DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination under 37 CFR 1.114
	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this Application after Final Rejection. Since this Application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 10/20/2021 has been entered.
	Claims 1, 3, 5-6, 11, 13, 15-16 and 20 are amended and claims 1-20 remain pending.

Response to Arguments
	Applicant’s arguments with respect to claims 1, 11 and 20, i.e., 35 U.S.C. 103 rejection of claims 1-3, 7, 9-13, 17 and 19-20, have been fully considered and are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1.	Claims 1-3, 7, 9-13, 17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Natarajan, US2014/0208426A1 in view of Dumitriu, US2014/0195666A1.

Per claim 1, Natarajan discloses a non-transitory computer-readable storage medium having computer readable code stored thereon for programming a processor, in a node of a cloud-based security system (The cloud system 500 may be configured to perform various functions such as spam filtering, uniform resource locator (URL) filtering, antivirus protection, bandwidth control, data loss prevention, zero day vulnerability protection, web 2.0 features, malware detection and blocking, and the like.  In an exemplary embodiment, the cloud system 500 and the distributed security system 100 may be viewed as Security-as-a-Service through the cloud – Natarajan: par. 0068 – Note: “[t]he user interface front-end 130 may provide a user interface through which users of the external systems may provide and define security policies, e.g., whether email traffic is to be monitored, whether certain web sites are to be precluded, etc.” – Natarajan: par. 0038), to perform steps of: 
Natarajan is not relied on to disclose but Dumitriu discloses receiving a plurality of packets, each of the plurality of packets being received from a respective network device each respective device being associated with one of a plurality of tenants associated with the cloud-based security system and being external to the node, the cloud-based security system enabling communication over a Wide Area Network (WAN) (an edge connector runs on a physical machine with at least one CPU that receives packets from an external network, such as the Internet, where the packets are addressed to an IP address associated with a tenant of the system – Dumitriu: par. 0103); 
selecting firewall policies for processing each respective packet of the plurality of packets based on a matching criteria, wherein the cloud-based security system supports the plurality of tenants and the firewall policies are selected based on which tenant is in the matching criteria for the respective packet and which of a plurality of firewall policies are associated with the tenant (When the edge connector receives a packet at step 410, it extracts a plurality of data at step 412, including but not limited to, source and destination addresses and source and destination ports.  After extracting the data, the edge connector looks up the plurality of data in a flow table (step 414) and determines if the flow has already been established (step 416)…If the flow already exists, the flow action list is applied to the packet and the packet is forwarded to the port of the flow configurable switch indicated by the flow action list in step 418 …Once the edge connector determines the VFE (Virtual Forwarding Element), the edge connector performs another lookup in step 420.  The lookup is performed by looking up the destination IP address in a series of virtual forwarding elements.  The virtual forwarding elements may comprise any combination of virtual routers and virtual switches including virtual routing tables to determine the appropriate path for the packet being forwarded – Dumitriu: par. 0103 and 0104 – Note: In one embodiment, each tenant may have a single virtual router configured to route all packets handled by that tenant.  In other embodiments, some tenants may have a plurality of virtual routers, virtual switches or other virtual forwarding elements defining the tenant's portion of the virtual network topology.  The decision engine also builds a series of actions to be performed on the packet from each virtual routing table.  Each routing step may also have pre-routing or post-routing processes that are added to the action list and incorporated into the flow rule to be applied to the packets matching the flow); 
