DETAILED ACTION
Response to Amendment
This action is in response to amendment filed July 13, 2021 for the application # 16/248,828 filed on January 16, 2019. Claims 1-20 are pending and are directed toward NETWORK POLICY MIGRATION IN A FEDERATED HYBRID CLOUD.
Any claim objection/rejection not repeated below is withdrawn due to Applicant's amendment.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as 


 Claims 1-6, 8-13 and 15-20 are rejected under 35 U.S.C. 102(a)(1) as being unpatentable over Raman et al. (US 2015/0281178, Pub. Date: Oct. 1, 2015), hereinafter referred to as Raman.
As per claim 1, Raman teaches a method of migrating a firewall policy between a first virtual data center and a second virtual data center (In some embodiments, a GVM can migrate from a first host to a second host in a multi-host environment. For such environments, the SVMI APis also allow the firewall SVM to specify the firewall engine's behavior to prepare for such a GVM migration. Raman, [0008]), comprising:
establishing a communication link between a first firewall server in the first virtual data center and a second firewall server in the second virtual data center over a network (The firewall engine of the first host can then send directly or indirectly (through a YM migrator executing on the host) the supplied connection state information to the firewall engine of the second host. Raman, [0008]), the first firewall server having a first firewall defined by polices applied to groups of objects in the first virtual data center (For instance, the SYMI APIs include a set of one or more APIs that allows a firewall SYM on the GYM's first host or second host to obtain the set of entries in the firewall engine's connection state data store that relate to the migrating GYM. Raman, [0008]);
obtaining, at the first firewall server, an inventory of objects in the second virtual data center from the second firewall server (Through this API set, the SYM on the first host can receive, update, and supply connection state information. Raman, [0008]);
determining firewall rule tuples (FIG. 3 illustrates an example of firewall rules that are specified in terms of the traditional five-tuple packet identifiers. Raman, [0016]) by mapping the FIG. 17 presents a data flow diagram that illustrates the firewall SYM using the SYM interface to obtain connection state data from the firewall engine on a second host to which a GYM migrated from a first host. Raman, [0027]); and
sending the firewall rule tuples to enforcement points in the second virtual data center (Similarly, through this API set, the SYM on the second host can receive and possibly update connection state information from the firewall engine on the second host. Accordingly, this API set relieves the firewall SYMs on the first and second hosts from having to have a separate mechanism to synchronize their firewall states. Raman, [0008]).
As per claim 2, Raman teaches the method of claim 1, further comprising: setting the first firewall server as a master server; and setting the second firewall server as a slave server (The firewall engine of the first host can then send directly or indirectly (through a VM migrator executing on the host) the supplied connection state information to the firewall engine of the second host. Raman, [0088]).
As per claim 3, Raman teaches the method of claim 1, wherein at least a portion of the objects in the inventory of the second virtual data center are migrated from the first virtual data center (For instance, the SVMI APis include a set of one or more APis that allow a firewall SVM on the GYM' s first host or second host to obtain the set of entries in the firewall engine's connection state data storage 125 that relate to the migrating GYM. Raman, [0088]), and wherein the method further comprises: obtaining migration information at the first firewall server from the second firewall server (Similarly, through this API set, the SVM on the second host can receive and possibly update connection state information from the firewall engine on the second host. Accordingly, this API set relieves the firewall SVMs on the first and second hosts from having to have a separate mechanism to synchronize their firewall states. Raman, [0088]).
As per claim 4, Raman teaches the method of claim 1, wherein the firewall rule tuples are further determined based on the migration information (Raman, [0054]).
As per claim 5, Raman teaches the method of claim 1, further comprising: sending the first firewall from the first firewall server to the second firewall server (Raman, [0088]).
As per claim 6, Raman teaches the method of claim 5, further comprising: modifying the first firewall at the second firewall server to generate a second firewall (Raman, [0088], [0098]). 
Claims 8-13 and 15-20 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 7 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Raman et al. (US 2015/0281178, Pub. Date: Oct. 1, 2015), in view of Litvin et al. (US 2009/0249438, Pub. Date: Oct. 1, 2009), hereinafter referred to as Raman and Litvin.
As per claim 7, Raman teaches the method of claim 1, but silent about removing the communication link, Litvin however teaches further comprising: removing the communication link between the first and second firewall servers (Litvin, [0112]).
another advantage is that virtual machines can be instantiated as needed, then shut down when no longer needed, freeing the resources of the physical computer to run other virtual machines. Therefore, a system with multiple virtual machines that are needed at different times saves more resources by running each virtual machine only when that virtual machine is needed (Litvin, [0006]).

