DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This Action is in response to communications filed on 06/03/2021.
Claims 1, 3-11, 16-17 and 19-20 have been amended.
Claims 2 has been cancelled, and new claim 21 has been added.
Claims 1 and 3-21 are presented for examination, claims 1, 19 and 20 being independent. 
Claims 1 and 3-21 remain pending in this application.

Response to Arguments Regarding Claim Objections
In the non-final office Action mailed on 03/03/2021, claim 9 was objected to due to minor informalities. In the response filed on 06/03/2021, Applicant amended the claim to obviate the objections. As a result, the respective claim objection made in the non-final office Action mailed on 03/03/2021 has been withdrawn.

Response to Arguments Regarding Claim Rejections - 35 USC § 102/ 103
Applicant’s arguments with respect to rejection of claim(s) under 35 USC § 102/ 103 (see page 10-17) have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Objections
Claim(s) 1 and 4 objected to because of the following informalities:  
Claim 1 recites the limitation "the policies" in line 9. There is insufficient antecedent basis for this limitation in the claim.
Claim 4 recites the limitation "the corresponding first network device rules". There is insufficient antecedent basis for this limitation in the claim.
Appropriate correction is required.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claim(s) 1, 3-5, 7-10 and 19-21 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (hereinafter, Sharma, US 20180337849 A1) in view of Gupta et al. (hereinafter, Gupta, US 20160359913 A1) in view of Sabev et al (US 20150229526 A1), and in view of Heller (US 20110055483 A1).

Regarding claim 1, Sharma discloses a method for managing a network device fabric comprising a plurality of network devices (see [0185]; an SDN controller operates to configure and manage the cloud system/ network), the method comprising: 
obtaining, from a service device (Fig.1: 134; also see [0057]: lines 20-28; also see last 9 lines of [0060] and [0061] in view of [0006]), a first service device policy set (see Fig.1:180; also see [0058] lines 1-7; the SBC 134 is able to provide instructions to the SDN Controller regarding policy flow instructions; also see Fig.20E:2048 and [0206]; the SDN controller is operated to receive the instructions from the SBC); 
examining the first service device policy set to identify a first set of qualifiers and a first traffic flow action for each policy in the first service device policy set (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service; also see [0205]; SBC is operated to generate instructions that include information by which the first programmable switch can identify packets of the first media packet flow and an action/command for the first programmable switch; examiner articulates that identifying one or more SDN programmable switches of the media packet flow based on policy instruction for the media micro flow service received from SBC imply examining the policy and identifying a first set of qualifiers, and identifying instructions for the media micro flow service (i.e., action/command for the first programmable switch) imply identifying a first traffic flow action); 
deriving, from each policy in the first service device policy set, a corresponding network device rule (see [0060] lines 15-22; the SBC 134 then uses the SDN control plane interface to communicate one or more rules that the SBC 134 wants propagated into the network. The SDN controller 112 determines how to apply these rules and depending on the implementation may translate the rules into lower level primitives and install them into the programmable network switches, e.g., SDN OpenFlow switches) from the corresponding first set of qualifiers and the first traffic flow action (see last 2 lines of [0059]; SDN controller 112 dynamically programs flows in the SDN system 100; also see [0083]; the SDN switch 300 includes one or more components for implementing instructions received from an SDN controller, the instructions including for example identifying packets of a media packet flow and performing actions upon the packets of a media packet flow; In some embodiments, the instructions include matching a packet to a flow based on the contents of the IPv4 or IPv6 packet header and modifying the IP address, before forwarding); and 
deploying the policies in the first service device policy set, wherein deploying a policy in the first service device policy set comprises: transmitting a command to each of the network devices of the network device fabric to deploy the corresponding network device rule (see Fig.1:182; also see last 4 lines of [0058]; the SDN controller dynamically sends policy enforcement instructions to the devices of the SDN network, e.g., SDN programmable switches, to enforce the policies; also see [0060] lines 15-22; the SBC 134 uses the SDN control plane interface to communicate one or more rules that the SBC 134 wants propagated into the network. The SDN controller 112 determines how to apply these rules and depending on the implementation may translate the rules into lower level primitives and install them into the programmable SDN OpenFlow switches; also see [0061]-[0063]; In the SDN network, media services are realized by rules or instructions programmed into the SDN programmable switches… Offloading relay aspects to a switch; SBC flows are realized from a network wide perspective using the underlying SDN aware network).
Sharma does not explicitly teach deploying the policies in the first service device policy set in an order from most specific to least specific, wherein deploying a policy in the first service device policy set comprises: determining whether each of the network devices confirms deployment of the corresponding network device rule; and revoking deployment of the corresponding network device rule at each of the network devices if any of the network devices reports failure to deploy the corresponding network device rule, wherein once deployment of the policy in the first service device policy set has been revoked, 
Gupta discloses deploying the policies in the first service device policy set in an order from most specific to least specific (see [0054]; a general policy may allow a certain communication while a more specific policy may block the communication. In some such example embodiments, various resolution techniques can be implemented; for example, the policies can be ordered according to importance and the first matching policy can be enforced with respect to the communication. In some example embodiments, the most specific policy can be implemented; specific meaning that the match is according to a high degree of granularity. For example, a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter, which is applicable to 254 IP addresses. Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0062]-[0063] in view of Fig.6:610-614; network may be capable of resolving policy conflicts, such as enforcing more specific policies before less specific policies; the policy engine prioritizes enforcement based on granularity (or specificity),… and add the one or more policies to the one or more policies to the policy table; also see [0068]; one of the policies in conflict can have an increased level of specificity in comparison to the other policies. A policy with increased specificity can be associated with a smaller collection of endpoints, ports, protocols, etc. Thus, the policy with increased specificity can be applied instead of the conflicting other policies. In some example embodiments, policies are applied in a sequential order even if they are in conflict.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma to deploy the policies in the first service device policy set in an order from most specific to least specific.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Sabev discloses wherein deploying a policy in the first service device policy set (see [0008]; network devices associated with a network are consistently configured) comprises: 
transmitting a command (see Fig.3:315, 325 and 335) to each of the network devices (see Fig.3:310A-C; also see Fig.1:105A-N) of the network device fabric (see Fig.1:100) to deploy the corresponding network device rule (see [0011]; network device 105A is configured first and upon successful configuration of the network device 105A, network device 105B is configured and so on);
determining whether each of the network devices (see Fig.3:310A-C) confirms deployment of the corresponding network device rule (see Fig.3:320, 330, 340, 350 and 360; also see [0012]; When configuration of the network device is successful within the predetermined number of times, sequential configuration of the network devices is proceeded to configure next network device in the network; also see [0016]; confirmation of successful configuration of the load balancer 310A is received… the load balancer 310B is successfully configured… a message indicating unsuccessful configuration of the load balancer 310C is received); and 
revoking deployment of the corresponding network device rule at each of the network devices (see Fig.3:365-380; also see [0018]; a configuration of a second network device is reverted when the configuration of the first network device is unsuccessful upon retrying for the predetermined number of times; since configuration of load balancer 310C of FIG. 3 is unsuccessful, the configuration of the load balancer 310A and the load balancer 310B are reverted or “rolledback”) if any of the network devices reports failure to deploy the corresponding network device rule (see [0016]; confirmation of successful a message indicating unsuccessful configuration of the load balancer 310C is received).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Sabev with Sharma and Gupta so that deploying a policy in the first service device policy set comprises: transmitting a command to each of the network devices of the network device fabric to deploy the corresponding network device rule; determining whether each of the network devices confirms deployment of the corresponding network device rule; and revoking deployment of the corresponding network device rule at each of the network devices if any of the network devices reports failure to deploy the corresponding network device rule.
One of ordinary skill in the art would have been motivated to ensure consistency in the configuration of the network devices (Sabev: [0008]).
Although, and as set forth above, Gupta discloses deploying the policies in the first service device policy set in an order from most specific to least specific (see [0054]; also see [0062]-[0063]), Sharma (modified by Gupta and Sabev) does not explicitly teach wherein once deployment of the policy in the first service device policy set has been revoked, remaining undeployed policies in the first service device policy set that are less specific than a revoked policy are not deployed.
Heller discloses wherein once deployment of the policy in the first service device policy set has been revoked (see Fig.8:850-860), remaining undeployed policies (see Fig.8:855 and 820) in the first service device policy set are not deployed (also see [0045]; the lack of a transaction failure condition (600) allows the processor to continue in the AIG active mode; also see [0052]; After loads and stores in an AIG are processed it is determined (850) whether there has been an AIG failure as described in the descriptions of FIG. 3 and FIG. 4. If there is a failure then special handlers are invoked (860)... These possible failure handlers may require the rollback of the AIG which caused the failure… If no failure was detected then it is determined whether the load or store was the last instruction of the AIG; examiner articulates that the remaining AIG instructions are not processed (i.e. step 855 is not executed for next instruction) if AIG failure and rollback occurs).

