DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This action is in response to communication filed 01/08/2022. Claims 1, 11 and 20 have been amended and claims 1-20 remain pending.

Response to Arguments
Applicant's arguments filed 01/08/2022 have been fully considered but they are not persuasive. 
In page 7, Applicant argues “in Dumitriu, the decision engine is invoked to conduct a simulation on a first packet (of multiple associated packets) to determine how the packet will be routed through the network topology and how the packet will be handled. The results are then stored for all of the nodes of the network topology to access to handle that first packet and the subsequent multiple associated packets for the routing of those packets through the network. Such a routing simulation and subsequent routing of the associated packets, while disclosing an efficient manner for routing packets, has no bearing on how a firewall is utilized on the nodes of the network in Dumitriu. Indeed, Dumitriu does not describe firewall services at all, but merely notes in paragraph [0006] that the system and method “may also provide firewall services.” As Dumitriu is silent with regards to how such firewall services are conducted, Dumitriu cannot suggest how firewall sessions are generated and resources allocated thereto, let alone generating a new firewall session for each packet matching a distinctive firewall policy and then directing further matched packets thereto as required in the claims”.
Examiner respectfully disagrees.
As Applicant contends, Dumitriu discloses determining how the packet will be routed through the network topology and how the packet will be handled by implementing a decision engine. Dumitriu discloses “the decision engine's output includes a packet protocol header pattern than can be used to match other packets for which the decision engine's output would be the same as for the first packet. In other words, the packet protocol header pattern may be used to identify packets which will be treated in an identical manner by applying the actions or rules determined for the first packet” – par. :0035. A configuration of virtual ports and the device associated with the virtual ports (mapping of the network resources) is retrieved from a shared database storing topology and device configuration information, wherein “[t]he action for processing the network packet is then determined based upon a simulation of the device associated with the virtual port. The determined action may include one or more of modifying an internal state of a network device, dropping the packet, modifying the packet's protocol headers, emitting the packet from one or more virtual ports of a network device”  – par. 0043-0047. Note that the above described features are the functions of a rule/policy defined firewalling as explicitly suggested by Dumitriu in par. 0006 “[t]he method and system may also provide for L3/L4 firewall services, source and/or destination network address translation services” (Emphasis Added).
Dumitriu further discloses only the first packet of a connection will cause a call to the decision engine, because, once the flow is created in the flow table 162 that flow may be applied to subsequent packets of the same flow, wherein the decision engine builds an action list indicating how to process and forward the packet and inserts it as a flow rule in the flow table. Subsequent packets that match the criteria for that flow have the action list applied, which may include routing the packet to a given port – par. 0095-0096.

In response to applicant’s argument that “Dumitriu does not describe firewall services at all, but merely notes in paragraph [0006] that the system and method “may also provide firewall services.” As Dumitriu is silent with regards to how such firewall services are conducted”, the fact that applicant has recognized another advantage which would flow naturally from following the suggestion of the prior art cannot be the basis for patentability when the differences would otherwise be obvious. See Ex parte Obiaya, 227 USPQ 58, 60 (Bd. Pat. App. & Inter. 1985).

In response to applicant’s argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., how such firewall services are conducted) are not recited in the rejected claim(s) in such details to dismiss applicability of the teachings of Dumitriu. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims. See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). In fact, as factually explained above, Dumitriu functionally discloses how such firewalling services, among other routing and forwarding services, are conducted.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


1.	Claims 1-3, 7, 9-13, 17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Natarajan, US2014/0208426A1 in view of Dumitriu, US2014/0195666A1.

