DETAILED ACTION
Notice of Pre-AIA or AIA Status
1.	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
2.	The information disclosure statement (IDS) submitted on 01/17/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 102
3.	In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

4.	Claims 1, 5-7, 11, 12, 15-17 and 19 are rejected under 35 U.S.C. 102 (a)(2) as being anticipated by Horibuchi (US 2011/0078326 hereinafter referred to as Horibuchi).

Regarding claim 1,
Horibuchi teaches:
“A method comprising: at a network security device having at least one Fully Qualified Domain Name (FQDN) access policy that permits traffic to flow to at least one resource associated with at least one FQDN:” (Horibuchi [0044] Fig. 3, [0074], a gateway including a host table and a transfer table with global addresses to be used for IP packet transfer between web client and web server. The global address corresponds with an FQDN and a global port in the host table. The global addresses also correspond with a plurality of FQDNs).
“receiving, from a managed endpoint device, a packet directed to the at least one resource associated with the at least one FQDN, wherein the packet includes a network address of the at least one resource and an identifier of the managed endpoint device” (Horibuchi [0076] [0077] [0080] [0068] [0053], receiving a TCP packet with global address information and global port information from the client. The global address is the destination address. The packet is transmitted to and received by the web server. The web server is associated with an FQDN. The packet received from the client located in the IP network is an IP packet). Examiner’s note: a TCP packet has source identification information such as the source port, and an IP packet has the IP address of the source, as is a known standard in the industry. Inherently, the packet received from the client has source identification or a source IP address.
“obtaining Domain Name System (DNS) information associated with the managed endpoint device; based on the DNS information associated with the managed endpoint device” (Horibuchi [0078][0053], obtaining from the transfer table a global address, global port and local port information associated with the global address and global port received from the client in the packet. Further, obtaining the global address and global port from the DNS server).
“substituting the network address of the at least one resource into the at least one FQDN access policy to open a traffic flow to the at least one resource associated with the at least one FQDN” (Horibuchi [0079] [0080] [0068], translating the global address, i.e., the destination of the packet, into a local port to facilitate transferring the packet to the destination. The web server is the destination of the packet. The web server has an FQDN).
“and providing the packet to the at least one resource associated with the at least one FQDN” (Horibuchi [0080] [0068], the packet received by the web server is the destination of the packet. The web server has FQDN).

Regarding claim 12,
Horibuchi teaches:
“An apparatus comprising: a communication interface; a memory configured to store executable instructions for at least one Fully Qualified Domain Name (FQDN) access policy that permits traffic to flow to at least one resource associated with the at least one FQDN; and a processor coupled to the communication interface and the memory and configured to perform operations including” (Horibuchi Fig. 1, [0020][0044] Fig. 3, [0074], a gateway device with a plurality of interfaces to communicate with web client and web server. In addition, the gateway is a communication device that performs computer functions, which requires program instructions and a processor for executing the instructions. A gateway including a host table and a transfer table with global addresses to be used for IP packet transfer between web client and web server. The global address corresponds with an FQDN and a global port in the host table. The global addresses also correspond with a plurality of FQDNs).
“receiving, from a managed endpoint device, a packet directed to the at least one resource associated with the at least one FQDN, wherein the packet includes a network address of the at least one resource and an identifier of the managed endpoint device” (Horibuchi [0076] [0077] [0080] [0068] [0053], receiving a TCP packet with global address information and global port information from the client. The global address is the destination address. The packet is transmitted to and received by the web server. The web server is associated with an FQDN. The packet received from the client located in the IP network is an IP packet). Examiner’s note: a TCP packet has source identification information such as the source port, and an IP packet has the IP address of the source, as is a known standard in the industry. Inherently, the packet received from the client has source identification or an IP address.
“obtaining Domain Name System (DNS) information associated with the managed endpoint device; based on the DNS information associated with the managed endpoint device” (Horibuchi [0078][0053], obtaining from the transfer table a global address, global port and a local port information associated with the  global address and global port received from the client in the packet. Further, obtaining the global address and global port from DNS server).
“substituting the network address of the at least one resource into the at least one FQDN access policy to open a traffic flow to the at least one resource associated with the at least one FQDN” (Horibuchi [0079] [0080] [0068], translating the global address, i.e., the destination of the packet into local port to facilitate for transferring the packet to the destination. The web server is the destination of the packet. The web server has FQDN).
“and providing the packet to the at least one resource associated with the at least one FQDN” (Horibuchi [0080] [0068], the packet received by the web server is the destination of the packet. The web server has FQDN).