generating firewall sessions, one for each packet matching a distinctive firewall policy, by allocating resources thereto (upon receiving the first packet of flow, the system invokes the decision engine to determine how the packet of that flow is to be handled.  The decision engine may then store the actions or rules for handling subsequent packets of that flow.  The stored actions or rules may stored in the shared database such that the rules are available to all nodes of the system for handling packets of a given flow … the decision engine's output includes a packet protocol header pattern than can be used to match other packets for which the decision engine's output would be the same as for the first packet.  In other words, the packet protocol header pattern may be used to identify packets which will be treated in an identical manner by applying the actions or rules determined for the first packet.  In embodiments, the output of the decision engine is the result of the simulation performed to determine how the packet is to be processed.  The packet protocol header pattern and the result of the simulation for the first packet are stored – Dumitriu: par. 0034-0035 – Note: A decision engine, may be invoked to determine how the packet will be handled… The decision engine may simulate how the packet will traverse the virtual network topology including each of a plurality of virtual network devices encountered by the packet.  In addition to simulating how a packet is passed from one device to the next through the virtual network, the decision engine may also simulate how each of the virtual devices affects the packet, such as by modifying the packet protocol headers.  Based on the simulation results, the system may process the packet applying each of the determined modifications or an aggregation of the modifications so that the packet maybe emitted from a network interface on one of the nodes of the network, where the specific network interface on which to emit the packet was determined during the simulation by the decision engine - the simulation results are equivalent to slow path firewall session allocating resources for a first packet of a state-full connection, i.e., session); and 
processing each of the plurality of packets utilizing one of the firewall sessions generated by directing packets to a respective firewall session based on the matching criteria to determine whether or not to block the respective packet from transmission over the WAN, the block is performed in the node in the cloud-based security system (During the process of identifying the destination address in the virtual routers, the flow may be unrouteable, black holed, or match a reject route, at which point the packet is dropped, or ICMP packets are returned.  In this embodiment, a flow may be created to drop all packets that match the flow's rule.  In this manner, the system may be configured to handle unrouteable packets or selectively screen undesired data according to rules established by the service provider or tenant – Dumitriu: par. 0103).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan in view of Dumitriu to include receiving a plurality of packets, each of the plurality of packets being received from a respective network device each respective device being associated with one of a plurality of tenants associated with the cloud-based security system and being external to the node, the cloud-based security system enabling communication over a Wide Area Network (WAN); selecting firewall policies for processing each respective packet of the plurality of packets based on a matching criteria, wherein the cloud-based security system supports the plurality of tenants and the firewall policies are selected based on which tenant is in the matching criteria for the respective packet and which of a plurality of firewall policies are associated with the tenant; generating firewall sessions, one for each packet matching a distinctive firewall policy, by allocating resources thereto; and processing each of the plurality of packets utilizing one of the firewall sessions generated by directing packets to a respective firewall session based on the matching criteria to determine whether or not to block the respective packet from transmission over the WAN, the block is performed in the node in the cloud-based security system.
One of ordinary skill in the art would have been motivated because it would allow to “simulate a route through the virtual network topology including any number of virtual network devices in order to determine how a given packet or flow is to be processed” – Dumitriu: par. 0048. It would further allow to include “a private network maintained by a service provider, where the service provider sells, leases, or otherwise provides network capabilities to a plurality of tenants” – Dumitriu: par. 0083.

