Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.


DETAILED ACTION
1.        Claims 1 - 20 are pending.  Claims 1, 15, 20 have been amended.  Claims 1, 15, 20 are independent.   File date is 9-5-2019.  This action is in response to application amendments filed on 11-22-2021. 

Claim Rejections - 35 USC § 103  
2.        The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

3.       Claims 1 - 20 are rejected under 35 U.S.C. 103 as being unpatentable over Gunda et al. (US PGPUB No. 20180183759) in view of Liu et al. (US PGPUB No. 20210014749).     	

Regarding Claim 1, Gunda discloses a method comprising:
a)  receiving a data packet as part of network traffic to a destination host from a source host at a first border node instance in an enterprise network fabric, wherein the data packet is received with a context associated with the source host; (see Gunda ¶ 038, ll 1-7: data messages refer to a collection of bits in a particular format sent across a network; sent as Ethernet frames, IP packets, etc.; ¶ 037, ll 12-19: context engine provides contextual attributes to service engines; utilize contextual attributes to identify service rules that specify context-based services to perform on data messages sent by or received) and 
c)  receiving the data packet at a second border node instance after the firewall applies the firewall policy to the data packet. (see Gunda ¶ 062, ll 1-10: firewall engine performs firewall operations on data messages sent by or received for the DCNs, firewall operations are based on firewall rules in rule storage; ¶ 063, ll 1-5: firewall engine can allow, block, or re-route data messages based on any number of contextual attributes)

    Furthermore, Gunda discloses for b): sending the data packet to a firewall of the enterprise network fabric and applies a firewall policy to the data packet. (see Gunda ¶ 062, ll 1-10: firewall engine performs firewall operations on data messages sent by or received for the DCNs, firewall operations are based on firewall rules in rule storage; ¶ 063, ll 1-5: firewall engine can allow, block, or re-route data messages based on any number of contextual attributes)  
    And, Gunda discloses for d): selectively encapsulating the data packet with the context associated with the source host for applying one or more policies to control transmission of the network traffic through the enterprise network fabric. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received)

Gunda does not explicitly disclose for b): sending data packet to a firewall wherein the firewall strips context associated with source host from data packet and applies firewall policy, and for d): selectively encapsulating data packet with context associated with source host at second border node instance. 
However, Liu discloses: 
b)  wherein the firewall strips the context associated with the source host from the data packet; (see Liu ¶ 091, ll 1-9: access link management: after terminal switches access link, path and context information of source access link are saved; when needing to switch back: source access link is directly restored according to path and context information of source access link) and
d)  selectively encapsulating the data packet with the context associated with the source host at the second border node instance based on the firewall stripping the context associated with the source host from the data packet. (see Liu ¶ 091, ll 1-9: access link management: after terminal switches access link, path and context information of source access link are saved; when needing to switch back: source access link is directly restored according to path and context information of source access link)    
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gunda for b): sending data packet to a firewall wherein the firewall strips context associated with source host from data packet and applies firewall policy, and for d): selectively encapsulating data packet with context associated with source host at second border node instance as taught by Liu. One of ordinary skill in the art would have been motivated to employ the teachings of Liu for the benefits achieved from a system that enables the context associated with source data packets to be processed utilizing source host context even though a firewall system is associated with the network flow. (Liu ¶ 091, ll 1-9)  
 
Regarding Claim 2, Gunda-Liu discloses the method of claim 1, wherein the context associated with the source host includes a security group tag associated with the source host. (see Gunda ¶ 062, ll 6-15: firewall rules defined in terms of contextual attributes (context-based firewall engine), contextual attributes include application names and version identification, group ID, etc.; ¶ 097, ll 1-14: rule identifier includes a set of individual values or a group identifier such as a security group identifier)    

Regarding Claim 3, Gunda-Liu discloses the method of claim 1, wherein either or both the source host and the destination host are in the enterprise network fabric. (see Gunda ¶ 086, ll 5-9: logical forwarding element isolates traffic of VMs of one logical network from VMs of another logical network; logical forwarding element connects VMs executing on the same host or different hosts)    