Regarding claim 19,
Horibuchi teaches:
“One or more non-transitory computer readable storage media encoded with instructions that, when executed by a processor, cause the processor to perform operations including” (Horibuchi [0020], a gateway device with a plurality of interfaces to communicate with web client and web server. In addition, the gateway device is a communication device that performs computer functions, which requires stored program instructions and a processor for executing the instructions).
“receiving, from a managed endpoint device, a packet directed to the at least one resource associated with the at least one FQDN, wherein at least one Fully Qualified Domain Name (FQDN) access policy that permits traffic to flow to at least one resource associated with at least one FQDN: wherein the packet includes a network address of the at least one resource and an identifier of the managed endpoint device” (Horibuchi [0076][0077][0080][0068][0053] [0044] Fig. 3, [0074], receiving a TCP packet with global address information and global port information from the client. The global address is the destination address. The packet is transmitted to and received by the web server. The web server is associated with an FQDN. The packet received from the client located in the IP network is an IP packet). Examiner’s note: a TCP packet has source identification information such as the source port, and an IP packet has the IP address of the source, as is a known standard in the industry. Inherently, the packet received from the client has source identification or an IP address. A gateway including a host table and a transfer table with global addresses to be used for IP packet transfer between web client and web server. The global address corresponds with an FQDN and a global port in the host table. The global addresses also correspond with a plurality of FQDNs).
“obtaining Domain Name System (DNS) information associated with the managed endpoint device; based on the DNS information associated with the managed endpoint device” (Horibuchi [0078][0053], obtaining from the transfer table, a global address, global port and a local port information associated with the  global address and global port received from the client in the packet. Further, obtaining the global address and global port from DNS server).
“substituting the network address of the at least one resource into the at least one FQDN access policy to open a traffic flow to the at least one resource associated with the at least one FQDN” (Horibuchi [0079] [0080] [0068], translating the global address, i.e., the destination of the packet into local port to facilitate for transferring the packet to the destination. The web server is the destination of the packet. The web server has FQDN).
“and providing the packet to the at least one resource associated with the at least one FQDN” (Horibuchi [0080] [0068], the packet received by the web server is the destination of the packet. The web server has FQDN).

Regarding claims 5 and 15, Horibuchi teaches all the limitations of claims 1 and 12.
Horibuchi teaches:
“wherein obtaining the DNS information associated with the managed endpoint device includes: sending a DNS information query directly to the managed endpoint device” (Horibuchi [0075] [0074], providing a packet with the global address to the client. The packet includes the global address, global port corresponding to the plurality of FQDNs, and ports set for the plurality of FQDNs). 

Regarding claims 6 and 16, Horibuchi teaches all the limitations of claims 1 and 12.
Horibuchi teaches:
“further comprising: searching a local FQDN cache of the network security device for a mapping of the network address of the at least one resource to the at least one FQDN access policy” (Horibuchi [0073] [0044] [0068] Fig. 3, searching a host table for the global address and global port information in the mapping information. The gateway device comprises the host table with mapping information for a plurality of FQDNs and their corresponding global port and global address, which is required for obtaining the destination local port and local address to transfer the packet. Each web server has an FQDN).
“determining that the network address of the at least one resource is not currently mapped to the at least one FQDN access policy; and obtaining the DNS information associated with the managed endpoint device directly from the managed endpoint device or indirectly via an endpoint service in response to determining that the network address of the at least one resource is not currently mapped to the at least one FQDN access policy” (Horibuchi [0073][0072][0053], if there is no mapping for the global address (i.e., the destination) in the host table, creating a mapping for the received FQDN and setting the global address value and global port value. The FQDN is received directly from the client. Furthermore, obtaining the global address and global port from the DNS server).


Regarding claims 7 and 17, Horibuchi teaches all the limitations of claims 1 and 12.
Horibuchi teaches:
“wherein the DNS information associated with the managed endpoint device includes one or more mappings of network addresses to FQDNs, and wherein the method further comprises: storing the one or more mappings of network addresses to the FQDNs in a local FQDN cache of the network security device” (Horibuchi Fig. 3, [0044] [0053], mapping FQDNs with their corresponding global address and global port. The mapping is located in the gateway device’s host table and transfer table. Further, obtaining the global address and global port from DNS server).

Regarding claim 11, Horibuchi teaches all the limitations of claim 1.
Horibuchi teaches:
“wherein the identifier of the managed endpoint device is an Internet Protocol (IP) address of the managed endpoint device and wherein the at least one resource associated with the at least one FQDN includes a first local resource and a second external resource” (Horibuchi [0053] [0080] [0081], the packet received from the client located in the IP network is an IP packet. Examiner’s note: a TCP packet has source identification information such as the source port, and an IP packet has the IP address of the source, as is a known standard in the industry. Inherently, the packet received from the client has a source IP address. The web server has a local port and a source IP address).