Per claim 1, Natarajan discloses a non-transitory computer-readable storage medium having computer readable code stored thereon for programming a processor, in a node of a cloud-based security system (The cloud system 500 may be configured to perform various functions such as spam filtering, uniform resource locator (URL) filtering, antivirus protection, bandwidth control, data loss prevention, zero day vulnerability protection, web 2.0 features, malware detection and blocking, and the like.  In an exemplary embodiment, the cloud system 500 and the distributed security system 100 may be viewed as Security-as-a-Service through the cloud – Natarajan: par. 0068 – Note: “[t]he user interface front-end 130 may provide a user interface through which users of the external systems may provide and define security policies, e.g., whether email traffic is to be monitored, whether certain web sites are to be precluded, etc.” – Natarajan: par. 0038), to perform steps of: 
Natarajan is not relied on to disclose but Dumitriu discloses receiving a plurality of packets, each of the plurality of packets being received from a respective network device each respective device being associated with one of a plurality of tenants associated with the cloud-based security system and being external to the node, the cloud-based security system enabling communication over a Wide Area Network (WAN) (an edge connector runs on a physical machine with at least one CPU that receives packets from an external network, such as the Internet, where the packets are addressed to an IP address associated with a tenant of the system – Dumitriu: par. 0103); 
selecting firewall policies for processing each respective packet of the plurality of packets based on a matching criteria (When the edge connector receives a packet at step 410, it extracts a plurality of data at step 412, including but not limited to, source and destination addresses and source and destination ports.  After extracting the data, the edge connector looks up the plurality of data in a flow table (step 414) and determines if the flow has already been established (step 416)…If the flow already exists, the flow action list is applied to the packet and the packet is forwarded to the port of the flow configurable switch indicated by the flow action list in step 418 …Once the edge connector determines the VFE (Virtual Forwarding Element), the edge connector performs another lookup in step 420.  The lookup is performed by looking up the destination IP address in a series of virtual forwarding elements.  The virtual forwarding elements may comprise any combination of virtual routers and virtual switches including virtual routing tables to determine the appropriate path for the packet being forwarded – Dumitriu: par. 0103 and 0104), wherein the cloud-based security system supports the plurality of tenants and the firewall policies are selected based on which tenant is in the matching criteria for the respective packet and which of a plurality of firewall policies are associated with the tenant (Virtual router 302 may be, for example, a virtual router created by a tenant to route traffic between the tenant's virtual machines, virtual machines 211 and 212. The tenant's virtual machines may be on the same host, or may be located on different hosts within the network…the packets are addressed to an IP address associated with a tenant of the system. The tenant IP addresses may be assigned to tenant virtual machines running on one or more hosts within the system…In one embodiment, each tenant may have a single virtual router configured to route all packets handled by that tenant. In other embodiments, some tenants may have a plurality of virtual routers, virtual switches or other virtual forwarding elements defining the tenant's portion of the virtual network topology. The decision engine also builds a series of actions to be performed on the packet from each virtual routing table. Each routing step may also have pre-routing or post-routing processes that are added to the action list and incorporated into the flow rule to be applied to the packets matching the flow – Dumitriu: par. 0099 and 0103-0105 – Note: A tenant specific virtual network topology may provide for organization of tenant virtual machines in desired arrangements or provide for isolation between virtual machines controlled by the same tenant, such as where a tenant is utilizing the network to host multiple discrete functions or business processes – par. 0127); 