Per claim 11, it recites a node in a cloud-based security system, comprising: 
a processor and memory storing instructions (Natarajan: cloud-based security system 700 as depicted in Fig. 7, i.e., server SME 710 in the cloud and server SMBA 720 and BA controller 722) that, when executed, cause the processor to perform the method steps as set forth in the non-transitory computer-readable storage medium of claim 1.
Therefore, claim 11 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 20, it recites a method implemented in a node of a cloud-based security system, the method comprising the method steps set forth in the non-transitory computer readable storage medium of claim 1.
Therefore, claim 20 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 2 and 12, Natarajan-Dumitriu discloses features of claims 1 and 11, wherein the firewall policies are further based on a location in the matching criteria (According to a service agreement between a provider of the system 100 and an owner of an external system, the system 100 may thus provide security protection to the external system at any location throughout the geographic region …in the cloud system 500, traffic from various locations (and various devices located therein) such as a regional office 510, headquarters 520, various employee's homes 530, mobile laptop 540, and mobile device 550 is redirected to the cloud system 500 through the cloud nodes 502.  That is, each of the locations 510, 520, 530, 540, 550 is communicatively coupled to the Internet 504 through the cloud nodes 502 – Natarajan: par. 0035 and 0068).

Per claims 3 and 13, Natarajan-Dumitriu discloses features of claims 1 and 11, wherein each respective network device is configured to route Internet-bound traffic to the cloud-based security system (the distributed security system 100 may generally refer to an exemplary cloud-based security system.  Cloud computing systems and methods abstract away physical servers, storage, networking, etc. and instead offer these as on-demand and elastic resources.  The National Institute of Standards and Technology (NIST) provides a concise and specific definition which states cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction – Natarajan: par. 0041).
Furthermore, Dumitriu also discloses wherein each respective network device is configured to route Internet-bound traffic to the cloud-based security system (The physical network may comprise plurality of edge nodes 920 configured to access an external network, such as the Internet 902.  The physical network may also include a plurality of host nodes 921 configured to host virtual machines.  The network 922 may interconnect the plurality of edge nodes 920 and the plurality of host nodes 921 and be adapted to transport data packets throughout the system…In one embodiment, the edge nodes 920 and host nodes 921 are general purpose servers configured to operate in a cloud computing system… The system may include a software component operating on each of the nodes and implementing the virtual network topology including the provider virtual router and each of the tenant virtual routers – Dumitriu: par. 0129).
The same motivation to modify Natarajan in view of Dumitriu applied to claim 1 above applies here.

Per claims 7 and 17, Natarajan-Dumitriu discloses features of claims 1 and 11, wherein the cloud- based security system is configured to operate the firewall policies in a cloud without firewall hardware deployed at local Internet breakouts (the distributed security system 100 may generally refer to an exemplary cloud-based security system.  Cloud computing systems and methods abstract away physical servers, storage, networking, etc. and instead offer these as on-demand and elastic resources.  The National Institute of Standards and Technology (NIST) provides a concise and specific definition which states cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.  Cloud computing differs from the classic client-server model by providing applications from a server that are executed and managed by a client's web browser, with no installed client version of an application required.  Centralization gives cloud service providers complete control over the versions of the browser-based applications provided to clients, which removes the need for version upgrades or license management on individual client computing devices – Natarajan: par. 0041).

Per claim 9, Natarajan-Dumitriu discloses the non-transitory computer-readable storage medium of claim 1, wherein the steps further include logging every firewall session for multiple users, multiple user devices, multiple locations, multiple applications, multiple ports, and multiple protocols (Other application layer functions may also be provided in a data logging layer 170, such as a user interface (UI) front-end 130.  The user interface front-end 130 may provide a user interface through which users of the external systems may provide and define security policies, e.g., whether email traffic is to be monitored, whether certain web sites are to be precluded, etc. Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting.  The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 170.  Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system.  In an exemplary embodiment, the logging node 140 data may be anonymized so that data identifying an enterprise is removed or obfuscated – Natarajan: par. 0038 – Note: Example external systems may include an enterprise 200, a computer device 220, and a mobile device 230, or other network and computing systems communicatively coupled to the system 100 – par. 0033, wherein according to a service agreement between a provider of the system 100 and an owner of an external system, the system 100 may thus provide security protection to the external system at any location throughout the geographic region – par. 0035. Further, and the authority nodes 120 may serve as an application layer 160.  The application layer 160 may, for example, manage and provide policy data, threat data, and data inspection engines and dictionaries for the processing nodes 110.  In an exemplary embodiment, the application layer 160 can continually update the processing nodes 110 with newly detected malware as described herein for zero day/zero hour protection – par. 0037).