Regarding Claim 4, Gunda-Liu discloses the method of claim 1, wherein only one of the source host and the destination host are in the enterprise network fabric. (see Gunda ¶ 086, ll 5-9: logical forwarding element isolates traffic of VMs of one logical network from VMs of another logical network; logical forwarding element connects VMs executing on the same host or different hosts)    

Regarding Claim 5, Gunda-Liu discloses the method of claim 1, wherein the first border node instance and the second border node instance are two separate instances of a same border node. (see Gunda ¶ 086, ll 5-9: logical forwarding element isolates traffic of VMs of one logical network from VMs of another logical network; logical forwarding element connects VMs executing on the same host or different hosts)    

Regarding Claim 6, Gunda-Liu discloses the method of claim 1, wherein the first border node instance and the second border node instance are instances of two different border nodes as part of a multi-homed border of the enterprise network fabric. (see Gunda ¶ 086, ll 5-9: logical forwarding element isolates traffic of VMs of one logical network from VMs of another logical network; logical forwarding element connects VMs executing on the same host or different hosts)    

Regarding Claim 7, Gunda-Liu discloses the method of claim 1, further comprising:
a)  receiving, from a map register, and maintaining, at a map server/map resolver (MSMR), a mapping of contexts associated with sources to identifications of sources including the context associated with the source host mapped to an identification of the source host; (see Gunda ¶ 089, ll 1-7: service engine has its own context-based service rule storage, attribute mapping storage, connection cache storage)     
b)  sending, from the second border node instance to the MSMR, a map request including an identification of the source host; (see Gunda ¶ 090, ll 1-11: service operation for a data message flow attempts to match flow identifier and/or flow’s associated context attribute set to rule identifiers of its service rules in service rules storage) and
c)  receiving, at the second border node from the MSMR, the context associated with the source host, wherein the context associated with the source host is determined at the MSMR using the mapping based on the identification of the source host received from the first border node instance. (see Gunda ¶ 091, ll 11-14: context engine policy storage contains the rules that control operation of context engine; policies direct context engine to generate rules)    

Regarding Claim 8, Gunda-Liu discloses the method of claim 7, wherein the second border node instance is configured to send the map request to the MSMR in response to the firewall decapsulating the data packet through application of the firewall policy. (see Gunda ¶ 062, ll 1-10: firewall engine performs firewall operations on data messages sent by or received for the DCNs, firewall operations are based on firewall rules in rule storage; ¶ 063, ll 1-5: firewall engine can allow, block, or re-route data messages based on any number of contextual attributes)     

Regarding Claim 9, Gunda-Liu discloses the method of claim 7, further comprising:
a)  sending a map reply of at least a plurality of nodes associated with the second border node from the MSMR to the second border node instance, wherein the map reply excludes a mapping of the destination host to a corresponding RLOC; (see Gunda ¶ 090, ll 1-11: service operation for a data message flow attempts to match flow identifier and/or flow’s associated context attribute set to rule identifiers of its service rules in service rules storage) and
b)  sending the identification of the source host from the second border node instance to the MSMR as part of a map request based on the map cache excluding the mapping of the destination host to the RLOC. (see Gunda ¶ 091, ll 11-14: context engine policy storage contains the rules that control operation of context engine; policies direct context engine to generate rules)    

Regarding Claim 10, Gunda-Liu discloses the method of claim 1, further comprising:
a)  maintaining, at a map server/map resolver (MSMR), a mapping of contexts associated with sources to identifications of sources including the context associated with the source host mapped to an identification of the source host; (see Gunda ¶ 089, ll 1-7: service engine has its own context-based service rule storage, attribute mapping storage, connection cache storage)    
b)  sending, from the second border node instance to the MSMR, an identification of the source host; and c) determining, at the MSMR, whether to send the context associated with the source host to the second border node instance based on the one or more policies; (see Gunda ¶ 062, ll 1-10: firewall engine performs firewall operations on data messages sent by or received for the DCNs, firewall operations are based on firewall rules in rule storage; ¶ 063, ll 1-5: firewall engine can allow, block, or re-route data messages based on any number of contextual attributes) and
d)  selectively sending the context associated with the source host from the MSMR to the second border node instance based on whether it is determined to send the context based on the one or more policies to facilitate selective encapsulation of the data packet with the context associated with the source host. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received)    