generating a new firewall session, at the node, for each packet matching a distinctive firewall policy by allocating resources thereto (only the first packet of a connection will cause a call to the decision engine, because, once the flow is created in the flow table 162 that flow may be applied to subsequent packets of the same flow, wherein the decision engine builds an action list indicating how to process and forward the packet and inserts it as a flow rule in the flow table. Subsequent packets that match the criteria for that flow have the action list applied, which may include routing the packet to a given port – Dumitriu: par. 0095-0096 – Note: “only a first packet of a connection causing a call to the decision engine” is interpreted as equivalent to a distinctive policy for a first packet, resulting in generating a new connection/session and “subsequent packets that match the criteria for that flow” is equivalent to a distinctive policy for subsequent packet of the connection/session, resulting in forwarding in accordance with the action list in the flow table. “simulating a route through the virtual network topology including any number of virtual network devices – par. 0048” is equivalent to allocating resources); and 
processing each of the plurality of packets utilizing one of the firewall sessions generated by directing packets to a respective firewall session based on the matching criteria to determine whether or not to block the respective packet from transmission over the WAN, the block is performed in the node in the cloud-based security system (a flow may be created to drop all packets that match the flow's rule.  In this manner, the system may be configured to handle unrouteable packets or selectively screen undesired data according to rules established by the service provider or tenant – Dumitriu: par. 0103 – Note: the action for processing the network packet is determined based upon the virtual device associated with the virtual port. The determined action may include one or more of dropping the packet, modifying the packet's protocol headers and/or emitting the packet from one or more virtual ports of a network device  – par. 0043-0047).
It is further noted that Natarajan discloses cloud components that function as firewall/DPI to monitor inline users using HTTP and non-HTTP protocols for detecting and blocking/precluding malware, wherein the cloud-based method further includes performing one of blocking or allowing the unknown content to or from the user based on policy – (Natarajan: par. 0072 and 0076). As previously established, Natarajan has further been modified to include the firewall services as suggested by Dumitriu.
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan in view of Dumitriu to include receiving a plurality of packets, each of the plurality of packets being received from a respective network device each respective device being associated with one of a plurality of tenants associated with the cloud-based security system and being external to the node, the cloud-based security system enabling communication over a Wide Area Network (WAN); selecting firewall policies for processing each respective packet of the plurality of packets based on a matching criteria, wherein the cloud-based security system supports the plurality of tenants and the firewall policies are selected based on which tenant is in the matching criteria for the respective packet and which of a plurality of firewall policies are associated with the tenant; generating a new firewall session for each packet matching a distinctive firewall policy by allocating resources thereto; and processing each of the plurality of packets utilizing one of the firewall sessions generated by directing packets to a respective firewall session based on the matching criteria to determine whether or not to block the respective packet from transmission over the WAN, the block is performed in the node in the cloud-based security system.
One of ordinary skill in the art would have been motivated because it would allow to “simulate a route through the virtual network topology including any number of virtual network devices in order to determine how a given packet or flow is to be processed” – Dumitriu: par. 0048. It would further allow to include “a private network maintained by a service provider, where the service provider sells, leases, or otherwise provides network capabilities to a plurality of tenants” – Dumitriu: par. 0083.