Per claims 10 and 19, Natarajan-Dumitriu discloses features of claims 1 and 11, wherein the steps further include receiving an update based on detection of zero-day/zero-hour threats (The FCC components 704 is a BA Analysis Engine which includes secure content storage with data destruct capabilities, is a scalable and flexible platform for VM based execution sandboxes, includes a smart scheduler to determine what needs to be analyzed and manage BA content from the cloud, and includes threat reporting storage and UI infrastructure for malware result analysis and research.  The FCC components 704 can provide dynamic updates based on latest malware analysis thereby providing zero day/zero hour protection – Natarajan: par. 0076 – Note: Server SMBE 720 which is part of FCC Components 704 provides updates to the cloud components 702); and updating the firewall based on the update (The server 710 is configured to enforce policy based on configuration, to log transactions to the data store 712 with information included therein such as policy reason and Threat category/super category information, and to send BA content to the BA infrastructure (specifically the server 720).  In an exemplary embodiment, the server 710 can be the processing node 110, the cloud node 502, etc. That is, the server 710 is generally performing inline traffic processing between a user and another domain in an external fashion as a cloud-based system (security-as-a-service) – Natarajan: par. 0077 – Note: Server SME 710 which is part of cloud components 702 receives and process the updates and logs the transactions to the data store 712).

2.	Claims 4-6, 8, 14-16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Natarajan, US2014/0208426A1 in view of Dumitriu, US2014/0195666A1 as applied to claims 1 and 11 above, in further view of Buruganahalli, US2017/0302703A1 (references through-out are either supported by or from provisional 61/831,391 filed 06/05/2013). 

Per claims 4 and 14, Natarajan-Dumitriu discloses features of claims 1 and 11. 
Natarajan-Dumitriu is not relied on to disclose but Buruganahalli discloses wherein the firewall policies are configured to operate over all ports and protocols associated with the WAN (As shown in FIG. 1, network traffic monitoring begins at 102.  An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis.  In some embodiments, user identification is then determined (e.g., user ID can be deduced based on the source IP address).  A policy check engine 106 determines whether any policies can be applied based on the IP address and port number.  As also shown in FIG. 1, an application signature check engine 108 identifies an application (e.g., using an APP-ID engine using various application signatures for identifying applications based on packet flow analysis).  For example, APP-ID engine 108 can be configured to determine what type of traffic the session involves, such as HTTP traffic, HTTPS traffic, SSL/TLS traffic, SSH traffic, DNS requests, FTP traffic, unknown traffic, and various other types of traffic, and such classified traffic can be directed to an appropriate decoder, such as decoders 112, 114, and 116, to decode the classified traffic for each monitored session's traffic flow – Buruganahalli (provisional): par. 0047).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan-Dumitriu further in view of Buruganahalli to include wherein the firewall policies are configured to operate over all ports and protocols associated with the WAN.
One of ordinary skill in the art would have been motivated because it would allow “to securely enable application usage using business-relevant concepts, instead of following the traditional approach offered by traditional port-blocking firewalls” – Buruganahalli: par: 0021.

Per claims 5 and 15, Natarajan-Dumitriu discloses features of claims 1 and 11.
Natarajan-Dumitriu is not relied on to disclose but Buruganahalli discloses wherein each of the plurality of packets includes one of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic (Various techniques described herein can be used to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy).  For example, if a new flow is determined to violate a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be blocked and decryption is not required.  As an example, Bob who is a user (e.g., an employee) of ACME Company may attempt to logon using a web browser executing on his desktop office computer to a remote server that is associated with the online banking site (e.g., web site) of Banking Corporation.  If the firewall policy of ACME Company has white listed the domain associated with the Banking Corporation as a trusted domain, then Bob's connection (e.g., an SSL/TLS session) with the web site for the Banking Corporation can be allowed using various techniques described herein – Buruganahalli (provisional): par. 0030 – Note: also see details in par. 0047).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan-Dumitriu further in view of Buruganahalli to include wherein each of the plurality of packets includes one of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic.
One of ordinary skill in the art would have been motivated because it would allow “to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy)” – Buruganahalli: par. 0030.