One of ordinary skill in the art would have been motivated to lower complexity and to detect conflict in system with large number of processors and interconnections (Heller: [0021]).

Regarding claim 3, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 1, as set forth above. In addition, Sharma further discloses wherein the first set of qualifiers comprises an application- protocol qualifier (APQ) (see [0058]; Box 180 indicates that the SBC 134 is able to provide instructions to the SDN Controller regarding policy flow instructions, 5-tuple information (source transport number, source Internet Protocol address, destination transport number, destination Internet Protocol address, and Protocol type (e.g., UDP or TCP)), bandwidth, DSCP marking, and Network Address and Port Translation; examiner articulates that the “Protocol type” information within the policy flow instructions corresponds to an application- protocol qualifier).
Sharma does not explicitly disclose wherein the first set of qualifiers further comprises an intercept source qualifier (ISQ) reflecting an ANY state and an intercept destination qualifier (IDQ) reflecting the ANY state.
However, Gupta discloses wherein the first set of qualifiers (see Fig.3: 304 and 308) further comprises an intercept source qualifier (ISQ) reflecting an ANY state (see Fig.3: 304 for row 301f) and an intercept destination qualifier (IDQ) reflecting the ANY state (see Fig.3: 308 for row 301f; also see [0050]; Policy table 300 can include policies 301a-301f (collectively, "301") for enforcement in a network… in some example embodiments one or both of source and destination are not specified).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma, Sabev and Heller so that 
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Regarding claim 4, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 1, as set forth above. In addition, Sharma further discloses wherein at least one of the corresponding first network device rules is directed to an offload network device rule subclass (see [0061]-[0063]; In the SDN network, media services are realized by rules or instructions programmed into the SDN programmable switches … Offloading relay aspects to a switch; SBC flows are realized from a network wide perspective using the underlying SDN aware network; examiner articulates that rules or instructions programmed into the SDN programmable switches that is used in offloading relay aspects to the SDN switch corresponds to an offload network device rule subclass).

Regarding claim 5, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 1, as set forth above. In addition, Sharma further discloses wherein deploying the policy (see [0058]-[0063]) further comprises: 
identifying a network device set that forms the network device fabric (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service).