Regarding Claim 11, Gunda-Liu discloses the method of claim 10, wherein the MSMR determines whether to send the context associated with the source host using the mapping of contexts associated with sources to identifications of sources, the identification of the source host, and the one or more policies. (see Gunda ¶ 089, ll 1-7: service engine has its own context-based service rule storage, attribute mapping storage, connection cache storage; ¶ 090, ll 1-11: service operation for a data message flow attempts to match flow identifier and/or flow’s associated context attribute set to rule identifiers of its service rules in service rules storage)

Regarding Claim 12, Gunda-Liu discloses the method of claim 1, further comprising:
a)  determining whether to send the data packet after it is encapsulated with the context associated with the source host based on the one or more policies as part of applying the one or more policies to the network traffic; (see Gunda ¶ 062, ll 1-10: firewall engine performs firewall operations on data messages sent by or received for the DCNs, firewall operations are based on firewall rules in rule storage; ¶ 063, ll 1-5: firewall engine can allow, block, or re-route data messages based on any number of contextual attributes) and
b)  sending the data packet encapsulated with the context associated with the source host to the destination host if it is determined to send the data packet based on the one or more policies. (see Gunda ¶ 062, ll 1-10: firewall engine performs firewall operations on data messages sent by or received for the DCNs, firewall operations are based on firewall rules in rule storage; ¶ 063, ll 1-5: firewall engine can allow, block, or re-route data messages based on any number of contextual attributes)    

Regarding Claim 13, Gunda-Liu discloses the method of claim 1, wherein the source host is associated with a first subscriber and the destination host is associated with a second subscriber, the method further comprising: selectively encapsulating the data packet with the context associated with the source host for applying the one or more policies controlling subscriber to subscriber communication through the enterprise network fabric. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received)    

Regarding Claim 14, Gunda-Liu discloses the method of claim 13, wherein the one or more policies allow communication between the first subscriber and the second subscriber, the method further comprising: 
a)  receiving, at the second border node instance from a MSMR, the context associated with the source host based on the one or more policies allowing communication between the first subscriber and the second subscriber; (see Gunda ¶ 038, ll 1-7: data messages refer to a collection of bits in a particular format sent across a network; sent as Ethernet frames, IP packets, etc.; ¶ 037, ll 12-19: context engine provides contextual attributes to service engines; utilize contextual attributes to identify service rules that specify context-based services to perform on data messages sent by or received)
b)  encapsulating the data packet with the context associated with the source host; and c) sending the encapsulated data packet to the destination host from the second border node instance. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received)     

Regarding Claim 15, Gunda discloses a system comprising:
a)  one or more processors; and b) at least one computer-readable storage medium having stored therein instructions which, when executed by the one or more processors, cause the one or more processors to perform operations (see Gunda ¶ 147, ll 1-9: implemented as software processes specified as a set of instructions recorded on a computer readable storage medium; instructions are executed by one or more processors; to perform designated actions) comprising:
c)  receiving a data packet as part of network traffic to a destination host from a source host at a first border node instance in an enterprise network fabric, wherein the data packet is received with a security group tag associated with the source host; (see Gunda ¶ 038, ll 1-7: data messages refer to a collection of bits in a particular format sent across a network; sent as Ethernet frames, IP packets, etc.; ¶ 037, ll 12-19: context engine provides contextual attributes to service engines; utilize contextual attributes to identify service rules that specify context-based services to perform on data messages sent by or received; ¶ 097, ll 1-14: rule identifier includes a set of individual values or a group identifier such as a security group identifier) and 
e)  receiving the data packet at a second border node instance after the firewall applies the firewall policy to the data packet. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received)   

