DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This communication is in response to applicant's amendment filed on 04/21/2022. Claims 1-5, 7-12, 14-19 and 21-23 are presently pending for examination. Claims 1, 8 and 15 are amended. Claims 6, 13 and 20 are canceled. Claims 21-23 are newly added.

Response to Arguments
Claim Rejections - 35 U.S.C. § 103:
Applicants’ arguments with respect to claims rejected under prior art have been fully considered, and the rejections under 35 U.S.C. § 103 have been withdrawn in view of the examiner’s amendment to the claims.


EXAMINER’S AMENDMENT
An examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner's amendment was given in a telephone interview with Attorney Jason E. Amsel (Reg. No. 60,650) on 05/02/2022. 

The application has been amended as follows:

Please replace claim 1 with:
1. (Currently amended)  A method for managing enforcement of a segmentation policy, comprising:
storing, at a policy management server, a segmentation policy comprising a set of segmentation rules that specify a white list of permissible connections between workloads providing or consuming network-based services;
storing, at the policy management server, an enforcement policy that specifies at least a first group of services for operating in a test state and at least a second group of services for operating in an enforced state;
generating, based on the segmentation policy, segmentation policy instructions for causing an enforcement module to configure one or more traffic filters with a first set of filtering rules that allow traffic associated with the first or second group of services meeting the segmentation rules of the segmentation policy;
generating, based on the enforcement policy, enforcement policy instructions for causing the enforcement module to configure the one or more traffic filter with a first default filtering rule to allow traffic associated with the first group of services that fails to meet any of the first set of filtering rules, and a second default filtering rule to block traffic associated with the second group of services that fails to meet any of the first set of filtering rules; 
distributing over a network, the segmentation policy instructions and the enforcement policy instructions to the enforcement module executing remotely from the policy management server;
receiving over the network from the enforcement module, first traffic data meeting the first set of filtering rules as allowed traffic;
receiving over the network from the enforcement module, second traffic data meeting the first default filtering rule as unenforced impermissible traffic; 
receiving, over the network from the enforcement module, third traffic data meeting the second default filtering rule as blocked traffic; and
generating a traffic flow graph representing the allowed traffic, the unenforced impermissible traffic, and the blocked traffic as visually distinguishable lines.

Please replace claim 8 with:
8. (Currently Amended) A non-transitory computer-readable storage medium storing instructions for managing enforcement of a segmentation policy, the instructions when executed causing one or more processors to perform steps including:
storing, at a policy management server, a segmentation policy comprising a set of segmentation rules that specify a white list of permissible connections between workloads providing or consuming network-based services;
storing, at the policy management server, an enforcement policy that specifies at least a first group of services for operating in a test state and at least a second group of services for operating in an enforced state;
generating, based on the segmentation policy, segmentation policy instructions for causing an enforcement module to configure one or more traffic filters with a first set of filtering rules that allow traffic associated with the first or second group of services meeting the segmentation rules of the segmentation policy;
generating, based on the enforcement policy, enforcement policy instructions for causing the enforcement module to configure the one or more traffic filter with a first default filtering rule to allow traffic associated with the first group of services that fails to meet any of the first set of filtering rules, and a second default filtering rule to block traffic associated with the second group of services that fails to meet any of the first set of filtering rules; 
distributing over a network, the segmentation policy instructions and the enforcement policy instructions to the enforcement module executing remotely from the policy management server;
receiving over the network from the enforcement module, first traffic data meeting the first set of filtering rules as allowed traffic;
receiving over the network from the enforcement module, second traffic data meeting the first default filtering rule as unenforced impermissible traffic; 
receiving, over the network from the enforcement module, third traffic data meeting the second default filtering rule as blocked traffic; and
generating a traffic flow graph representing the allowed traffic, the unenforced impermissible traffic, and the blocked traffic as visually distinguishable lines.

Please replace claim 15 with:
15. (Currently Amended) A computer system comprising:
one or more processors; and
a non-transitory computer-readable storage medium storing instructions for managing enforcement of a segmentation policy, the instructions when executed causing the one or more processors to perform steps including:
storing, at a policy management server, a segmentation policy comprising a set of segmentation rules that specify a white list of permissible connections between workloads providing or consuming network-based services;
storing, at the policy management server, an enforcement policy that specifies at least a first group of services for operating in a test state and at least a second group of services for operating in an enforced state;
generating, based on the segmentation policy, segmentation policy instructions for causing an enforcement module to configure one or more traffic filters with a first set of filtering rules that allow traffic associated with the first or second group of services meeting the segmentation rules of the segmentation policy;
generating, based on the enforcement policy, enforcement policy instructions for causing the enforcement module to configure the one or more traffic filter with a first default filtering rule to allow traffic associated with the first group of services that fails to meet any of the first set of filtering rules, and a second default filtering rule to block traffic associated with the second group of services that fails to meet any of the first set of filtering rules; 
distributing over a network, the segmentation policy instructions and the enforcement policy instructions to the enforcement module executing remotely from the policy management server;
receiving over the network from the enforcement module, first traffic data meeting the first set of filtering rules as allowed traffic;
receiving over the network from the enforcement module, second traffic data meeting the first default filtering rule as unenforced impermissible traffic; 
receiving, over the network from the enforcement module, third traffic data meeting the second default filtering rule as blocked traffic; and
generating a traffic flow graph representing the allowed traffic, the unenforced impermissible traffic, and the blocked traffic as visually distinguishable lines.


Please cancel claim 21;

Please cancel claim 22;

Please cancel claim 23;


Allowable Subject Matter
Claims 1-5, 7-12, 14-19 are allowed.
The following is an examiner's statement of reasons for allowance:

The independent claim(s) and their respective dependent claims are allowable over the prior art, since the prior art, taken individually or in combination, fails to particularly disclose, fairly suggest or render obvious the following italicized limitations:

In regards to claim(s) 1, 8 and 15, the prior art of record (Kung et al. (US 2018/0234459 A1; hereinafter Kung) in view of Fainberg et al. (US 2020/0296139 A1; hereinafter Fainberg)) does not disclose:

“distributing over a network, the segmentation policy instructions and the enforcement policy instructions to the enforcement module executing remotely from the policy management server;
receiving over the network from the enforcement module, first traffic data meeting the first set of filtering rules as allowed traffic;
receiving over the network from the enforcement module, second traffic data meeting the first default filtering rule as unenforced impermissible traffic; 
receiving, over the network from the enforcement module, third traffic data meeting the second default filtering rule as blocked traffic; and
generating a traffic flow graph representing the allowed traffic, the unenforced impermissible traffic, and the blocked traffic as visually distinguishable lines.” in combination with other limitations recited as specified in the independent claim(s). 

Rather, Kung discloses “securing computer networks against unauthorized access” ([0003-0006], [0069], [0150], and [0229]). Similarly, Fainberg teaches “only allow the device to communicate with anti-virus definitions” ([0010-0011] and [0090]). Accordingly, the claims are allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw, can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHENG-FENG HUANG/Primary Examiner, Art Unit 2497