Claim Rejections - 35 USC § 103
5.	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
6.	Claims 2, 3, 13, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Horibuchi (US 2011/0078326 hereinafter referred to as Horibuchi) in view of Li (US 2013/0179551 hereinafter referred to as Li). 

Regarding claims 2, 13 and 20, Horibuchi teaches all the limitations of claims 1, 12 and 19. 
Horibuchi does not teach:
“wherein obtaining the DNS information associated with the managed endpoint device includes: sending a resolution request to an endpoint service, wherein the resolution request is configured to cause the endpoint service to query the managed endpoint device for the DNS information associated with the managed endpoint device; and following a query by the endpoint service to the managed endpoint device, receiving the DNS information associated with the managed endpoint device from the endpoint service”
Li teaches:
“wherein obtaining the DNS information associated with the managed endpoint device includes: sending a resolution request to an endpoint service, wherein the resolution request is configured to cause the endpoint service to query the managed endpoint device for the DNS information associated with the managed endpoint device; and” (Li [0008], sending a DNS query from the client to the DNS server, and the DNS server returns a DNS referral message back to the client if the DNS server does not have the requested address in its entries).
“following a query by the endpoint service to the managed endpoint device, receiving the DNS information associated with the managed endpoint device from the endpoint service” (Li [0008], receiving a DNS referral message from the DNS server in order to obtain the address from a different DNS server).
Both Horibuchi and Li teach Domain Name System (DNS). Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify Horibuchi to include a DNS server that sends a DNS referral message to notify a requesting device to obtain the requested address from a different DNS server, as disclosed by Li; such inclusion avoids sending subsequent DNS requests outside of the local network and allows the address to be obtained directly from the local DNS server (Li [0047]).

Regarding claims 3 and 14, the combination of Horibuchi and Li teaches all the limitations of claims 2 and 13.
Horibuchi does not teach:
“wherein sending the resolution request includes: sending the resolution request to the endpoint service before receiving the packet from the managed endpoint device”
Li teaches:
“wherein sending the resolution request includes: sending the resolution request to the endpoint service before receiving the packet from the managed endpoint device” (Li [0008], the DNS query is submitted to the DNS server in order to obtain the address of a host, to establish communication between the client device located in a private network and hosts located in the internal network and external network for accessing services and resources provided by the hosts. The IP packets discussed in claim 1 have a destination IP address, and they are not DNS requests for obtaining a host name address. Thus, the DNS request is a prior step for obtaining the host name address).
Both Horibuchi and Li teach Domain Name System (DNS). Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify Horibuchi to include a feature for sending a DNS request to a DNS server to obtain the IP address of a host as discussed in Li; such inclusion is a known feature for establishing communication between a client and a host when the client does not know the IP address of the host, and would have been consistent with the rationale of using known techniques to improve similar methods or products in the same way to show a prima facie case of obviousness (MPEP 2143(I)(C)).

7.	Claims 8, 9, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Horibuchi (US 2011/0078326 hereinafter referred to as Horibuchi) in view of Shribman et al. (US 2012/0124239 hereinafter referred to as Shribman). 

Regarding claims 8 and 18,
Horibuchi does not teach:
“wherein obtaining the DNS information associated with the managed endpoint device includes: obtaining the one or more mappings that meet a predetermined criterion that includes at least one of a time-to-live value or a time stamp.”
Shribman teaches:
“wherein obtaining the DNS information associated with the managed endpoint device includes: obtaining the one or more mappings that meet a predetermined criterion that includes at least one of a time-to-live value or a time stamp” (Shribman [0082] [0068], obtaining a valid cache entry from the DNS cache based on time to live (TTL). The DNS cache stores valid cache entries for DNS resolution, which are mappings of domain names to corresponding IP addresses, as known in the industry).
Horibuchi and Shribman teach Domain Name System (DNS). Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify Horibuchi to include a feature for obtaining DNS resolution based on a time to live (TTL) value as disclosed by Shribman; such inclusion is useful to perform DNS resolution directly from the local DNS cache until the expiration of the TTL (Shribman [0100] [0101]).