    Furthermore, Gunda discloses for d): sending the data packet to a firewall of the enterprise network fabric and applies a firewall policy to the data packet. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received) 
    And, Gunda discloses for f): selectively encapsulating the data packet with the security group tag associated with the source host for applying one or more policies to control transmission of the network traffic through the enterprise network fabric. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received) 

Gunda does not explicitly disclose for d): wherein firewall strips context associated with source host from data packet, and for f): selectively encapsulating data packet with security group tag associated with source host at second border node instance based on firewall stripping context associated with source host. 
However, Liu discloses: 
d)  wherein the firewall strips the context associated with the source host from the data packet and applies a firewall policy to the data packet; (see Liu ¶ 091, ll 1-9: access link management: after terminal switches access link, path and context information of source access link are saved; when needing to switch back: source access link is directly restored according to path and context information of source access link) and
f)   selectively encapsulating the data packet with the security group tag associated with the source host at the second border node instance based on the firewall stripping the context associated with the source host from the data packet. (see Liu ¶ 091, ll 1-9: access link management: after terminal switches access link, path and context information of source access link are saved; when needing to switch back: source access link is directly restored according to path and context information of source access link) 
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gunda for d): wherein firewall strips context associated with source host from data packet, and for f): selectively encapsulating data packet with security group tag associated with source host at second border node instance based on firewall stripping context associated with source host as taught by Liu. One of ordinary skill in the art would have been motivated to employ the teachings of Liu for the benefits achieved from a system that enables the context associated with source data packets to be processed utilizing source host context even though a firewall system is associated with the network flow. (Liu ¶ 091, ll 1-9)      

Regarding Claim 16, Gunda-Liu discloses the system of claim 15, wherein the instructions which, when executed by the one or more processors, further cause the one or more processors to perform operations comprising:
a)  maintaining, at a map server/map resolver (MSMR), a mapping of security group tags associated with sources to identifications of sources including the security group tag associated with the source host mapped to an identification of the source host; (see Gunda ¶ 089, ll 1-7: service engine has its own context-based service rule storage, attribute mapping storage, connection cache storage; ¶ 097, ll 1-14: rule identifier includes a set of individual values or a group identifier such as a security group identifier)    
b)  sending, from the second border node instance to the MSMR, an identification of the source host; and c) receiving, at the second border node from the MSMR, the security group tag associated with the source host, wherein the security group tag associated with the source host is determined at the MSMR using the mapping based on the identification of the source host received from the first border node instance. (see Gunda ¶ 062, ll 1-10: firewall engine performs firewall operations on data messages sent by or received for the DCNs, firewall operations are based on firewall rules in rule storage; ¶ 063, ll 1-5: firewall engine can allow, block, or re-route data messages based on any number of contextual attributes)    

Regarding Claim 17, Gunda-Liu discloses the system of claim 16, wherein the second border node instance is configured to send the identification of the source host to the MSMR in response to the firewall decapsulating the data packet through application of the firewall policy. (see Gunda ¶ 062, ll 1-10: firewall engine performs firewall operations on data messages sent by or received for the DCNs, firewall operations are based on firewall rules in rule storage; ¶ 063, ll 1-5: firewall engine can allow, block, or re-route data messages based on any number of contextual attributes)     