Claim 14 has limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of obviousness as used above.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-20 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-20 of copending Application No. 16/248,824 (reference application). Although the claims at issue are not identical, they are not patentably distinct from each other because all elements of claims 1-20 of the instant application correspond to elements of claims 1-20 of the reference application.
This is a provisional nonstatutory double patenting rejection because the patentably indistinct claims have not in fact been patented.
Response to Arguments
Applicant’s arguments with regards to claims 1-20 have been fully considered, but they are not persuasive.
“in contrast” argument – applicant argues that In contrast, the cited portions of Raman describe a method for transferring, from a first host to a second host, a set of entries in a firewall connection state data store in preparation for migration of a virtual machine. Specifically, the firewall connection state entries are stored actions that a firewall returns for different attribute sets of communicated data packets, but are separate from firewall rules (e.g., five tuples).7 For example, FIG. 3 of Raman illustrates "an example of firewall rules . . . that are specified in terms of the traditional five-tuple packet identifiers," while FIG. 4 of Raman illustrates "an example of connection state data ... stored in a connection state data storage (Raman, page 9, and similar pages 10-11).
Response: FIG.4 of Raman, cited by Applicant, shows Identifiers and Source, Destination, which all are considered the claimed objects, as follows at least from Specification [0028], [0032]. Compare with [0051] and [0066]-[0069] of Raman. Specifically Raman teaches “The publisher 615 detects changes to the firewall rules in the host data storage 610. In response to any detected change (e.g., addition, deletion or modification of firewall rules), the publisher pushes firewall rules that are affected by the detected change to the firewall engine 115. In some embodiments, the firewall engine maintains different firewall rule tables for different GYMs. In some of these embodiments, the publisher pushes the firewall rules for the different GYMs to the different firewall rule tables through the firewall engine 115.” Therefore Raman teaches “inventory of objects” such as different GVMs and identifiers, Raman further teaches firewall rules applied to different objects, and finally Raman teaches firewall rule tuples related to group of objects, as for example in “In some embodiments, each firewall rule in the data storage 120 is specified in terms of (1) the same set of packet identifiers ( e.g., five-tuple identifiers) that the firewall engine receives from the port, and (2) an action that is typically specified as an "allow" to allow a packet through or a "deny" to drop the packet. An identifier in a firewall rule can be specified in terms of an individual value or a wildcard value in some embodiments. In other embodiments, the identifier can further be defined in terms of a set of individual values or an abstract container, such as a security group, a compute construct, a network construct, etc.” (Raman, [0047]). As per migration, Examiner points Applicant’s attention to [0058], [0059] of Raman, and specifically “the configured behaviors in some embodiments also include other behaviors. For instance, the SYM 135 might configure the firewall engine 115 with configuration rules that specify how the firewall engine should check a packet that is exchanged between source and destination GYMs that execute on the same host. Absent special configuration, such a packet would cause the firewall engine in some embodiments to check twice with the firewall SYM, once for the source GYM and once for the destination GYM. However, through the SYMI APIs of some embodiments, the firewall SYM can configure the firewall engine to have the firewall SYM perform a check for such a packet only once, either for the source GYM or for the destination GYM. More details about interaction between firewall SYM and source and destination GYMs when the source and destination GYMs are on the same host are discussed below in Section IV.” (Raman, [0058]). 
Conclusion -Therefore, in view of the above reasons, Examiner maintains rejections.
 
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on 5:00 AM- 4:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SALEH NAJJAR can be reached on (571) 272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/OLEG KORSAK/Primary Examiner, Art Unit 2492