DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a reply to the application filed on 12/18/2018, in which, claim(s) 1-20 are pending. Claim(s) 1, 9 and 15 are independent.

Response to Election
Applicant’s election without traverse of claims 1-8 with new claims 21-32 including similar features to claims 1-8 in the reply filed on 09/23/2021 is acknowledged. Claims 1-8 and 21-32 will be examined on the merits in this Non-Final Office Action.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 08/04/2020, has been reviewed. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the examiner is considering the information disclosure statement.

Drawings
The drawings filed on 12/18/2018 are accepted by the examiner.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claims 1-6, 8, 21-26 and 28-32 are rejected under 35 U.S.C. 103 as being unpatentable over Wesinger et al. (US 2007/0101421 A1) in view of Turley et al. (US 7,610,621 B2) further in view of Korsunsky et al. (US 2011/0219035 A1).
Regarding Claims 1, 21, and 29, Wesinger discloses
A method for processing an input packet in accordance with firewall rules of a first firewall that enforces a segmentation policy and that co-exists with a system firewall ([0039], “Precautions are required to safeguard sensitive accounting data such that it cannot be accessed over the general corporate network. A first firewall (105, 155) is used for this purpose. The first firewall is interposed between the accounting network and the general corporate network”, therefore enforces a segmentation policy and that co-exists with a system firewall, i.e. “a second firewall (107, 157)” in [0040], [0073], “Rules checking is performed on a first data packet to be sent”), the method comprising: 
receiving a first input packet ([0073], “a first data packet to be sent”); 
applying first firewall rules ([0073], “Rules checking is performed on a first data packet to be sent from the first computer to the second computer. If the result of this rules checking is to allow the first packet to be sent, a time-out limit associated with communications between the first computer and the second computer” with figure 1 element 105 for the first firewall used for segmenting the accounting data element 103);
passing control of the first input packet to the system firewall to enable the system firewall to determine whether to drop or accept the first input packet (with figure 1 element 105 for the first firewall used for segmenting the accounting data element 103 and pass control to second firewall 107, [0053], “a primary function of a firewall is to selectively allow and disallow communications. Hence, in the course of establishing a connection, each virtual host examines a configuration table to determine, based on the particulars of the requested connection-Source, destination, protocol, time-of-day, port number, etc.-whether such a connection will be allowed or disallowed”).  
Wesinger does not explicitly teach but Turley teaches 
a rule chain of the first firewall to determine if the input packet meets respective criteria of each of the first firewall rules; responsive to the input packet meeting criteria specified in one of the first firewall rules, executing a command to exit the rule chain without dropping or accepting the input packet (Claim 1, “a firewall comprising… one or more rule chains for conditioning the data packets (i.e. determine if the input packet meets respective criteria then exit the rule chain) without accepting or dropping the data packets”); 
Wesinger and Turley are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to apply firewall rules (as taught by Wesinger) with a rule chain without dropping or accepting the input packet (as taught by Turley) and pass input packet to another firewall (as taught by Wesinger). The motivation/suggestion would have been to have network firewalls that can dynamically adapt to changing conditions and operator requirements (Turley, Col 1 lines 23-26).
The combined teaching of Wesinger and Turley does not explicitly teach but Korsunsky teaches
the first firewall is a segmentation firewall ([0505], “A security policy for each segment may be separately defined and employed by the flow processing facility 102”, [0509], “a flow processing facility 102 with firewall functionality”);
Wesinger, Turley and Korsunsky are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Korsunsky with the combined teaching of Wesinger and Turley. The motivation/suggestion would have been to use a flow processing facility that processes 

Regarding Claims 2, 22, and 30, the combined teaching of Wesinger, Turley and Korsunsky teaches
determining, by the system firewall, whether to drop or accept the first input packet based on security firewall rules associated with the system firewall (Wesinger, [0053], “a primary function of a firewall is to selectively allow and disallow communications. Hence, in the course of establishing a connection, each virtual host examines a configuration table to determine, based on the particulars of the requested connection-source, destination, protocol, time-of-day, port number, etc.-whether such a connection will be allowed or disallowed”);
dropping the first input packet responsive to the system firewall determining to drop the first input packet (Wesinger, [0053], “selectively allow and disallow”, [0073], “Rules checking is performed on a first data packet”); and
passing the first input packet to a workload or to a network responsive to the system firewall determining to accept the first input packet (Wesinger, [0053], “selectively allow and disallow”, [0069], “the DNS module of the machine that is least busy will be the first to respond to a query. An ensuing connection request is then mapped to a virtual host on the responding least-busy machine” (i.e. passing based on workload to the least busy machine)).