Regarding Claim 18, Gunda-Liu discloses the system of claim 15, wherein the instructions which, when executed by the one or more processors, further cause the one or more processors to perform operations comprising:
a)  receiving and maintaining, at the MSMR, a mapping of security group tags associated with sources to identifications of sources including the context associated with the source host mapped to an identification of the source host; (see Gunda ¶ 089, ll 1-7: service engine has its own context-based service rule storage, attribute mapping storage, connection cache storage; ¶ 062, ll 6-15: firewall rules defined in terms of contextual attributes (context-based firewall engine), contextual attributes include application names and version identification, group ID, etc.; ¶ 097, ll 1-14: rule identifier includes a set of individual values or a group identifier such as a security group identifier)    
b)  sending, from the second border node instance to the MSMR, an identification of the source host; and c) determining, at the MSMR, whether to send the security group tag associated with the source host to the second border node instance based on the one or more policies; (see Gunda ¶ 062, ll 1-10: firewall engine performs firewall operations on data messages sent by or received for the DCNs, firewall operations are based on firewall rules in rule storage; ¶ 063, ll 1-5: firewall engine can allow, block, or re-route data messages based on any number of contextual attributes) and
d)  selectively sending the security group tag associated with the source host from the MSMR to the second border node instance based on whether it is determined to send the security group tag based on the one or more policies to facilitate selective encapsulation of the data packet with the security group tag associated with the source host. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received; ¶ 097, ll 1-14: rule identifier includes a set of individual values or a group identifier such as a security group identifier)    

Regarding Claim 19, Gunda-Liu discloses the system of claim 15, wherein the source host is associated with a first subscriber and the destination host is associated with a second subscriber and the instructions which, when executed by the one or more processors, further cause the one or more processors to perform operations comprising: selectively encapsulating the data packet with the security group tag associated with the source host for applying the one or more policies controlling subscriber to subscriber communication through the enterprise network fabric. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received; ¶ 062, ll 6-15: firewall rules defined in terms of contextual attributes (context-based firewall engine), contextual attributes include application names and version identification, group ID, etc.; ¶ 097, ll 1-14: rule identifier includes a set of individual values or a group identifier such as a security group identifier)

Regarding Claim 20, Gunda discloses a non-transitory computer-readable storage medium having stored therein instructions which, when executed by a processor, cause the processor to perform operations (see Gunda ¶ 147, ll 1-9: implemented as software processes specified as a set of instructions recorded on a computer readable storage medium; instructions are executed by one or more processors; to perform designated actions) comprising:
a)  receiving a data packet as part of network traffic to a destination host from a source host at a first border node instance in an enterprise network fabric, wherein the data packet is received with a context associated with the source host; (see Gunda ¶ 038, ll 1-7: data messages refer to a collection of bits in a particular format sent across a network; sent as Ethernet frames, IP packets, etc.; ¶ 037, ll 12-19: context engine provides contextual attributes to service engines; utilize contextual attributes to identify service rules that specify context-based services to perform on data messages sent by or received)
b)  injecting, into the first border node instance, routes from source nodes associated with the first border node instance to a firewall of the enterprise network fabric; (see Gunda ¶ 135, ll 4-9: firewall action requires the data message to be re-routed (i.e. analogous to injecting a new route for data message); process performs a network address translation on data message in order to effectuate the re-routing operation) and 
d)  receiving the data packet at a second border node instance after the firewall applies the firewall policy to the data packet. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received)  

    Furthermore, Gunda discloses for c): sending the data packet to the firewall based on the routes injected into the first border node instance and applies a firewall policy to the data packet. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received) 
    And, Gunda discloses for e): selectively encapsulating the data packet with the context associated with the source host for applying one or more policies to control transmission of the network traffic through the enterprise network fabric. (see Gunda ¶ 016, ll 8-18: context engine generates a service token for collection of attributes and provides service token to service engine (i.e. pass along in data message’s encapsulating tunnel header); service engine identifies contextual attributes that context engine has provided to service engine; ¶ 018, ll 6-16: firewall engine performs context-based firewall operations on data messages sent by or received)    

