further in view of Schneebeli et al. (US 8,010,627 B1; hereinafter, “Schneebeli”).

Regarding claim 3:
Yasuda in view of Lee teaches:
The non-transitory computer-readable recording medium according to claim 1, wherein the process further comprising: 
Yasuda further teaches:
... the one or each of the plurality of common access sources (paras. [0169]-[0171]: The management server according to the present invention is, for example, a management device in a multi-tenancy information processing system including a plurality of clients, a service network having plural types of network devices, and a plurality of servers, in which a virtual machine is configured in the servers, the management device: is coupled with the respective devices configuring the multi-tenancy information processing system through a management network,); paras. [0176] and [0179]: the management device may include: … a virtual machine configuration changing unit that changes the setting in the plurality of servers, and a network configuration changing unit that changes the setting in the network devices configuring the service network. --- It is noted that the management device being coupled with the respective devices (see also FIG. 1) teaches one common access source) … application software to be operated on the platforms … (FIG. 17 & para. [0090]: the virtual machine configuration changing unit 331 updates the setting in the plurality of servers on the basis of request analysis results. For example, the virtual machine configuration changing unit 331 sets the virtual NIC and the VLAN to be allocated to the NIC; para. [0082]: The virtual machine 203a includes a business application 241a, an operating system (OS) 242, and a virtual NIC 243. --- It is noted that the virtual machine (i.e., an application and an operating system) teaches application software to be operated on the platforms); and
updating a setting of the firewall to a state where all accesses are permitted, at an operation stage for operating the developed application software on the platforms (FIGs. 4, 5 and 6 & para. [0097]: when the number of segments within the tenant is changed by the configuration change of the tenant, table contents are updated by the management table changing unit 343; para. [0076]: The servers 110 are arranged in a plurality of segments. The tenant 1 includes, for example, segments A to D. The segments are, for example, segments (for example, the segments C and D in FIG. 17) that section a portion in which a server group (for example, web servers, mail servers) used for communication with an external such as the internet is arranged, and segments (for example, the segments A and B in FIG. 17) in which business servers within a corporate network are arranged through the firewall 141c. --- It is noted that a server group (for example, web servers, mail servers) used for communication with an external network teaches all accesses being permitted at an operation stage for operating the developed application software on the platforms).
Yasuda is silent about:

Lee teaches:
… an address corresponding to a … device … (col. 20, ll. 34-45: The firewall rule can include the IP address associated with the component to, for example, filter the connections that are allowed to the component, filter the connections coming from the component, or both … When the device is instantiated, the firewall generator can generate firewall rules for that component and push the firewall rules to that component in the cloud chamber; col. 20, ll. 53-56: For example, a first firewall rule may include as a permitted source an IP address assigned to the first virtual machine in the server group. --- It is noted that a first firewall rule may include as a permitted source an IP address associated with the component teaches an address corresponding to a device. In other words, where a device is connected to a network, the term “device” includes a corresponding address thereof); and
updating a setting of the firewall to a state … (col. 22, l. 63- col. 23, l. 2: By examining and analyzing the computing flows in the application profile, however, the system can rapidly and automatically generate the appropriate firewall rules to ensure protection of new resources provisioned into the server groups defined in the application profile and update the rules when resources are removed from the server groups defined in the application profile.).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yasuda’s system by enhancing Yasuda’s system to update a firewall rule, as taught by Lee, in order to protect the virtual machine behind the firewall reflecting a change of state. 
The motivation is to protect the enterprise from malware, internal attacks, inadvertent configurations, spoofing, data theft, and so forth even under a change of state using a firewall. 
Yasuda in view of Lee is silent about:
.
Schneebeli teaches:
setting the … common access sources to … a development source that develops application software … at a development stage of the application software (col. 2, ll. 48-49: The content is generated in a staging area; col. 5, ll. 13-15: Preferably, access to staging area 16 is only provided through limited access input 18. Access may be limited to certain users, such as system administrators, and may include one or more levels of access; col. 6, ll. 7-13: the administrator or content developer may either log on to the network 10 at firewall 30 for access to staging area 16 or connect to production area 14 by generating a request from network backbone 12. --- It is noted that the content developers teach a development source; content being generated in a staging area teaches a development source that develops application software at a development stage of the application software; the content developer logging on to the network 10 at firewall 30 for access to staging area 16 teaches setting the common access sources to a development source. It is further noted that the claim does not specify what the term "setting" means, thus it can be interpreted as the development source being the one or each of the plurality of common access sources). 
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yasuda in view of Lee’s system by enhancing Yasuda in view of Lee’s system to allow content developers to access the staging area, as taught by Schneebeli, in order to develop the contents. 
The motivation is to protect the multi-tenant system from unverified sources by blocking them from entering the constructing environment, except for specifically allowed network sources, using a firewall (Schneebeli, col. 2, ll. 13-20).

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Yasuda et al. (US 2013/0227097 A1; hereinafter, “Yasuda”) in view of Lee (US 9,634,990 B2; hereinafter, “Lee”), and further in view of Koyama et al. (US 2018/0234295 A1; hereinafter, “Koyama”).

Regarding claim 4:
Yasuda in view of Lee teaches:
The non-transitory computer-readable recording medium according to claim 1, wherein the process further comprising: 
Yasuda teaches:
… the initial setting when a setting screen for setting blocking or permission of an access for the firewall is displayed (para. [0166]: The NW command generating screen is displayed in the management consoles 135a and 135b. The screen illustrated in FIG. 14 exemplifies a screen for setting the filtering, but other screens may be applied).
Yasuda in view of Lee is silent about:
hiding the initial setting …
Koyama, in an analogous field of endeavor, teaches: 
hiding the initial setting (see para. [0110]: the setting manager 48 stores setting information of the electronic blackboard 2 in the setting file storage 430… The setting information of the electronic blackboard 2 may be network settings … Here, the network settings may include an Internet protocol (IP) address setting of the electronic blackboard 2, … a default gateway setting, and a Domain Name System (DNS) setting; see para. [0111]: the setting file output unit 49b stores the setting information of the electronic blackboard 2 in the USB memory 5 as a setting file. Here, the content of the setting file may not be viewed by the user for a security reason; see para. [0225]: the display controller 223… displays the setting information setting screen … on the display 210. --- It is noted that the setting file not being viewable by the user for a security reason teaches hiding the initial setting). 
 when the firewall configuration interface displays the configuration setting of the firewall, as taught by Koyama, in order to protect the default setting configuration of the firewall.
The motivation is to prevent the default setting configuration from being changed unintentionally by a user, or from being viewed or changed by an unauthorized user, by setting it not to display the setting information on the display.

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Yasuda et al. (US 2013/0227097 A1; hereinafter, “Yasuda”) in view of Lee (US 9,634,990 B2; hereinafter, “Lee”), and further in view of Aaron (US 2008/0172731 A1; hereinafter, “Aaron”).

Regarding claim 8:
Yasuda in view of Lee teaches:
The non-transitory computer-readable recording medium according to claim 1, wherein the process further comprising: 
Yasuda teaches:
when the development source meets a plurality of conditions for permitting or denying a communication, causing the firewall to permit or deny the development source … (see FIG. 14. --- It is noted that the filtering setting display screen in FIG. 14 shows source server, application#, protocol#, and enable setting, which teaches the development source meeting a plurality of conditions for permitting or denying a communication, and causing the firewall to permit or deny the development source).
Yasuda is silent about:

Aaron teaches:
… permit or deny ... according to a condition having a relatively high priority among the plurality of conditions (claim 9: wherein modifying the firewall policy to allow the group of the questionable packets associated with a next highest priority to pass through the firewall unblocked further includes modifying the firewall policy to block the group of the questionable packets previously allowed to pass through the firewall unblocked. --- It is noted that the firewall policy allowing the group of the questionable packets associated with a next highest priority teaches permitting or denying according to a condition having a relatively high priority among the plurality of conditions).
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Yasuda in view of Lee’s system by enhancing Yasuda in view of Lee’s system to give a priority to the firewall policy, as taught by Aaron, in order to allow source servers access based on the order of priority defined in the firewall policy.
The motivation is to improve the efficiency of protecting the multi-tenant system from external sources by setting the firewall policy to block, with high priority, access from certain sources that are well known to be dangerous, or dangerous in some circumstances. 
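The following is an added worked model of the claimed firewall life cycle as it is characterized in the rejections of claims 1, 3 and 8 above (a per-platform firewall initialized to block all accesses except a common access source corresponding to the management device, a development source admitted at the development stage, all accesses permitted at the operation stage, and conflicting conditions resolved by the higher-priority rule). It is example code written for this page; it is not part of the Office Action, the application, or any of the cited references. The addresses, the rule priorities, the CIDR notation for sources, and the "lower number wins" ordering are assumptions made for illustration.

```python
"""Added example: a priority-ordered, default-deny firewall per platform.

Constructed model, not code from the application or the cited references.
Assumptions: IPv4 sources written as CIDR strings, rules evaluated in ascending
priority number (lower number = higher priority), default action is deny.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed address standing in for "an address corresponding to a management device".
MANAGEMENT_DEVICE = "10.0.0.5"


@dataclass(order=True)
class Rule:
    priority: int        # lower value is consulted first (assumed convention)
    source: str          # CIDR, e.g. "10.0.0.5/32"; "0.0.0.0/0" matches any source
    action: str          # "permit" or "deny"
    label: str = ""      # free-text description, for readability only


@dataclass
class Firewall:
    rules: List[Rule] = field(default_factory=list)
    default_action: str = "deny"   # block everything not explicitly permitted

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)
        self.rules.sort()          # keep highest-priority (lowest number) first

    def decide(self, src: str) -> str:
        """Return the action of the first (highest-priority) rule matching src."""
        addr = ip_address(src)
        for rule in self.rules:
            if addr in ip_network(rule.source, strict=False):
                return rule.action
        return self.default_action


@dataclass
class Platform:
    tenant: str
    definition: Dict[str, str]
    firewall: Firewall


def construct_platform(tenant: str, definition: Dict[str, str]) -> Platform:
    """Claim 1: build a platform from its definition information; the firewall is
    initialized so only the common access source (management device) is permitted."""
    fw = Firewall()
    fw.add(Rule(0, f"{MANAGEMENT_DEVICE}/32", "permit", "common access source: management device"))
    return Platform(tenant, dict(definition), fw)


def enter_development_stage(platform: Platform, dev_source: str) -> None:
    """Claim 3 (development stage): admit the development source as an access source."""
    platform.firewall.add(Rule(10, f"{dev_source}/32", "permit", "development source"))


def deny_source(platform: Platform, cidr: str) -> None:
    """Claim 8: a deny condition placed at a higher priority than any later
    allow-all rule, so it still wins once the platform is opened up."""
    platform.firewall.add(Rule(5, cidr, "deny", "blocked source"))


def enter_operation_stage(platform: Platform) -> None:
    """Claim 3 (operation stage): permit all accesses, subject to higher-priority denies."""
    platform.firewall.add(Rule(100, "0.0.0.0/0", "permit", "operation stage: all accesses"))


if __name__ == "__main__":
    # Constructed walk-through of one tenant's platform.
    p = construct_platform("tenant-1", {"segments": "A,B"})
    print("initial, management device:", p.firewall.decide(MANAGEMENT_DEVICE))
    print("initial, other source:     ", p.firewall.decide("203.0.113.7"))
    enter_development_stage(p, "192.0.2.10")
    print("development, dev source:   ", p.firewall.decide("192.0.2.10"))
    deny_source(p, "198.51.100.0/24")
    enter_operation_stage(p)
    print("operation, other source:   ", p.firewall.decide("203.0.113.7"))
    print("operation, blocked source: ", p.firewall.decide("198.51.100.9"))
```

The point the model makes explicit is the one the rejection of claim 8 turns on: when a source matches both a deny condition and the operation-stage allow-all, the outcome is decided by whichever condition carries the higher priority, so the order of the rule table, not the order in which the rules were added, governs the result.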

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO 
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WANSIK YOU whose telephone number is (571)270-3360.  The examiner can normally be reached 7:30-5:30 M-Th.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ASHOKKUMAR PATEL can be reached on (571)-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ASHOKKUMAR B PATEL/            Supervisory Patent Examiner, Art Unit 2491