Regarding claim 7, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 1, as set forth above. In addition, Sharma discloses the method further comprising:
obtaining, from the service device, a second service device policy set (see [0167]; the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 that receive packets with the 6-tuple Src: Port_E, IP_E, MAC_E Dest: SBC_Port_J, SBC_IP_J, SBC_MAC_J are rewritten to Src: SBC_Port_G1, SBC_IP_G, SBC_MAC_G Dest: MID_Port_H1, MID_IP_H, MID_MAC_H and directed to the media interworking device in the SDN network having address MID_Port_H1, MID_IP_H and MID_MAC_H for receiving media packets. Also the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 to rewrite packets received with the 6-tuple Src: MID_Port_H2, MID_IP_H, MID_MAC_H Dest: SBC_Port_G2, SBC_IP_G, SBC_MAC_G to be rewritten to Src: SBC_Port_K, SBC_IP_K, SBC_MAC_K Dest: Port_F, IP_F, MAC_F and directed to communications device E 1010); 
examining the second service device policy set to identify a second set of qualifiers and a second traffic flow action for each policy in the second service device policy set (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service; also see [0205]; SBC is operated to generate instructions that include information by which the first programmable switch can identify packets of the first media packet flow and an action/command for the first programmable switch; examiner articulates that identifying one or more SDN programmable switches of the media packet flow based on second policy instruction for the media micro flow service received from SBC imply examining the second policy and identifying a second set of qualifiers, and identifying instructions for the media micro flow service (i.e., action/command for the programmable switch) imply identifying a second traffic flow action); 
deriving, from each policy in the second service device policy set, a corresponding second network device rule (see [0060] lines 15-22; the SBC 134 then uses the SDN control plane interface to communicate one or more rules that the SBC 134 wants propagated into the network. The SDN controller 112 determines how to apply these rules and depending on the implementation may translate the rules into lower level primitives and install them into the programmable network switches, e.g., SDN OpenFlow switches) from the corresponding second set of qualifiers and the second traffic flow action (see last 2 lines of [0059]; SDN controller 112 dynamically programs flows in the SDN system 100; also see [0083]; the SDN switch 300 includes one or more components for implementing instructions received from an SDN controller, the instructions including for example identifying packets of a media packet flow and performing actions upon the packets of a media packet flow; In some embodiments, the instructions include matching a packet to a flow based on the contents of the IPv4 or IPv6 packet header and modifying the IP address, before forwarding).
Sharma does not explicitly disclose deploying the policies in the second service device policy set in an order from most specific to least specific.
Gupta discloses deploying the policies in the second service device policy set in an order from most specific to least specific (see [0054]; a general policy may allow a certain communication while a more specific policy may block the communication. In some such example embodiments, various resolution techniques can be implemented; for example, the policies can be ordered according to importance and the first matching policy can be enforced with respect to the communication. In some example embodiments, the most specific policy can be implemented; specific meaning that the match is according to a high degree of granularity. For example, a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter, which is applicable to 254 IP addresses. Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0062]-[0063] in view of Fig.6:610-614; network may be capable of resolving policy conflicts, such as enforcing more specific policies before less specific policies; the policy engine prioritizes enforcement based on granularity (or specificity),… and add the one or more policies to the one or more policies to the policy table; also see [0068]; one of the policies in conflict can have an increased level of specificity in comparison to the other policies. A policy with increased specificity can be associated with a smaller collection of endpoints, ports, protocols, etc. Thus, the policy with increased specificity can be applied instead of the conflicting other policies. In some example embodiments, policies are applied in a sequential order even if they are in conflict.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma, Sabev and Heller to deploy the policies in the second service device policy set in an order from most specific to least specific.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Regarding claim 8, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 7, as set forth above. In addition, Sabev discloses the functionality wherein the deploying of the policies in the second service device policy set (see [0008]; network devices associated with a network are consistently configured) comprises: 
transmitting a command (see Fig.3:315, 325 and 335) to each of the network devices (see Fig.3:310A-C; also see Fig.1:105A-N) of the network device fabric (see Fig.1:100) to deploy the corresponding second network device rule (see [0011]; network device 105A is configured first and upon successful configuration of the network device 105A, network device 105B is configured and so on);
determining whether each of the network devices (see Fig.3:310A-C) confirms deployment of the corresponding second network device rule (see Fig.3:320, 330, 340, 350 and 360; also see [0012]; When configuration of the network device is successful within the predetermined number of times, sequential configuration of the network devices is proceeded to configure next network device in the network; also see [0016]; confirmation of successful configuration of the load balancer 310A is received… the load balancer 310B is successfully configured… a message indicating unsuccessful configuration of the load balancer 310C is received); and 
revoking deployment of the corresponding second network device rule at each of the network devices (see Fig.3:365-380; also see [0018]; a configuration of a second network device is reverted when the configuration of the first network device is unsuccessful upon retrying for the predetermined number of times; since configuration of load balancer 310C of FIG. 3 is unsuccessful, the configuration of the load balancer 310A and the load balancer 310B are reverted or “rolledback”) if any of the network devices reports failure to deploy the corresponding second network device rule (see [0016]; confirmation of successful configuration of the load balancer 310A is received… the load balancer 310B is successfully configured… a message indicating unsuccessful configuration of the load balancer 310C is received).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Sabev with Sharma and Gupta so that deploying of the policies in the second service device policy set comprises: transmitting a command to each of the network devices of the network device fabric to deploy the corresponding second network device rule; determining whether each of the network devices confirms deployment of the corresponding second network device rule; and revoking deployment of the corresponding second network device rule at each of the network devices if any of the network devices reports failure to deploy the corresponding second network device rule.
One of ordinary skill in the art would have been motivated to ensure consistency in the configuration of the network devices (Sabev: [0008]).
Although, and as set forth above, Gupta discloses deploying the policies in the first service device policy set in an order from most specific to least specific (see [0054]; also see [0062]-[0063]), Sharma (modified by Gupta and Sabev) does not explicitly teach wherein once deployment of the policy in the second service device policy set has been revoked, remaining undeployed policies in the second service device policy set that are less specific than a revoked policy are not deployed.
Heller discloses wherein once deployment of the policy in the second service device policy set has been revoked (see Fig.8:850-860), remaining undeployed policies (see Fig.8:855 and 820) in the second service device policy set are not deployed (also see [0045]; the lack of a transaction failure condition (600) allows the processor to continue in the AIG active mode; also see [0052]; After loads and stores in an AIG are processed it is determined (850) whether there has been an AIG failure as described in the descriptions of FIG. 3 and FIG. 4. If there is a failure then special handlers are invoked (860)... These possible failure handlers may require the rollback of the AIG which caused the failure… If no failure was detected then it is determined whether the load or store was the last instruction of the AIG; examiner articulates that the remaining AIG instructions are not processed (i.e. step 855 is not executed for next instruction) if AIG failure and rollback occurs).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Heller with Sharma, Gupta and Sabev to have a method wherein once deployment of the policy in the second service device policy set has been revoked, remaining undeployed policies in the second service device policy set that are less specific than a revoked policy are not deployed.
One of ordinary skill in the art would have been motivated to lower complexity and to detect conflict in system with large number of processors and interconnections (Heller: [0021]).