Gunda does not explicitly disclose for c): wherein firewall strips context associated with source host from data packet, and for e): selectively encapsulating data packet with context associated with source host at second border node instance based on firewall stripping context associated with source host. 
However, Liu discloses:
c)  wherein the firewall strips the context associated with the source host from the data packet; (see Liu ¶ 091, ll 1-9: access link management: after terminal switches access link, path and context information of source access link are saved; when needing to switch back: source access link is directly restored according to path and context information of source access link) and  
e)  selectively encapsulating the data packet with the context associated with the source host at the second border node instance based on the firewall stripping the context associated with the source host from the data packet. (see Liu ¶ 091, ll 1-9: access link management: after terminal switches access link, path and context information of source access link are saved; when needing to switch back: source access link is directly restored according to path and context information of source access link)     
        It would have been obvious to one of ordinary skill in the art, before the effective filing date of the claimed invention, to modify Gunda for c): wherein firewall strips context associated with source host from data packet, and for e): selectively encapsulating data packet with context associated with source host at second border node instance based on firewall stripping context associated with source host as taught by Liu. One of ordinary skill in the art would have been motivated to employ the teachings of Liu for the benefits achieved from a system that enables the context associated with source data packets to be processed utilizing source host context even though a firewall system is associated with the network flow. (Liu ¶ 091, ll 1-9)

Response to Arguments
4.    Applicant’s arguments, see Arguments/Remarks Made in an Amendment, filed 11-22-2021, with respect to the rejection(s) under Gunda have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Gunda in view of Liu.

A.  Applicant argues on page 11 of Remarks:    ...   Examiners are cautioned to avoid hindsight and set aside knowledge of applicant’s disclosure in reaching this determination.

    The Examiner respectfully disagrees.  In response to applicant's argument that the examiner's conclusion of obviousness is based upon improper hindsight reasoning, it must be recognized that any judgment on obviousness is in a sense necessarily a reconstruction based upon hindsight reasoning.  But so long as it takes into account only knowledge which was within the level of ordinary skill at the time the claimed invention was made, and does not include knowledge gleaned only from the applicant's disclosure, such a reconstruction is proper.  See In re McLaughlin, 443 F.2d 1392, 170 USPQ 209 (CCPA 1971).

B.  Applicant argues on page 12 of Remarks:    ...   “sending the data packet to a firewall of the enterprise network fabric wherein the firewall strips the context associated with the source host from the data packet and applies a firewall policy to the data packet,”   ...   .  

    The Examiner respectfully disagrees.  Liu discloses the capability to save the context and path information associated with a source host wherein enabling a communication session such as a firewall data processing communication session.  And, Liu discloses the capability to restore the context and path information associated with a source host wherein enabling post firewall data processing communication session. (see Liu ¶ 091, ll 1-9: access link management: after terminal switches access link, path and context information of source access link are saved; when needing to switch back: source access link is directly restored according to path and context information of source access link)

C.  Applicant argues on page 12 of Remarks:    ...   “selectively encapsulating the data packet with the context associated with the source host at the second border node instance for applying one or more policies to control transmission of the network traffic through the enterprise network fabric based on the firewall stripping the context associated with the source host from the data packet.”

    The Examiner respectfully disagrees. Liu discloses the capability to save the context and path information associated with a source host wherein enabling a communication session such as a firewall data processing communication session.  And, Liu discloses the capability to restore the context and path information associated with a source host wherein enabling post firewall data processing communication session. (see Liu ¶ 091, ll 1-9: access link management: after terminal switches access link, path and context information of source access link are saved; when needing to switch back: source access link is directly restored according to path and context information of source access link)  

D.  Applicant argues on page 13 of Remarks: Claims 15 and 20 have been amended substantially similar to claim 1 and should therefore be allowable for the same reasons asserted above.

    Responses to arguments against independent claim 1 also answer arguments against independent claims 15 and 20, which have similar limitations as independent claim 1.   

E.  Applicant argues on page 13 of Remarks: Claims 2-14 and 16-19 are dependent on one of independent claims 1 and 15 and should be allowable at least by virtue of their dependency on allowable independent claims   ...   . 

    Responses to arguments against the independent claims also answer arguments against the associated dependent claims.    

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

January 3, 2022
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Kyung H Shin whose telephone number is (571)272-3920. The examiner can normally be reached M - F 12pm - 8pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on (571) 272-3880. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/KYUNG H SHIN/     1-6-2022
Primary Examiner, Art Unit 2443