Per claim 11, it recites a node in a cloud-based security system, comprising: 
a processor and memory storing instructions (Natarajan: cloud-based security system 700 as depicted in Fig. 7, i.e., server SME 710 in the cloud and server SMBA 720 and BA controller 722) that, when executed, cause the processor to perform the method steps as set forth in the non-transitory computer-readable storage medium of claim 1.
Therefore, claim 11 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 20, it recites a method implemented in a node of a cloud-based security system, the method comprising the method steps set forth in the non-transitory computer readable storage medium of claim 1.
Therefore, claim 20 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 2 and 12, Natarajan-Dumitriu discloses features of claims 1 and 11, wherein the firewall policies are further based on a location in the matching criteria (According to a service agreement between a provider of the system 100 and an owner of an external system, the system 100 may thus provide security protection to the external system at any location throughout the geographic region …in the cloud system 500, traffic from various locations (and various devices located therein) such as a regional office 510, headquarters 520, various employee's homes 530, mobile laptop 540, and mobile device 550 is redirected to the cloud system 500 through the cloud nodes 502.  That is, each of the locations 510, 520, 530, 540, 550 is communicatively coupled to the Internet 504 through the cloud nodes 502 – Natarajan: par. 0035 and 0068).

Per claims 3 and 13, Natarajan-Dumitriu discloses features of claims 1 and 11, wherein each respective network device is configured to route Internet-bound traffic to the cloud-based security system (the distributed security system 100 may generally refer to an exemplary cloud-based security system.  Cloud computing systems and methods abstract away physical servers, storage, networking, etc. and instead offer these as on-demand and elastic resources.  The National Institute of Standards and Technology (NIST) provides a concise and specific definition which states cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction – Natarajan: par. 0041).
Furthermore, Dumitriu also discloses wherein each respective network device is configured to route Internet-bound traffic to the cloud-based security system (The physical network may comprise plurality of edge nodes 920 configured to access an external network, such as the Internet 902.  The physical network may also include a plurality of host nodes 921 configured to host virtual machines.  The network 922 may interconnect the plurality of edge nodes 920 and the plurality of host nodes 921 and be adapted to transport data packets throughout the system…In one embodiment, the edge nodes 920 and host nodes 921 are general purpose servers configured to operate in a cloud computing system… The system may include a software component operating on each of the nodes and implementing the virtual network topology including the provider virtual router and each of the tenant virtual routers – Dumitriu: par. 0129).
The same motivation to modify Natarajan in view of Dumitriu applied to claim 1 above applies here.

Per claims 7 and 17, Natarajan-Dumitriu discloses features of claims 1 and 11, wherein the cloud- based security system is configured to operate the firewall policies in a cloud without firewall hardware deployed at local Internet breakouts (the distributed security system 100 may generally refer to an exemplary cloud-based security system.  Cloud computing systems and methods abstract away physical servers, storage, networking, etc. and instead offer these as on-demand and elastic resources.  The National Institute of Standards and Technology (NIST) provides a concise and specific definition which states cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.  Cloud computing differs from the classic client-server model by providing applications from a server that are executed and managed by a client's web browser, with no installed client version of an application required.  Centralization gives cloud service providers complete control over the versions of the browser-based applications provided to clients, which removes the need for version upgrades or license management on individual client computing devices – Natarajan: par. 0041).

Per claim 9, Natarajan-Dumitriu discloses the non-transitory computer-readable storage medium of claim 1, wherein the steps further include logging every firewall session for multiple users, multiple user devices, multiple locations, multiple applications, multiple ports, and multiple protocols (Other application layer functions may also be provided in a data logging layer 170, such as a user interface (UI) front-end 130.  The user interface front-end 130 may provide a user interface through which users of the external systems may provide and define security policies, e.g., whether email traffic is to be monitored, whether certain web sites are to be precluded, etc. Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting.  The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 170.  Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system.  In an exemplary embodiment, the logging node 140 data may be anonymized so that data identifying an enterprise is removed or obfuscated – Natarajan: par. 0038 – Note: Example external systems may include an enterprise 200, a computer device 220, and a mobile device 230, or other network and computing systems communicatively coupled to the system 100 – par. 0033, wherein according to a service agreement between a provider of the system 100 and an owner of an external system, the system 100 may thus provide security protection to the external system at any location throughout the geographic region – par. 0035. Further, and the authority nodes 120 may serve as an application layer 160.  The application layer 160 may, for example, manage and provide policy data, threat data, and data inspection engines and dictionaries for the processing nodes 110.  In an exemplary embodiment, the application layer 160 can continually update the processing nodes 110 with newly detected malware as described herein for zero day/zero hour protection – par. 0037).

Per claims 10 and 19, Natarajan-Dumitriu discloses features of claims 1 and 11, wherein the steps further include receiving an update based on detection of zero-day/zero-hour threats (The FCC components 704 is a BA Analysis Engine which includes secure content storage with data destruct capabilities, is a scalable and flexible platform for VM based execution sandboxes, includes a smart scheduler to determine what needs to be analyzed and manage BA content from the cloud, and includes threat reporting storage and UI infrastructure for malware result analysis and research.  The FCC components 704 can provide dynamic updates based on latest malware analysis thereby providing zero day/zero hour protection – Natarajan: par. 0076 – Note: Server SMBE 720 which is part of FCC Components 704 provides updates to the cloud components 702); and updating the firewall based on the update (The server 710 is configured to enforce policy based on configuration, to log transactions to the data store 712 with information included therein such as policy reason and Threat category/super category information, and to send BA content to the BA infrastructure (specifically the server 720).  In an exemplary embodiment, the server 710 can be the processing node 110, the cloud node 502, etc. That is, the server 710 is generally performing inline traffic processing between a user and another domain in an external fashion as a cloud-based system (security-as-a-service) – Natarajan: par. 0077 – Note: Server SME 710 which is part of cloud components 702 receives and process the updates and logs the transactions to the data store 712).