Per claims 6 and 16, Natarajan-Dumitriu discloses features of claims 1 and 11.
Although Natarajan discloses Deep Packet Inspection (DPI) (The cloud components 702 monitor inline users such as using HTTP and non-HTTP protocols (to cover proxy and firewall/DPI) to detect and block/preclude malware – Natarajan: par. 0076), it is not relied on to explicitly disclose but Buruganahalli discloses wherein the steps further include performing Deep Packet Inspection (DPI) on each of the plurality of packets in a same session (Various techniques described herein can also be applied to efficiently handle a session resumption (e.g., resumption of an SSL/TLS session) that does not involve any server certificate exchange.  For example, in such a scenario it can be challenging to determine the domain name unless the data communications of that resumed session are decrypted.  Using the techniques described herein allow for the resumed session to be associated with a destination domain without requiring decryption of such data communications.  For example, in the case of a session resumption, there is a client hello message followed by server hello but no certificate is provided from the server (e.g., as it was previously sent to the client at the previous handshake for the initial session setup) – Buruganahalli (provisional): par. 0033 – Note: Stateful firewalls can also perform stateful-based packet inspection in which each packet is examined within the context of a series of packets associated with that network transmission's flow of packets/packet flow (e.g., stateful firewalls or third generation firewalls) – Buruganahalli (provisional): par. 0021, wherein stateful-based packet inspection is inherently performed on packets within flow of an existing/same session); and 
determining an application associated with the same session based on the DPI As also shown in FIG. 1, an application signature check engine 108 identifies an application (e.g., using an APP-ID engine using various application signatures for identifying applications based on packet flow analysis).  For example, APP-ID engine 108 can be configured to determine what type of traffic the session involves, such as HTTP traffic, HTTPS traffic, SSL/TLS traffic, SSH traffic, DNS requests, FTP traffic, unknown traffic, and various other types of traffic, and such classified traffic can be directed to an appropriate decoder, such as decoders 112, 114, and 116, to decode the classified traffic for each monitored session's traffic flow – Buruganahalli (provisional): par. 0047).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan-Dumitriu further in view of Buruganahalli to include wherein the steps further include performing Deep Packet Inspection (DPI) on each of the plurality of packets in a same session; and determining an application associated with the same session based on the DPI.
One of ordinary skill in the art would have been motivated because it would allow “to securely enable application usage using business-relevant concepts, instead of following the traditional approach offered by traditional port-blocking firewalls” – par: 0021 and further allow “facilitating deep packet inspection of the session traffic, which can include unencrypted and possibly encrypted data communications associated with the session using a secure protocol, such as SSL/TLS” – par. 0044.

Per claims 8 and 18, Natarajan-Dumitriu discloses features of claims 1 and 11.
Although Natarajan discloses security policies based on location (Note: see rejection of claim 2), it is not relied on to disclose but Natarajan-Dumitriu further in view of Buruganahalli discloses wherein the firewall policies are security policies based on user identity application awareness, and location (As shown in FIG. 1, network traffic monitoring begins at 102.  An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis.  In some embodiments, user identification is then determined (e.g., user ID can be deduced based on the source IP address).  A policy check engine 106 determines whether any policies can be applied based on the IP address and port number.  As also shown in FIG. 1, an application signature check engine 108 identifies an application (e.g., using an APP-ID engine using various application signatures for identifying applications based on packet flow analysis).  For example, APP-ID engine 108 can be configured to determine what type of traffic the session involves, such as HTTP traffic, HTTPS traffic, SSL/TLS traffic, SSH traffic, DNS requests, FTP traffic, unknown traffic, and various other types of traffic, and such classified traffic can be directed to an appropriate decoder, such as decoders 112, 114, and 116, to decode the classified traffic for each monitored session's traffic flow – Buruganahalli (provisional): par. 0047).
Therefore, claims 8 and 18 are rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 4 above. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Hsu (2016/0094514A1) discloses translating existing network attributes (such as MAC address, IP address, VLAN tags, user account names, etc.) of the traffic flow of packets, to establish a unique identity capable of representing the traffic flow in the multi-tenant environment.  For example, if IP address is selected as the existing network attribute, the original IP address will be translated into a unique IP address according to the information for the tenant before sending packets to the packet processing module for implementing a packet processing policy, e.g., a security protection policy.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand can be reached on 571 - 272 - 3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/Examiner, Art Unit 2434