Regarding claim 9, Horibuchi teaches all the limitations of claim 7.
Horibuchi does not teach:
“wherein obtaining the DNS information associated with the managed endpoint device includes: based on an expiration of a predetermined time interval, obtaining, directly from the managed endpoint device or indirectly via an endpoint service, the one or more mappings that meet a predetermined criterion and are stored in a local domain name cache of the managed endpoint device, the predetermined criterion includes at least one of a time-to-live value or a time stamp”
Shribman teaches:
“wherein obtaining the DNS information associated with the managed endpoint device includes: based on an expiration of a predetermined time interval, obtaining, directly from the managed endpoint device or indirectly via an endpoint service, the one or more mappings that meet a predetermined criterion and are stored in a local domain name cache of the managed endpoint device, the predetermined criterion includes at least one of a time-to-live value or a time stamp” (Shribman [0082][0099][0068] Fig. 3, obtaining a valid cache entry from the DNS cache based on the expiration of the time to live (TTL) stored in the DNS cache. The TTL value is a predetermined interval. The DNS cache stores valid cache entries for DNS resolution, which are mappings of domain names to corresponding IP addresses, as known in the industry. The DNS cache is located in the same communication device).
Horibuchi and Shribman teach Domain Name System (DNS). Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify Horibuchi to include a feature for obtaining DNS resolution based on a time to live (TTL) value as disclosed by Shribman; such inclusion is useful to perform DNS resolution directly from the local DNS cache until the expiration of the TTL (Shribman [0100] [0101]).

8.	Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Horibuchi (US 2011/0078326 hereinafter referred to as Horibuchi) in view of Ellard et al. (US 2015/0358285 hereinafter referred to as Ellard).

Regarding claim 10, Horibuchi teaches all the limitations of claim 7.
Horibuchi does not teach:
“obtaining, from a domain name cache of the at least one resource associated with the at least one FQDN, the identifier of the managed endpoint device, wherein the identifier of the managed endpoint device is an Internet Protocol (IP) address of the managed endpoint device”
Ellard teaches:
“obtaining, from a domain name cache of the at least one resource associated with the at least one FQDN, the identifier of the managed endpoint device, wherein the identifier of the managed endpoint device is an Internet Protocol (IP) address of the managed endpoint device” (Ellard [0031] [0029] [0039], receiving the destination address of the client device in a reply packet from a server (i.e., the example.com server). The destination address is the assigned IP address of the client device. Delivering the reply packet to the client device).
Horibuchi and Ellard teach Domain Name System (DNS). Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify Horibuchi to receive the destination IP address of the client device from a server as disclosed by Ellard, because the IP address is useful to deliver the packet to the client device, and would have been consistent with the rationale of using known techniques to improve similar methods or products in the same way to show a prima facie case of obviousness (MPEP 2143(I)(C)).

9.	Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Horibuchi (US 2011/0078326 hereinafter referred to as Horibuchi) in view of Li (US 2013/0179551 hereinafter referred to as Li), further in view of Ellard et al. (US 2015/0358285 hereinafter referred to as Ellard).

Regarding claim 4, Horibuchi and Li teach all the limitations of claim 2.
Horibuchi and Li do not teach:
“wherein sending the resolution request includes: based on receiving the packet directed to the at least one resource associated with the at least one FQDN, extracting from the packet the network address of the at least one resource associated with the at least one FQDN and the identifier of the managed endpoint device”
Ellard teaches:
“wherein sending the resolution request includes: based on receiving the packet directed to the at least one resource associated with the at least one FQDN, extracting from the packet the network address of the at least one resource associated with the at least one FQDN and the identifier of the managed endpoint device” (Ellard [0075][0024], obtaining the destination address and source address of the packet transmitted from a client device located within the protected network to a destination server located within the external network. The destination server is a website with a hostname (example.com) that provides resources to the client device).
“generating the resolution request to include the network address and the identifier of the managed endpoint device, and sending the resolution request to the endpoint service” (Ellard [0076] [0037] [0038], forcing the client device to perform a domain name lookup before attempting to communicate with the external network. The client device makes a DNS request to a DNS server in order to get the address of a website. The request is generated with a source address and a destination address).
Horibuchi, Li and Ellard teach Domain Name System (DNS). Therefore, it would have been obvious to one with ordinary skill in the art before the effective filing date of the claimed invention to modify Horibuchi and Li to include a feature to examine the source and destination addresses of a packet originating from the protected network; such inclusion is useful to protect against unauthorized communication by blocking network traffic for which DNS resolution was not first performed (Ellard [0032]).
Conclusion
10.	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure because the references teach a DNS system.
Lipidous et al. (US 2019/003687)
Saidumuhamed et al. (US 2019/0327205)
Fujita et al. (US 2004/0047349)
George (US 2013/0254423)
11.	Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESFU N MEKONEN whose telephone number is (571)270-0587.  The examiner can normally be reached on Monday - Friday, 8:00 AM to 4:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/T.N.M/Examiner, Art Unit 2454

/UMAR CHEEMA/Supervisory Patent Examiner, Art Unit 2454