Regarding claim 9, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 1, as set forth above. In addition, Sharma discloses the method further comprising prior to deriving the first network device rule (see [0169]-[0170] in view of Fig.10; the SDN switches are program by the SBC via the SDN controller; also [0173] in view of Fig.14:1426 and 1428; instructions are in the form of a flow table entries that are installed in one or more SDN switch(es) 1512, 1514, 1516, . . . , 1518 of the SDN network 1506 for the media flow from device E 1004 to device E 1010 illustrated by line 1836 on FIG. 18... Both switches 3 and N may and in some embodiments do have instructions TAG04 and 05 installed in them): 
obtaining, from the service device, a second service device policy set (see [0167]; the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network Also the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 to rewrite packets received with the 6-tuple Src: MID_Port_H2, MID_IP_H, MID_MAC_H Dest: SBC_Port_G2, SBC_IP_G, SBC_MAC_G to be rewritten to Src: SBC_Port_K, SBC_IP_K, SBC_MAC_K Dest: Port_F, IP_F, MAC_F and directed to communications device E 1010). 
Sharma does not explicitly disclose establishing a processing prioritization based on a first specificity of the first service device policy set and a second specificity of the second service device policy set; and based on the processing prioritization: offloading enforcement of the second service device policy set, prior to offloading enforcement of the first service device policy set, onto the network device fabric.
Gupta discloses establishing a processing prioritization based on a first specificity of the first service device policy set and a second specificity of the second service device policy set (see [0054]; a general policy may allow a certain communication while a more specific policy may block the communication. In some such example embodiments, various resolution techniques can be implemented; for example, the policies can be ordered according to importance and the first matching policy can be enforced with respect to the communication. In some example embodiments, the most specific policy can be implemented; specific meaning that the match is according to a high degree of granularity. For example, a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter, which is applicable to 254 IP addresses. Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0063] in view of Fig.6:610; the policy engine prioritizes enforcement based on granularity (or specificity); and 
based on the processing prioritization: offloading enforcement of the second service device policy set, prior to offloading enforcement of the first service device policy set, onto the network device fabric (see [0054]; also see [0062]-[0063] in view of Fig.6:610-614; network may be capable of resolving policy conflicts, such as enforcing more specific policies before less specific policies; the policy engine prioritizes enforcement based on granularity (or specificity),… and add the one or more policies to the one or more policies to the policy table; also see [0068]; one of the policies in conflict can have an increased level of specificity in comparison to the other policies. A policy with increased specificity can be associated with a smaller collection of endpoints, ports, protocols, etc. Thus, the policy with increased specificity can be applied instead of the conflicting other policies. In some example embodiments, policies are applied in a sequential order even if they are in conflict).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma, Sabev and Heller to obtain a second service device policy set prior to deriving the first network device rule; establish a processing prioritization based on a first specificity of the first service device policy set and a second specificity of the second service device policy set; and based on the processing prioritization: to offload enforcement of the second service device policy set, prior to offloading enforcement of the first service device policy set, onto the network device fabric.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Regarding claim 10, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 9, as set forth above. In addition, Gupta further discloses wherein establishing the processing prioritization based on the first and second specificities (see [0054]; also see [0063] in view of Fig.6:610), comprises: 
examining the second service device policy set (Fig.3:301) to identify at least a second set of qualifiers (Fig.3:304 and 308; also see [0050]; Policy table 300 can include policies 301a-301f (collectively, "301") for enforcement in a network… Each policy 301 can specify packet attributes 302 such as source 304, destination 308, and action 316 to be applied to a packet when the packet matches each of packet attributes 302… In some example embodiments, the source and destination are of different types (e.g., source is a MAC address while destination is an endpoint group) while in some example embodiments one or both of source and destination are not specified; also see [0054]; a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter, which is applicable to 254 IP addresses. Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0063] in view of Fig.6:610); 
measuring the first specificity based at least on a first cardinality of the first set of qualifiers (see Fig.3:304 and 308 for row 301a; also see [0050]; in some example embodiments one or both of source and destination are not specified; also see [0054]; Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0063] in view of Fig.6:610; also see Fig.5: 502 and 504 for row 501a); 
measuring the second specificity based at least on a second cardinality of the second set of qualifiers (see Fig.3:304 and 308 for row 301e; Fig.3:304 and 308; also see [0050]; In some example embodiments, the source and destination are of different types (e.g., source is a MAC address while destination is an endpoint group); also see [0054]; Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0063] in view of Fig.6:610; also see Fig.5: 502 and 504 for rows 501b and/or 501d); 
making a determination, based on the second specificity exceeding the first specificity, that the second service device policy is more specific than the first service device policy (see [0054]; a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter,  more specific policies before less specific policies; also see [0068]; one of the policies in conflict can have an increased level of specificity in comparison to the other policies); and 
establishing the processing prioritization based on the determination (see [0054]; the most specific policy can be implemented; specific meaning that the match is according to a high degree of granularity; also see [0062]-[0063] in view of Fig.6:610-614; network may be capable of resolving policy conflicts, such as enforcing more specific policies before less specific policies; the policy engine prioritizes enforcement based on granularity (or specificity); also see [0068]; one of the policies in conflict can have an increased level of specificity in comparison to the other policies. A policy with increased specificity can be associated with a smaller collection of endpoints, ports, protocols, etc. Thus, the policy with increased specificity can be applied instead of the conflicting other policies. In some example embodiments, policies are applied in a sequential order even if they are in conflict; also see claim 3; the one or more policies are prioritized over the one or more first policies based on the one or more policies corresponding to a higher level of specificity than the one or more first policies).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma so that establishing the processing prioritization based on the first and second specificities, comprises: examining the second service device policy to identify at least a second set of qualifiers; measuring the first specificity based at least on a first cardinality of the first set of qualifiers; measuring the second specificity based at least on a second cardinality of the second set of qualifiers; making a determination, based on the second specificity exceeding the first specificity, that the second service device policy is more specific than the first service device policy; and establishing the processing prioritization based on the determination.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).
Regarding Claims 19 and 20, the claims list all the same limitations of claim 1, but as a system (see Sharma Fig.1:100; also see [0057]), comprising: a network device fabric comprising a plurality of interconnected network devices (see [0057] lines 1-10); a service device (Fig.1: 134; also see [0057]: lines 20-28; also see last 9 lines of [0060] and [0061] in view of [0006]) directly-connected to a network device (Fig.1:106) of a plurality of network devices of the network device fabric (see [0057]); and a control plane service (CPS) (Fig.1:112) operatively connected to the network device fabric (see [0057]); and a non-transitory computer readable medium (CRM) comprising computer readable program code (see Sharma [0349]-[0350]), which when executed by a computer processor (see Sharma Fig.21:2106 and Fig.22:2206), enables the computer processor to carry out the corresponding steps, rather than the method form. Therefore, the supporting rationale of the rejection to claim 1 and/or 19 applies equally as well to Claim 20.

