DETAILED ACTION
This action is responsive to RCE filed on January 18th, 2022. 
Claims 1~30 are examined.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/18/22 has been entered.
Response to Arguments
Applicant’s arguments with respect to claim(s) 1~30 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1~7, 9, 16~22, and 24 are rejected under 35 U.S.C. 103 as being unpatentable over Erickson et al. hereinafter Erickson (U.S 2016/0036636) in view of Lu et al. hereinafter Lu (U.S 2019/0075056).
Regarding Claim 1, 

receiving, at data processing hardware, a reachability query requesting a reachability status of a target through a network, the reachability query comprising a packet header associated with a data packet [¶59, performing a CanReachAll check of the network by receiving an input string comprising of packet header objects], the packet header comprising: 
a source internet protocol (IP) address associated a source of the data packet [¶61, “ipv4_src addr 192.168.2.0/24”]; and
a destination IP address associated with a destination of the data packet [¶61, “ipv4_dst addr 192.168.3.0/24”]; 
generating, by the data processing hardware, using a data plane model, one or more simulated forwarding paths for the data packet based on the packet header [¶79~¶81; ¶84~¶86; Fig. 6, ‘606’ and ‘608’ with regards to network model], each simulated forwarding path comprising corresponding network configuration information associated with the network [¶87, reporting identified failover paths between particular locations including suggested network configuration changes]; 
for each respective simulated forwarding path of the one or more simulated forwarding paths: 
determining, by the data processing hardware, from the corresponding network configuration information, at least one egress firewall rule of a first instance that applies to the respective simulated forwarding path [¶69, canOnlyReach <list of ports P> there exists no packet that can exit the network at 
determining, by the data processing hardware, from the corresponding network configuration information, at least one ingress firewall rule that applies to the respective simulated forwarding path [¶68, <list of ports P> canReachAll, there exists packet entering the network that can exit the network; 58, network devices 502, 504, and 506 each have forwarding tables to identify possible paths that traverse these devices]; and 
determining, by the data processing hardware, the reachability status of the target based on the at least one egress firewall rule and the at least one ingress firewall rule [¶66, the CanReachAll check can include multiple extensions; ¶68; ¶69; ¶80, system can present trace results relevant to the search to rapidly converge to the relevant traffic of interest]; and 
providing, by the data processing hardware, the determined reachability status and the one or more simulated forwarding paths to a user device associated with the reachability query [¶81, provide an interface where the user can view virtual packet traces], the one or more simulated forwarding paths when received by the user device causing the user device to present the corresponding network configuration information for each simulated forwarding path [¶87, a query can be submitted to identify a number of failover paths between particular locations (i.e., a particular network property) and flow paths matching the failover paths may be returned; report generated based on the 
Erickson did not specifically teach the presented network configuration information comprising the at least one egress firewall rule of the first instance; and the at least ingress firewall rule of the second instance.
Lu taught the presented network configuration information comprising the at least one egress firewall rule of the first instance; and the at least ingress firewall rule of the second instance [¶32, Fig. 4, receiving configuration data, collect traffic flow data regarding one or more firewall rules. The host machines export the collected data to the set of traffic flow data collectors for analysis and display; ¶36, Fig. 5, firewall rule ID field 510 and Table 1 provides description of field 540 that contain additional information such as flowDirection 0x00: ingress flow to VM and 0x01: egress from VM].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention was made, to combine, Lu’s teaching of the presented network configuration information comprising the at least one egress firewall rule of the first instance and the at least ingress firewall rule of the second instance with the teachings of Erickson, because the combination would be crucial and helpful to monitor how much traffic and which kind of traffic has hit a specific firewall rule or set of firewall rules [Lu: ¶1].
Regarding Claim 2, 
Erickson taught wherein determining the reachability status of the one or more simulated forwarding paths comprises using a network abstract state machine [¶23, state information parsed to generate a network model 112].
Regarding Claim 3, 