2.	Claims 4-6, 8, 14-16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Natarajan, US2014/0208426A1 in view of Dumitriu, US2014/0195666A1 as applied to claims 1 and 11 above, in further view of Buruganahalli, US2017/0302703A1 (references through-out are either supported by or from provisional 61/831,391 filed 06/05/2013). 

Per claims 4 and 14, Natarajan-Dumitriu discloses features of claims 1 and 11. 
Natarajan-Dumitriu is not relied on to disclose but Buruganahalli discloses wherein the firewall policies are configured to operate over all ports and protocols associated with the WAN (As shown in FIG. 1, network traffic monitoring begins at 102.  An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis.  In some embodiments, user identification is then determined (e.g., user ID can be deduced based on the source IP address).  A policy check engine 106 determines whether any policies can be applied based on the IP address and port number.  As also shown in FIG. 1, an application signature check engine 108 identifies an application (e.g., using an APP-ID engine using various application signatures for identifying applications based on packet flow analysis).  For example, APP-ID engine 108 can be configured to determine what type of traffic the session involves, such as HTTP traffic, HTTPS traffic, SSL/TLS traffic, SSH traffic, DNS requests, FTP traffic, unknown traffic, and various other types of traffic, and such classified traffic can be directed to an appropriate decoder, such as decoders 112, 114, and 116, to decode the classified traffic for each monitored session's traffic flow – Buruganahalli (provisional): par. 0047).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan-Dumitriu further in view of Buruganahalli to include wherein the firewall policies are configured to operate over all ports and protocols associated with the WAN.
One of ordinary skill in the art would have been motivated because it would allow “to securely enable application usage using business-relevant concepts, instead of following the traditional approach offered by traditional port-blocking firewalls” – Buruganahalli: par: 0021.

Per claims 5 and 15, Natarajan-Dumitriu discloses features of claims 1 and 11.
Natarajan-Dumitriu is not relied on to disclose but Buruganahalli discloses wherein each of the plurality of packets includes one of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic (Various techniques described herein can be used to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy).  For example, if a new flow is determined to violate a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be blocked and decryption is not required.  As an example, Bob who is a user (e.g., an employee) of ACME Company may attempt to logon using a web browser executing on his desktop office computer to a remote server that is associated with the online banking site (e.g., web site) of Banking Corporation.  If the firewall policy of ACME Company has white listed the domain associated with the Banking Corporation as a trusted domain, then Bob's connection (e.g., an SSL/TLS session) with the web site for the Banking Corporation can be allowed using various techniques described herein – Buruganahalli (provisional): par. 0030 – Note: also see details in par. 0047).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan-Dumitriu further in view of Buruganahalli to include wherein each of the plurality of packets includes one of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic.
One of ordinary skill in the art would have been motivated because it would allow “to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy)” – Buruganahalli: par. 0030.