Regarding claim 21, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 1, as set forth above. In addition, Gupta further discloses wherein the at least one of the corresponding first network device rule is directed to a compressed list of metadata descriptive of or pertinent to one or more types of network traffic flows (see [0054]; a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter, which is applicable to 254 IP addresses). 
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma so that at least one of the corresponding first network device rule is directed to a compressed list of metadata descriptive of or pertinent to one or more types of network traffic flows.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).
Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (hereinafter, Sharma, US 20180337849 A1) in view of Gupta et al. (hereinafter, Gupta, US 20160359913 A1) in view of Sabev et al (US 20150229526 A1) in view of Heller (US 20110055483 A1) in view of Ashley et al. (hereinafter, Ashley, US 20170155681 A1).
Regarding claim 6, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 5, as set forth above. Although, and as forth above, Sharma discloses transmitting the rule commit command (see [0093]; also see [0218]), Sharma (modified by Gupta, Sabev and Heller) does not explicitly disclose wherein determining whether a network device confirms deployment of the corresponding network device rule comprises: receiving a rule commit report from the network device.
Ashley discloses wherein determining whether a network device confirms deployment of the corresponding network device rule comprises: receiving a rule commit report from the network device (see [0038] in view of Fig.10:1030-1040; the network flow controller waits for an acknowledgement form the affected policy enforcement points… the network flow controller receives an acknowledgement from the enforcement points; also see [0040] in view of Fig.11:1120-1150; If the policies were successfully loaded, then the operation proceeds to step 1150 where the enforcement point notifies the network flow controller about the successful policy loading).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ashley with Sharma, Gupta, Sabev and Heller so that determining whether a network device confirms deployment of the corresponding network device rule comprises: receiving a rule commit report from the network device.
One of ordinary skill in the art would have been motivated to facilitate automatic deployment of a network security policy based on virtual network topology in a dynamic SDN (Ashley: Abstract) and so that the network flow controller directs the new flow to the next hop if the network flow controller receives an acknowledgement from the enforcement points (Ashley: [0038]-[0039]).

Claim(s) 11-16 and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (hereinafter, Sharma, US 20180337849 A1) in view of Gupta et al. (hereinafter, Gupta, US 20160359913 A1) in view of Sabev et al (US 20150229526 A1) in view of Heller (US 20110055483 A1) in view of Jain et al. (hereinafter, Jain, US 20140376367 A1).