Regarding Claims 3, 23, and 31, the combined teaching of Wesinger, Turley and Korsunsky teaches
wherein the first input packet is received with the segmentation firewall being configured in a co-existence mode (Wesinger, [0039], “Precautions are required to safeguard sensitive accounting data such that it cannot be accessed over the general corporate network. A first firewall (105, 155) is used for this purpose. The first firewall is interposed between the accounting network and the general corporate network”, that enforces a segmentation policy and that co-exists with a system firewall, i.e. “a second firewall (107, 157)” in [0040], [0073], “Rules checking is performed on a first data packet to be sent”, Korsunsky, [0505], [0509]), the method further comprising: 
switching operation of the segmentation firewall to an exclusive mode; receiving a second input packet with the segmentation firewall operating in the exclusive mode (Wesinger, [0009], “All communications, e.g., data packets, which flow between the networks in either direction, must pass through the firewall”, [0039], “A first firewall (105, 155) is used for this purpose. The first firewall is interposed between the accounting network and the general corporate network” exclusively, Korsunsky, [0505], “A security policy for each segment may be separately defined and employed by the flow processing facility 102”, [0509], “a flow processing facility 102 with firewall functionality”); 
applying the segmentation firewall rules of the segmentation firewall to determine whether to drop or accept the second input packet; and dropping or accepting the second input packet dependent on application of the segmentation firewall rules (Wesinger, [0053], “to selectively allow and disallow communications”, Korsunsky, [0505], “A security policy for each segment may be separately defined and employed by the flow processing facility 102”, [0509], “a flow processing facility 102 with firewall functionality”).  

Regarding Claims 4, 24, and 32, the combined teaching of Wesinger, Turley and Korsunsky teaches
executing a first jump command of an input module to jump to a chain selection module of the segmentation firewall; selecting, by the chain selection module, a first rule chain of the segmentation firewall (Turley, Col 6 Line 49-52, “jumps to other (first) rule chains represent the antecedent portion of the rule”, Korsunsky, [0505], [0509]); 
executing, in the chain selection module, a goto command to go to the first rule chain of the segmentation firewall; executing first firewall rules in the first rule chain (Turley, Col 7 Line 1-8, “The arriving (:A) sub-tree (represented at 202) prepares packets to enter the matrix….Since the purpose of this sub-tree is packet "conditioning" (as executing), its rules only change network packets, and do not drop or accept them”, Korsunsky, [0505], [0509]); 
responsive to completing execution of the first firewall rules without dropping the first input packet, executing a first return command to return to a first memory location of an instruction of the input module following the first jump command (Turley, Col 7 Line 1-8, “The arriving (:A) sub-tree (represented at 202) prepares packets to enter the matrix….Since the purpose of this sub-tree is packet "conditioning", its rules only change network packets, and do not drop or accept them”, Col 6 Line 49-52, “exits from a rule chain”).

Regarding Claims 5, and 25, the combined teaching of Wesinger, Turley and Korsunsky teaches
executing a second jump command to a second rule chain of the segmentation firewall (Turley, Col 6 Line 49-52, “jumps to other (second) rule chains represent the antecedent portion of the rule”, Korsunsky, [0505], [0509]); 
executing second firewall rules in the second rule chain (Turley, Col 7 Line 1-8, “The arriving (:A) sub-tree (represented at 202) prepares packets to enter the matrix….Since the purpose of this sub-tree is packet "conditioning" (as executing), its rules only change network packets, and do not drop or accept them”); and 
responsive to completing execution of the second firewall rules without dropping the first input packet, executing a second return command to return to a second memory location of an instruction of the input module following the second jump command (Turley, Col 7 Line 1-8, “The arriving (:A) sub-tree (represented at 202) prepares packets to enter the matrix….Since the purpose of this sub-tree is packet "conditioning", its rules only change network packets, and do not drop or accept them”, Col 6 Line 49-52, “exits from a (second) rule chain”).

Regarding Claims 6, and 26, the combined teaching of Wesinger, Turley and Korsunsky teaches passing, by the input module, the first input packet to the system firewall following the second return command (Wesinger, with figure 1 

Regarding Claims 8, and 28, the combined teaching of Wesinger, Turley and Korsunsky teaches
switching operation of the segmentation firewall to a monitoring mode; receiving a second input packet with the segmentation firewall operating in the monitoring mode (Wesinger, [0009], “monitors and controls the flow of data”, Korsunsky, [0505], [0509]); 
applying the segmentation firewall rules of the segmentation firewall and logging results of the application of the segmentation firewall rules without dropping or accepting the second input packet; and storing a log of the results (Wesinger, [0084], “If access is granted and a connection is opened, when the connection is later closed, a log entry is made recording information about that access. Log entries may also be made when a connection is opened”, Turley, claim 1, “without accepting or dropping the data packets”, Korsunsky, [0505], [0509]).

Claims 7, and 27 are rejected under 35 U.S.C. 103 as being unpatentable over Wesinger et al. (US 2007/0101421 A1) in view of Turley et al. (US 7,610,621 B2) further in view of Korsunsky et al. (US 2011/0219035 A1) and further in view of Elhaddad et al. (US 2018/0191471 A1).
Regarding Claims 7, and 27, the combined teaching of Wesinger, Turley and Korsunsky does not explicitly teach but Elhaddad teaches wherein selecting the first rule chain of the segmentation firewall comprises: 
determining a packet type of the first input packet; and selecting the first rule chain from a set of selectable rule chains based on the packet type ([0039], “if the underlay network element 206 is a firewall, then the one or more processing modules 224 can apply various rules or criteria (e.g., based on the network address specified in the data packet, the port number (e.g., the IP port number) specified in the data packet, the data packet type, etc.)”).  
Wesinger, Turley, Korsunsky and Elhaddad are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Elhaddad with the combined teaching of Wesinger, Turley and Korsunsky. The motivation/suggestion would have been to perform active flow diagnostics for cloud-hosted networks (Elhaddad, title).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497