Regarding Claim 4, 
Erickson taught wherein the network configuration information comprises at least one of the following: a network configuration associated with each step along the corresponding simulated forwarding path [¶87, identify a number of failover paths between particular locations].
Regarding Claim 5, 
Erickson taught further comprising executing, by the data processing hardware, network reachability analysis on each of the one or more simulated forwarding paths based on the corresponding network configuration information [¶55, modify a snapshot of a network to model and test potential changes to the network].
Regarding Claim 6, 
Erickson taught wherein the network reachability analysis is configured to at least one of: determine a final state of reachability for the data packet along the corresponding simulated forwarding path [¶55, changes can be tested using the network model].
Regarding Claim 7, 
Erickson taught wherein the final state of reachability comprises any one of: a dropped state indicating that the data packet will be dropped due to a configuration checkpoint failure or a missing configuration [¶38, reveal information as to why a particular check fails].
Regarding Claim 9, 
Erickson taught wherein the packet header further comprises: a protocol associated with the data packet; a source port associated with the data packet; and a destination port associated with the data packet [¶61].
Regarding Claims 16~22 and 24, the claims are similar in scope to claim(s) 1~7 and 9 respectively and therefore, rejected under the same rationale.

Claims 8, 10~15, 23, and 25~30 are rejected under 35 U.S.C. 103 as being unpatentable over Erickson and Lu in view of Dodge et al. hereinafter Dodge (U.S 2020/0007569).
Regarding Claim 8, 
Erickson and Lu in view of Dodge taught wherein executing the network reachability analysis comprises executing the network reachability analysis in a continuous mode [¶23, the analysis may be performed by network security evaluator 100 in an automated manner thus, making it obvious the analysis can be initiated manually by a user with a choice to stop the analysis at any given time].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention was made, to combine, Dodge’s teaching of executing the network reachability analysis comprises executing the network reachability analysis in a continuous mode with the teachings of Erickson and Lu, because the combination would allow the security of a network be analyzed quickly and efficiently [Dodge: ¶18].
Regarding Claim 10, 
Erickson and Lu in view of Dodge taught wherein the source of the data packet comprises a first instance executing in a first network and the destination of the data packet comprises a second instance executing in a second network different than the first network [Dodge: ¶104~¶105].
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the invention was made, to combine, Dodge’s teaching of the source of the data packet comprises a first instance executing in a first network and the 
Regarding Claim 11, 
Erickson and Lu in view of Dodge taught wherein the first network comprises a virtual private cloud (VPC) network and the second network comprises an on-premises network [Dodge: ¶47, reachability from a VPC and other networks]. The rationale to combine as discussed in claim 10, applies here as well.
Regarding Claim 12, 
Erickson and Lu in view of Dodge taught wherein the first network and the second network comprise respective virtual private cloud (VPC) networks [Dodge: ¶24, network reachability analysis using data 110 which includes information about VPCs]. The rationale to combine as discussed in claim 10, applies here as well.
Regarding Claim 13, 
Erickson and Lu in view of Dodge taught wherein the source of the data packet comprises a first instance and the destination of the data packet comprises a second instance, the first instance and the second instance both executing in a same virtual private cloud (VPC) network [Dodge: ¶142, Virtual networks 1320A and 1320B in virtual network implementation 1310]. The rationale to combine as discussed in claim 10, applies here as well.
Regarding Claim 14, 
Erickson and Lu in view of Dodge taught wherein the source of the data packet is located in an external network and the destination of the data packet comprises a global HTTPS load balancer executing in a virtual private cloud (VPC) network, the global 
Regarding Claim 15, 
Erickson and Lu in view of Dodge taught wherein generating one or more simulated forwarding paths for the data packet comprises generating a corresponding simulated forwarding path from the global HTTPS load balancer to each one of the multiple different backend VMs [Dodge: ¶80; ¶107, HTTPS access instances 814 for accessing resource instances 818A and 818B; ¶120]. The rationale to combine as discussed in claim 10, applies here as well.
Regarding Claims 23 and 25~30, the claims are similar in scope to claim(s) 8 and 10~15 respectively and therefore, rejected under the same rationale.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HEE SOO KIM whose telephone number is (571)270-3229. The examiner can normally be reached on M-F 9AM-5PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Nicholas Taylor can be reached on (571) 272-3889. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information 
/HEE SOO KIM/Primary Examiner, Art Unit 2457