Regarding claim 11, Sharma (modified by Gupta, Sabev and Heller) discloses the method of claim 1, as set forth above. In addition, Sharma discloses the method further comprising:
obtaining, from the service device, a second service device policy set (see [0167]; the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 that receive packets with the 6-tuple Src: Port_E, IP_E, MAC_E Dest: SBC_Port_J, SBC_IP_J, SBC_MAC_J are rewritten to Src: SBC_Port_G1, SBC_IP_G, SBC_MAC_G Dest: MID_Port_H1, MID_IP_H, MID_MAC_H and directed to the media interworking device in the SDN network having address MID_Port_H1, MID_IP_H and MID_MAC_H for receiving media packets. Also the SBC sends instructions and/or information to the SDN controller to configure SDN switches of the SDN network 1006 to rewrite packets received with the 6-tuple Src: MID_Port_H2, MID_IP_H, MID_MAC_H Dest: SBC_Port_G2, SBC_IP_G, SBC_MAC_G to be rewritten to Src: SBC_Port_K, SBC_IP_K, SBC_MAC_K Dest: Port_F, IP_F, MAC_F and directed to communications device E 1010). 
examining the second service device policy set to identify a second set of qualifiers and a second traffic flow action (see [0019]; method including the steps of: … (iii) operating the SDN controller to receive the instructions for the media micro flow service from the SBC; (iv) operating the SDN controller to identify one or more SDN programmable switches on which to install the instructions for the media micro flow service; also see [0205]; SBC is operated to generate instructions that include information by which the first programmable switch can identify packets of the first media packet flow and an action/command for the first programmable switch; examiner articulates that identifying one or more SDN programmable switches of the media packet flow based on policy instruction for the media micro flow service received from SBC imply examining the second policy and identifying a second set of .
Sharma does not explicitly disclose performing a lookup on a group assignment table using the second set of qualifiers, to identify a set of groups; deriving, from the second service device policy set, a second network device rule comprising the set of groups; and deploying policies in the second service device policy set in an order from most specific to least specific.
Gupta discloses deploying policies in the second service device policy set in an order from most specific to least specific (see [0054]; a general policy may allow a certain communication while a more specific policy may block the communication. In some such example embodiments, various resolution techniques can be implemented; for example, the policies can be ordered according to importance and the first matching policy can be enforced with respect to the communication. In some example embodiments, the most specific policy can be implemented; specific meaning that the match is according to a high degree of granularity. For example, a policy (or EPG) that pertains to an IP address of 192.168.1.5 is more specific than a policy or EPG that pertains to an IP subnet of 192.168.1.0/24 because the former describes a single IP address instead of the latter, which is applicable to 254 IP addresses. Specificity can be determined by any of the packet attributes described in a policy, such as IP address, port, etc.; also see [0062]-[0063] in view of Fig.6:610-614; network may be capable of resolving policy conflicts, such as enforcing more specific policies before less specific policies; the policy engine prioritizes enforcement based on granularity (or specificity),… and add the one or more policies to the one or more policies to the policy table; also see [0068]; one of the policies in conflict can have an increased level of specificity in comparison to the other policies. A policy with increased specificity can be associated with a smaller collection of endpoints, ports, protocols, etc. Thus, the policy with increased specificity can be applied instead of the conflicting other policies. In some example embodiments, policies are applied in a sequential order even if they are in conflict.

One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).
Sharma (modified by Gupta, Sabev and Heller) does not explicitly disclose performing a lookup on a group assignment table using the second set of qualifiers, to identify a set of groups; and deriving, from the second service device policy set, a second network device rule comprising the set of groups.
Jain discloses performing a lookup on a group assignment table using the second set of qualifiers, to identify a set of groups (see [0029] in view of Fig.4A:406; in response to identifying the policy being triggered, the system determines the traffic parameters of the flow at the next or previous hop (operation 406). Note that, if the traffic flow direction is going into the network, the edge node determines the traffic parameters of the flow at the next hop node by performing a reverse route lookup; also see [0011]; when a traffic flow that traverses one or more network address translation (NAT) layers is initiated, a reverse NAT lookup and/or routing lookup is performed, and the edge policy is pushed up to the PEP node that is closest to the origination or destination of the traffic flow; also see [0018] and [0026]; a reverse source route lookup is performed by edge device 302 to determine the source route of the flow. In some embodiments, the reverse source route lookup may involve a reverse NAT lookup, such as lookup of a NAT rule in the NAT translation table; examiner articulates that the source and/or destination IP address extracted from the current traffic flow policy corresponds to a second set of qualifiers identified; examiner also articulates that performing a reverse NAT lookup in the NAT translation table (and/or routing lookup) to determine the next or previous hop (source route of the flow) that is closest to the origination or destination of the traffic flow implies performing a lookup on a group assignment table using the second set of qualifiers to identify a set of groups); and
deriving, from the second service device policy set, a second network device rule comprising the set of groups (see [0029] in view of Fig.4A:408; Based on the determined traffic parameters, the edge node translates the policy statement; also see [0026]; Using the same NAT rule, edge device 302 can translate the policy statement. The translated policy statement is now relevant to the source address of the flow at IN 304; examiner articulates that translating the policy statement to generate a translated policy statement corresponds to deriving a second network device rule from the second service device policy).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Jain with Sharma, Gupta, Sabev and Heller to perform a lookup on a group assignment table using the second set of qualifiers, to identify a set of groups; and to derive, from the second service device policy set, a second network device rule comprising the set of groups.
One of ordinary skill in the art would have been motivated to significantly improve throughput at edge device by enforcing policy at a point closest to the traffic originating point (Jain: [0026] last 7 lines).

Regarding claim 12, Sharma (modified by Gupta, Sabev, Heller and Jain) discloses the method of claim 11, as set forth above. In addition, Gupta further discloses wherein the second set of qualifiers (see Fig.3:304 and 308) comprises an intercept source qualifier (ISQ) (see Fig.3:304) reflecting a LISTED state (see Fig.3:304 at rows 301a-d that list the source address/ ID) and an intercept destination qualifier (IDQ) (see Fig.3:308) reflecting an ANY state (see Fig.3:308 at row 301f), wherein the set of groups comprises at least one source group (see Fig.3:304; also see [0050]; Each policy 301 can specify packet attributes 302 such as source 304, destination 308, and action 316 to be applied to a packet when the packet matches each of packet attributes 302; in some example embodiments one or both of source and destination are not specified).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma, Sabev, Heller and Jain so that the second set of qualifiers comprises an intercept source qualifier (ISQ) reflecting a LISTED state 
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Regarding claim 13, Sharma (modified by Gupta, Sabev, Heller and Jain) discloses the method of claim 11, as set forth above. In addition, Gupta further discloses wherein the second set of qualifiers (see Fig.3:304 and 308) comprises an intercept source qualifier (ISQ) (see Fig.3:304) reflecting an ANY state (see Fig.3:304 at rows 301e-f) and an intercept destination qualifier (IDQ) (see Fig.3:308) reflecting a LISTED state (see Fig.3:308 at rows 301a-e that list the destination address/ ID), wherein the set of groups comprises at least one destination group (see Fig.3:308; also see [0050]; Each policy 301 can specify packet attributes 302 such as source 304, destination 308, and action 316 to be applied to a packet when the packet matches each of packet attributes 302; in some example embodiments one or both of source and destination are not specified).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma, Sabev, Heller and Jain so that the second set of qualifiers comprises an intercept source qualifier (ISQ) reflecting an ANY state and an intercept destination qualifier (IDQ) reflecting a LISTED state, wherein the set of groups comprises at least one destination group.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Regarding claim 14, Sharma (modified by Gupta, Sabev, Heller and Jain) discloses the method of claim 11, as set forth above. In addition, Gupta further discloses wherein the second set of qualifiers (see comprises an intercept source qualifier (ISQ) (see Fig.3:304) reflecting a LISTED state (see Fig.3:304 at rows 301a-d that list the source address/ ID) and an intercept destination qualifier (IDQ) (see Fig.3:308) reflecting the LISTED state (see Fig.3:308 at rows 301a-e that list the destination address/ ID), wherein the set of groups comprises at least one source group and at least one destination group (see Fig.3:304; also see [0050]; Each policy 301 can specify packet attributes 302 such as source 304, destination 308, and action 316 to be applied to a packet when the packet matches each of packet attributes 302; In some example embodiments, the source and destination are of different types (e.g., source is a MAC address while destination is an endpoint group) while in some example embodiments one or both of source and destination are not specified).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Gupta with Sharma, Sabev, Heller and Jain so that the second set of qualifiers comprises an intercept source qualifier (ISQ) reflecting a LISTED state and an intercept destination qualifier (IDQ) reflecting the LISTED state, wherein the set of groups comprises at least one source group and at least one destination group.
One of ordinary skill in the art would have been motivated so that conditional policies can be dynamically enforced by the components depending on a network control scheme implemented by a network (Gupta: [0030]).

