DETAILED ACTION

1.	Notice of Pre-AIA or AIA Status: The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


2.	Claims 1-20 are presented for allowance. 

3.	This allowance of application 16/399783 is in response to an Applicant-initiated interview filed on June 30, 2021.

Claim Interpretation

4.	Claim 1 recites “a packet received from a network device which yields a modified packet.”  Applicant remarked (Page 3 of Remarks) that “Applicant’s Specification clearly explains that edge devices [] sometimes apply network address translation to a packet and modify the source address indicated in the header of a packet” and “the claim should be interpreted as reciting two source addresses with one corresponding to the client device that transmitted the packet (as recited in the claim itself) and the other source address corresponding to a network device that is not the transmitting client device, which can happen when traversing an edge device or a proxy as described in the Applicant’s specification.”  When considering the Applicant’s remarks, dependent claim 4 

5.	Claim 7 recites “an X-Forward-For field.”  Instant Specification [0010] states “an X-Forwarded-For (XFF) field of the packet header” and [0026] states “configured at startup or modified/programmed during operation to record data from an XFF field.” 

	Since the instant specification does not explain the XFF feature, a brief search reveals Xie et al., Petersson et al., Load Balancer.

Xie et al. (US 10104121) (col 2 lines 45-63) teach “application field retrieval module can be configured to analyze each application layer packet and retrieve application information such as one or more application fields from the packet, which can help identify the end user of the packet.  In an instance, each packet of HTTP application type includes an information field XFF (‘X-Forwarding For’) that indicates the IP address of the end user.  Similarly, each packet of SIP application type includes an information field SIP address, which indicates the IP address of the end user.”  “Based on specific information fields such as XFF, SIP address, identity (such as IP address) of the end user can be determined.”  (col 6 

Petersson et al. (“Forwarded HTTP Extension”, RFC 7239, 2014) [Pages 3-4] teach “a common way to disclose this information is by using the non-standard header field such as X-Forwarded-For, X-Forwarded-By, and X-Forwarded-Proto.  There are many benefits to using a standardized approach to commonly desired protocol function:  not least is interoperability between implementations.  This document standardizes a header field called ‘Forwarded’ and provides the syntax and semantics for disclosing such information.  ‘Forwarded also combines all the information within one single header field, making it possible to correlate this 



	The explanations provided by Xie, Petersson, Load Balancer, and the instant specification help to interpret the claims.
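As an added illustration, not part of the office action, the applicant's specification or any cited reference, the following Python sketch shows the claimed handling: both source addresses are recorded, the X-Forwarded-For value is honoured only when the packet arrives from a known load balancer/proxy/edge router and a configuration parameter permits it (the forgery caveat the cited references raise), and the second source address drives the repository lookup and the policy decision. The trusted address range, repository entries, group names and actions are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample configuration; address ranges, repository entries and
# policy groups are illustrative only and are not taken from the office action.
TRUSTED_NETWORK_DEVICES = [ipaddress.ip_network("203.0.113.0/24")]  # load balancers / edge proxies
REPOSITORY: Dict[str, Dict[str, str]] = {  # client address -> characteristics (claims 2, 3)
    "198.51.100.7": {"geo": "REGION-A"},
    "198.51.100.9": {"geo": "REGION-B"},
}
GROUP_POLICY = {"REGION-A": "throttle", "REGION-B": "block"}  # first policy per group (claims 6, 19)
DEFAULT_ACTION = "allow"


@dataclass
class HeaderInfo:
    first_source: str             # IP-layer source address field (the network device)
    second_source: Optional[str]  # X-Forwarded-For address (the client), if recorded


def record_header_info(peer_addr: str, headers: Dict[str, str],
                       record_xff: bool = True) -> HeaderInfo:
    """Record both source addresses. The XFF value is only recorded when the
    immediate sender is a known load balancer/proxy/edge router (claim 4) and
    the configuration parameter record_xff is set (claim 5), because an XFF
    header arriving from an arbitrary host can be forged."""
    peer = ipaddress.ip_address(peer_addr)
    from_trusted_device = any(peer in net for net in TRUSTED_NETWORK_DEVICES)
    second = None
    xff = headers.get("X-Forwarded-For")
    if record_xff and from_trusted_device and xff:
        # Each proxy appends its peer; the leftmost entry is the originating client.
        candidate = xff.split(",")[0].strip()
        try:
            second = str(ipaddress.ip_address(candidate))
        except ValueError:
            second = None  # malformed value: fall back to the IP-layer source
    return HeaderInfo(first_source=peer_addr, second_source=second)


def analyze_and_apply(info: HeaderInfo) -> Tuple[str, str]:
    """Analyze the modified packet on the second source address when present
    (falling back to the first, as claim 8 permits), determine the client's
    policy group from the repository, and return (client_address, action)."""
    client = info.second_source or info.first_source
    group = REPOSITORY.get(client, {}).get("geo")
    return client, GROUP_POLICY.get(group, DEFAULT_ACTION)
```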

Examiner’s Amendment

6.	An examiner's amendment to the record appears below.  Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR § 1.312.  To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the Issue Fee.

7.	Authorization for this examiner’s amendment was given by Steve Gilliam via an email interview to USPTO on August 18, 2021.

8.	The claims have been amended as follows:


1.	(Currently Amended) A method comprising:
recording header information in a packet received from a network device which yields a modified packet, 
wherein the header information includes a first source address in a first header field and a second source address in a second header field, 
wherein the first source address corresponds to the network device and the second source address corresponds to a client device which transmitted the packet prior to the network device transmitting the packet;
analyzing the modified packet based, at least in part, on the second source address;
determining that the client device belongs to a group of devices controlled by a first policy; and
applying the first policy to the modified packet and other network traffic from the client device.

2.	(Currently Amended) The method of claim 1:
wherein analyzing the modified packet based, at least in part, on the second source address comprises querying a repository using the second source address to obtain characteristics of the client device;


3.	(Original) The method of claim 2, further comprising 
determining a geographic location for the client device based on the second source address indicated in the header information, 
wherein at least a first characteristic of the characteristics of the client device is the geographic location.

4. 	(Original) The method of claim 1, further comprising determining that the second header field should be recorded based, at least in part, on determining that the network device is at least one of a load balancer, a gateway, a proxy, or an edge router.

5.	(Original) The method of claim 1, wherein recording the header information is performed by a firewall, further comprising determining, by the firewall, that the second header field should be recorded based, at least in part, on a value of a configuration parameter.

6.	(Currently Amended) The method of claim 1, wherein applying the first policy to the modified packet and other network traffic from the client device comprises modified packet and the other network traffic should be at least one of blocked, allowed, throttled, and logged.

7.	(Original) The method of claim 1, wherein the first header field is a source address field and the second header field is an X-Forward-For field.

8.	(Currently Amended) The method of claim 1, wherein the analysis of the modified packet is based on the second source address instead of the first source address or the analysis of the packet is also based on the first source address.

9.	(Currently Amended) A non-transitory, computer-readable medium having instructions stored thereon that are executable by a computing device to perform operations comprising:
recording header information in a packet received from a network device which yields a modified packet, 
wherein the header information includes a first source address in a first header field and a second source address in a second header field, 
wherein the first source address corresponds to the network device and the second source address corresponds to a client device which transmitted the packet prior to the network device transmitting the packet;
analyzing the modified packet based, at least in part, on the second source address;

applying the first policy to the modified packet and other network traffic from the client device.

10.	(Currently Amended) The machine-readable media of claim 9:
wherein the instructions executable by the computing device to perform the operations comprising analyzing the modified packet based, at least in part, on the second source address comprise the instructions executable by the computing device to perform operations comprising querying a repository using the second source address to obtain characteristics of the client device;
wherein the instructions executable by the computing device to perform the operations comprising determining that the client device belongs to the group of devices controlled by the first policy are based, at least in part, on the obtained characteristics.

11.	(Currently Amended) The machine-readable media of claim 10, further comprising 
the instructions executable by the computing device to perform operations comprising determining a geographic location for the client device based on the second source address indicated in the header information, 


12.	(Currently Amended) The machine-readable media of claim 9, further comprising the instructions executable by the computing device to perform operations comprising determining that the second header field should be recorded based, at least in part, on determining that the network device is at least one of a load balancer, a gateway, a proxy, or an edge router.

13.	(Currently Amended) The machine-readable media of claim 9, wherein the computing device is a firewall, further comprising the instructions executable by the computing device to perform operations comprising determining that the second header field should be recorded based, at least in part, on a value of a configuration parameter.

14.	(Currently Amended) An apparatus comprising:
a processor; and
a computer-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to,
record header information in a packet received from a network device which yields a modified packet,
wherein the header information includes a first source address in a first header field and a second source address in a second header field, 

analyze the modified packet based, at least in part, on the second source address;
determine that the client device belongs to a group of devices controlled by a first policy; and
apply the first policy to the packet and other network traffic from the client device.

15.	(Currently Amended) The apparatus of claim 14:
wherein the instructions to analyze the modified packet based, at least in part, on the second source address comprise instructions to query a repository using the second source address to obtain characteristics of the client device;
wherein the instructions to determine that the client device belongs to the group of devices controlled by the first policy are based, at least in part, on the obtained characteristics.

16.	(Original) The apparatus of claim 15, further comprising
instructions to determine a geographic location for the client device based on the second source address indicated in the header information, 
wherein at least a first characteristic of the characteristics of the client device is the geographic location.

17.	(Original) The apparatus of claim 14, further comprising instructions to determine that the second header field should be recorded based, at least in part, on determining that the network device is at least one of a load balancer, a gateway, a proxy, or an edge router.

18.	(Original) The apparatus of claim 14, wherein the apparatus is a firewall, further comprising instructions to determine that the second header field should be recorded based, at least in part, on a value of a configuration parameter.

19.	(Currently Amended) The apparatus of claim 14, wherein the instructions to apply the first policy to the modified packet and other network traffic from the client device comprise instructions to determine that the packet and the other network traffic should be at least one of blocked, allowed, throttled, and logged.

20.	(Original) The apparatus of claim 14, wherein the first header field is a source address field and the second header field is an X-Forward-For field.


Reason for Allowance

9.	Claims 1, 9 and 14 of the present invention are directed towards the following:
recording header information in a packet received from a network device which yields a modified packet, 
wherein the header information includes a first source address in a first header field and a second source address in a second header field, 
wherein the first source address corresponds to the network device and the second source address corresponds to a client device which transmitted the packet prior to the network device transmitting the packet;
analyzing the modified packet based, at least in part, on the second source address;
determining that the client device belongs to a group of devices controlled by a first policy; and
applying the first policy to the modified packet and other network traffic from the client device.

10.	Regarding allowed claims 1, 9 and 14 presented above, the following is an examiner’s statement of reasons for allowance.  The following are the closest prior art:

Fluhrer et al. (US Pub 20090034557) [0007] teach “recording header information in a packet received” limitation, “wherein the header information includes” clause, and “wherein the first source address corresponds to” clause.

Dror et al. (US 9276851) (col 5 lines 59-66) teach “analyzing the modified packet” limitation.

Xie et al. (US 10104121) (col 2 lines 11-27, col 3 lines 10-16) teach “determining that the client device” limitation and part of “applying the first policy” limitation.

Kinoshita et al. (US Pub 20050141531) [0014] [0015].  

Chang (US Pub 20050135359) [0011].

Ignatchenko (US Pub 20180048567) [0069] [0392] [0416] [0440] [0464].

Petersson et al. (“Forwarded HTTP Extension”, RFC 7239, 2014) teach various Extensions.

According to Information Sciences Institute (“Internet Protocol”, RFC 791, 1981), page 28 shows the “Internet Header Format” that clearly shows one “source address” in one field and one “destination address” in another field.



According to Wikimedia, “the X-Forward-For (XFF) header is a de facto standard supported by most HTTP proxy software.  It appends the IP address of the client to the HTTP header which is passed on to the server.  Thus, the server can determine the client IP, because this header can be forged.  Wikipedia and other Wikipedia websites will only accept XFF headers which come from sources which are known to be trusted.”

11.	In summary, nowhere do the prior art disclose the unique combination of steps/elements listed above.  The unique combination of steps/elements listed 

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

12.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to O. Charlie Vostal whose telephone number is 571-270-3992.  The examiner can normally be reached from 8:30am to 5:00pm EST Monday through Friday.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Thu Nguyen can be reached on 571-272-6967.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





	/ONDREJ C VOSTAL/           Primary Examiner, Art Unit 2452
	August 20, 2021