Per claims 6 and 16, Natarajan-Dumitriu discloses features of claims 1 and 11.
Although Natarajan discloses Deep Packet Inspection (DPI) (The cloud components 702 monitor inline users such as using HTTP and non-HTTP protocols (to cover proxy and firewall/DPI) to detect and block/preclude malware – Natarajan: par. 0076), it is not relied on to explicitly disclose but Buruganahalli discloses wherein the steps further include performing Deep Packet Inspection (DPI) on each of the plurality of packets in a same session (Various techniques described herein can also be applied to efficiently handle a session resumption (e.g., resumption of an SSL/TLS session) that does not involve any server certificate exchange.  For example, in such a scenario it can be challenging to determine the domain name unless the data communications of that resumed session are decrypted.  Using the techniques described herein allow for the resumed session to be associated with a destination domain without requiring decryption of such data communications.  For example, in the case of a session resumption, there is a client hello message followed by server hello but no certificate is provided from the server (e.g., as it was previously sent to the client at the previous handshake for the initial session setup) – Buruganahalli (provisional): par. 0033 – Note: Stateful firewalls can also perform stateful-based packet inspection in which each packet is examined within the context of a series of packets associated with that network transmission's flow of packets/packet flow (e.g., stateful firewalls or third generation firewalls) – Buruganahalli (provisional): par. 0021, wherein stateful-based packet inspection is inherently performed on packets within flow of an existing/same session); and 
determining an application associated with the same session based on the DPI As also shown in FIG. 1, an application signature check engine 108 identifies an application (e.g., using an APP-ID engine using various application signatures for identifying applications based on packet flow analysis).  For example, APP-ID engine 108 can be configured to determine what type of traffic the session involves, such as HTTP traffic, HTTPS traffic, SSL/TLS traffic, SSH traffic, DNS requests, FTP traffic, unknown traffic, and various other types of traffic, and such classified traffic can be directed to an appropriate decoder, such as decoders 112, 114, and 116, to decode the classified traffic for each monitored session's traffic flow – Buruganahalli (provisional): par. 0047).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan-Dumitriu further in view of Buruganahalli to include wherein the steps further include performing Deep Packet Inspection (DPI) on each of the plurality of packets in a same session; and determining an application associated with the same session based on the DPI.
One of ordinary skill in the art would have been motivated because it would allow “to securely enable application usage using business-relevant concepts, instead of following the traditional approach offered by traditional port-blocking firewalls” – par: 0021 and further allow “facilitating deep packet inspection of the session traffic, which can include unencrypted and possibly encrypted data communications associated with the session using a secure protocol, such as SSL/TLS” – par. 0044.

Per claims 8 and 18, Natarajan-Dumitriu discloses features of claims 1 and 11.
Although Natarajan discloses security policies based on location (Note: see rejection of claim 2), it is not relied on to disclose but Natarajan-Dumitriu further in view of Buruganahalli discloses wherein the firewall policies are security policies based on user identity application awareness, and location (As shown in FIG. 1, network traffic monitoring begins at 102.  An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis.  In some embodiments, user identification is then determined (e.g., user ID can be deduced based on the source IP address).  A policy check engine 106 determines whether any policies can be applied based on the IP address and port number.  As also shown in FIG. 1, an application signature check engine 108 identifies an application (e.g., using an APP-ID engine using various application signatures for identifying applications based on packet flow analysis).  For example, APP-ID engine 108 can be configured to determine what type of traffic the session involves, such as HTTP traffic, HTTPS traffic, SSL/TLS traffic, SSH traffic, DNS requests, FTP traffic, unknown traffic, and various other types of traffic, and such classified traffic can be directed to an appropriate decoder, such as decoders 112, 114, and 116, to decode the classified traffic for each monitored session's traffic flow – Buruganahalli (provisional): par. 0047).
Therefore, claims 8 and 18 are rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 4 above. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Duke (US9252972) discloses a local policy engine interacting with an external policy server to receive policies using software defined networking (SDN) protocol as if the data plane of the network device were directly exposed to the external policy server by the SDN protocol. A flow control unit receives an inbound packet and selectively directs the packet along fast path to forwarding ASICs for immediate forwarding or along slow path for additional analysis by service cards. Service cards include a DPI module that installs a filter within flow control unit to specify that subsequent packets of the packet flow session after a first inbound packet is processed through the slow path, may be processed on fast path that bypasses DPI module.
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim can be reached on 571 - 272 - 3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AREZOO SHERKAT/Examiner, Art Unit 2494