Regarding claim 15, Sharma (modified by Gupta, Sabev, Heller and Jain) discloses the method of claim 11, as set forth above. In addition, Jain further discloses wherein the second network device rule is directed to a redirect network device rule subclass (see [0016]; distributed Policy Enforcement Point (PEP) offloads the processing of the edge policies to multiple PEP nodes within the tenant network. In some embodiments, the edge policy is enforced at a PEP node that is closest to the traffic destination/origination point within the tenant network. Given the dynamic nature of traffic and the various network elements (such as load balancers or switches that perform NAT) that may alter the traffic parameters (such as source/destination address and port), expressions of the edge policy (such as firewall rules, which are often implemented using IP-address/port based traffic filters) also need to be dynamically adjusted).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Jain with Sharma, Gupta, Sabev and Heller so that the second network device rule is directed to a redirect network device rule subclass.
One of ordinary skill in the art would have been motivated to significantly improve throughput at edge device by enforcing policy at a point closest to the traffic originating point (Jain: [0026] last 7 lines).

Regarding claim 16, Sharma (modified by Gupta, Sabev, Heller and Jain) discloses the method of claim 11, as set forth above. In addition, Jain further discloses: 
making a determination that the deployment of the policies in the second service device policy set had succeeded (see [0030] in view of Fig.4B:420-422; the intermediate node receives a policy statement associated with a flow, and determines whether to apply the policy locally; examiner articulates that determining whether to apply the received policy locally encompasses determining that the deployed/ offloaded network policy set was successful received, i.e. the deployment of policy had succeeded); 
deriving, from the second service device policy set and based on the determination (see [0030] in view of Fig.4B:420-422), a third network device rule comprising the set of groups and the second traffic flow action (see [0030] in view of 426-428; the intermediate node determines traffic parameters of the flow at the next or previous hop (operation 426), translates the received policy statement based on the determined traffic parameters (operation 428), and forwards the translated policy statement to the next/previous hop; also see [0027]; translation of a triggered policy reflect any possible changes in traffic parameters, such as modified destination address of the flow; also see [0018]; policy checking mechanism determines whether the incoming/outgoing traffic flow triggers a policy. For example, a firewall rule stored in policy database 206 may state that any incoming (going into the tenant network) traffic flow with a destination IP address of 192.168.0.x should be dropped, or any incoming traffic flow with a destination IP address of 192.168.0.y should be allowed. In another example, a firewall rule may state that any outgoing traffic that has a source IP address of 10.10.1.x should be allowed. As a result, if a received initial packet of the traffic flow has a destination address of 192.168.0.x, 192.168.0.y, or 10.10.1.x, security-policy checking mechanism 204 will determine that a security rule has been triggered and identify the corresponding firewall rule; examiner articulates that firewall rule for dropping or allowing traffic flow based on destination IP address of 192.168.0.x imply third network device rule comprising the set of groups and the second traffic flow action).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Jain with Sharma, Gupta, Sabev and Heller to make a determination that the deployment of the policies in the second service device policy set had succeeded and based on the determination, deriving a third network device rule comprising the set of groups and the second traffic flow action.
One of ordinary skill in the art would have been motivated to significantly improve throughput at edge device by enforcing policy at a point closest to the traffic originating point (Jain: [0026] last 7 lines).

Regarding claim 18, Sharma (modified by Gupta, Sabev, Heller and Jain) discloses the method of claim 16, as set forth above. In addition, Jain further discloses wherein the third network device rule is directed to a fail- close network device rule subclass (see [0018]; policy checking mechanism determines whether the incoming/outgoing traffic flow triggers a policy. For example, a firewall rule stored in policy database 206 may state that any incoming (going into the tenant network) traffic flow with a destination IP address of 192.168.0.x should be dropped; also see [0021]; translated policy statement now states that traffic flow with a destination IP address of 10.10.1.x should be dropped. Policy-forwarding mechanism 212 then forwards the translated policy statement to the next hop, thus allowing the next hop node to enforce the policy using the translated policy statement; examiner articulates that a network device rule directed to the dropping (or discarding) of intercept network traffic flows corresponds to fail- close network device rule subclass).

One of ordinary skill in the art would have been motivated to enhance the effectiveness of a firewall (denied traffic flow will be dropped immediately after its initiation) and ultimately increase traffic throughput (Jain: [0022] last 4 lines).

Claim(s) 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Sharma et al. (hereinafter, Sharma, US 20180337849 A1) in view of Gupta et al. (hereinafter, Gupta, US 20160359913 A1) in view of Sabev et al (US 20150229526 A1) in view of Heller (US 20110055483 A1) in view of Jain et al. (hereinafter, Jain, US 20140376367 A1) and in view of Ashley et al. (hereinafter, Ashley, US 20170155681 A1).
Regarding claim 17, Sharma (modified by Gupta, Sabev, Heller and Jain) discloses the method of claim 11, as set forth above. Sharma (modified by Gupta, Sabev, Heller and Jain) does not disclose prior to examining the second service device policy set: obtaining a service device unreachability semantic; and prior to the deployment of the policies in the second service device policy set: making a determination that the service device unreachability semantic is a fail-close unreachability semantic; deriving, from the second service device policy set and based on the determination, a third network device rule comprising the set of groups.
Ashley discloses prior to examining the second service device policy set (see [0040] in view of Fig.11:1110; operation returns to step 1110 to await further communication from the network flow controller… policy enforcement point awaiting a policy deployment command which is provided by the network flow controller; examiner articulates that returning to step 1110 to wait for new policy deployment command from the network flow controller implies that the network flow controller hasn’t examined and provided new policy deployment command): 
obtaining a service device unreachability semantic (see [0040] in view of Fig.11:1140; enforcement point notifies the network flow controller about the failure of policy loading; also see [0038-[0039] in view of Fig.10:1030-1050; if the network flow controller determines that a timeout occurs and/or an enforcement point fails to load the appropriate policies, the then operation proceeds to step 1050; also see [0019]; the network flow controller has knowledge of any networks associated with the controller, has knowledge of any endpoints operationally coupled to the networks and has knowledge of the policy that is appropriate to each endpoint, … when a policy is no longer needed when an endpoint is moved or removed/ destroyed; examiner articulates that the network flow controller knowing when an endpoint has been moved or removed/ destroyed, such as via timeout notifications, corresponds to the network flow controller obtaining a service device unreachability semantic); and 
prior to the deployment of the policies in the second service device policy set (see [0040] in view of Fig.11:1110; operation returns to step 1110 to await further communication from the network flow controller… policy enforcement point awaiting a policy deployment command which is provided by the network flow controller; examiner articulates that returning to step 1110 to wait for new policy deployment command from the network flow controller implies that the network flow controller hasn’t made policy deployment): 
making a determination that the service device unreachability semantic is a fail-close unreachability semantic (see [0040] in view of Fig.11:1140; enforcement point notifies the network flow controller about the failure of policy loading; also see [0038-[0039] in view of Fig.10:1030-1050; if the network flow controller determines that a timeout occurs and/or an enforcement point fails to load the appropriate policies, the then operation proceeds to step 1050; also see [0019]; the network flow controller has knowledge of any networks associated with the controller, has knowledge of any endpoints operationally coupled to the networks and has knowledge of the policy that is appropriate to each endpoint, … when a policy is no longer needed when an endpoint is moved or removed/ destroyed; examiner articulates that the network ; 
deriving, from the second service device policy set and based on the determination, a third network device rule comprising the set of groups (see [0038]-[0039] in view of 1040-1050; if the network flow controller determines that a timeout occurs and/or an enforcement point fails to load the appropriate policies, the then operation proceeds to step 1050… At step 1050, the network flow controller performs one of a plurality of operations based upon the policy. More specifically, the network flow controller can resend the notification to the affected endpoints. The network flow controller can also remove the new network flow from the policy enforcement operation. The network flow controller can also direct the new network flow to a future hop (i.e., to a next processor in a series of processors); also see claim 3; responsive to detecting a time out, performing an action selected from a group consisting of resending a notification, dropping a new flow, and rerouting the network flow; also see [0019]; the network flow controller notifies enforcement points of the policy that is appropriate for any newly added endpoint or environment, directs traffic to the enforcement points after validating that an appropriate policy has been loaded and notifies enforcement points when a policy is no longer needed when an endpoint is moved or removed/ destroyed; examiner articulates that the new command to notify enforcement points when a policy is no longer needed when an endpoint is moved or removed/ destroyed (command to remove the network flow from the policy enforcement operation) corresponds to a third network device rule regarding the endpoint derived from the policy that is no longer needed).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the teachings of Ashley with Sharma, Gupta, Sabev, Heller and Jain to obtain a service device unreachability semantic prior to examining the second service device policy; and prior to the deployment of the policies in the second service device policy set: making a 
One of ordinary skill in the art would have been motivated to facilitate resending the notification to the affected endpoints so that the network flow controller can direct the new flow to the next hop if the network flow controller receives an acknowledgement from the enforcement points, or drop/ remove the new network flow from the policy enforcement operation (Ashley: [0038]-[0039]).

Additional References
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Anantharam et al. (US 9667571 B2) discloses local, global and network level policy are applied sequentially.
Vinokurov et al. (US 20080196088 A1) teaches the user security policy is enforced first and the device security policy is enforced last.
Noy et al. (US 20030051049 A1) discloses rollback instruction that includes the device components instructing their associated network devices to revert to their previous state upon receiving the rollback instruction.
Purkayastha et al. (US 8335171 B1) teaches a rollback-on-error operation where if an error condition occurs during an editing of configuration data on the network device, the configuration data may be restored to a state that existed prior to the editing.


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SANDARVA KHANAL whose telephone number is (571)272-8107.  The examiner can normally be reached on MON-FRI, 0800-1700.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamal B Divecha can be reached on 571-272-5863.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 






/SANDARVA KHANAL/Examiner, Art Unit 2453                                                                                                                                                                                                        

/KAMAL B DIVECHA/Supervisory Patent Examiner, Art Unit 2453