Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
This communication is responsive to the application # 16/239,492 filed on January 03, 2019. An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with JASON AMSEL (R# 60650) on 06/08/2022 (see attached interview summary).
The application has been amended as follows:
1.	A method for reducing a number of firewall rules for enforcing a segmentation policy, the method comprising:
obtaining, at an enforcement module of a distributed firewall system, initial management instructions for controlling communications of a target workload executing on an operating system instance of a computing device, the initial management instructions comprising:
(a) an initial set of rules, wherein each rule specifies:
(i) at least one group of workloads permitted to communicate with the target workload under the rule, and 
(ii) a constraint on the communications between the target workload and the at least one group of workloads associated with the rule, and 
(b) initial membership information providing, for respective groups of workloads in the initial set of rules, a set of workload identifiers having membership in each of the respective groups of workloads;
identifying, in the initial set of rules, unique constraints on communications of the target workload with the respective groups of workloads;
collapsing the initial set of rules into a reduced set of rules that combines groups of workloads referenced in rules having common constraints into combined groups of workloads each associated with only one of the unique constraints;
generating, from the initial membership information and the combined groups, a reduced set of group identifiers that each represent a unique group of workloads;
re-mapping the reduced set of rules to the reduced set of group identifiers; and
configuring, by the enforcement module, a firewall executing on the operating system instance according to the re-mapped rules to enforce the segmentation policy with respect to traffic to and from the target workload.  
2.	The method of claim 1, wherein the initial set of rules comprises at least a first initial rule referencing a first group of workloads permitted to communicate with the target workload in accordance with a first connection constraint, and a second initial rule referencing a second group of workloads permitted to communicate with the target workload in accordance with a second connection constraint, wherein generating the reduced set of rules comprises:
determining that the first connection constraint and the second connection constraint are a matching connection constraint;
collapsing the first initial rule and the second initial rule into a collapsed rule specifying the matching connection constraint and specifying that a union of the first group of workloads and the second group of workloads are permitted to communicate with the target workload in accordance with the matching connection constraint; and
replacing the first initial rule and the second initial rule with the collapsed rule in the reduced set of rules.
3.	The method of claim 2, wherein the first connection constraint comprises a first port and protocol and wherein the second connection constraint comprises a second port and protocol matching the first port and protocol.  
4.	The method of claim 1, wherein the membership information comprises at least a first group of workload identifiers for workloads in a first workload group and a second group of workload identifiers for workloads in a second workload group, wherein generating the reduced set of group identifiers comprises:
determining that the first group of workload identifiers and the second group of workload identifiers are a matching set of workload identifiers; and
assigning a unique group identifier to the matching set of workload identifiers.  
5.	The method of claim 4, wherein determining that the first group of workload identifiers and the second group of workload identifiers are a matching set of workload identifiers comprises:
removing first redundant workload identifiers within the first set of workload identifiers and ordering the first set of workload identifiers according to predefined ordering rules to generate a first processed set of workload identifiers;
removing second redundant workload identifiers within the second set of workload identifiers and ordering the second set of workload identifiers according to the predefined ordering rules to generate a second processed set of workload identifiers; and
comparing the first processed set of workload identifiers to the second processed set of workload identifiers to identify the matching set of workloads.
6.	The method of claim 5, wherein comparing the first processed set of workload identifiers to the second processed set of workload identifiers comprises:
computing a first hash of the first processed set of workload identifiers; 
computing a second hash of the second processed set of workload identifiers; and
comparing the first hash to the second hash to identify the matching set of workloads.  
7.	A method for optimizing management instructions for enforcing a segmentation policy, the method comprising:
receiving, by an enforcement agent executing on an operating system instance of a computing device, an initial rule set for enforcing the segmentation policy with respect to a target workload by a local firewall of a distributed firewall, the initial rule set including:
a first initial rule permitting communications between a first group of workloads with the target workload executing on the operating system instance in accordance with a first connection constraint, and 
a second initial rule permitting communications between a second group of workloads with the target workload executing on the operating system instance in accordance with a second connection constraint;
receiving, by the enforcement agent, first membership information specifying a first set of workload identifiers having membership in the first group of workloads, second membership information specifying a second set of workload identifiers having membership in the second group of workloads; 
processing the first membership information and the second membership information to determine that the first set of workload identifiers and the second set of workload identifiers are a matching set of workload identifiers;
assigning a unique group identifier to the matching set of workload identifiers;
generating from the initial rule set, a simplified first rule and a simplified second rule each referencing the unique group identifier for the matching set of workload identifiers; and
configuring, by the enforcement module, the local firewall executing on the operating system instance to enforce the reduced rule set with respect to traffic to and from the target workload. 
8.	The method of claim 7, wherein processing the first membership information and the second membership information comprises:
removing first redundant workload identifiers within the first set of workload identifiers and ordering the first set of workload identifiers according to predefined ordering rules to generate a first processed set of workload identifiers;
removing second redundant workload identifiers within the second set of workload identifiers and ordering the second set of workload identifiers according to the predefined ordering rules to generate a second processed set of workload identifiers; and
comparing the first processed set of workload identifiers to the second processed set of workload identifiers to identify the matching set of workloads.
9.	The method of claim 8, wherein comparing the first processed set of workload identifiers to the second processed set of workload identifiers comprises:
computing a first hash of the first processed set of workload identifiers; 
computing a second hash of the second processed set of workload identifiers; and
comparing the first hash to the second hash to identify the matching set of workloads.  
10.	The method of claim 7, further comprising:
determining that the first connection constraint and the second connection constraint are a matching connection constraint;
collapsing the first rule and the second rule into a collapsed rule specifying the matching connection constraint and specifying that a union of the first group of workloads and the second group of workloads are permitted to communicate with the operating system instance in accordance with the matching connection constraint.
11.	The method of claim 7, wherein the first connection constraint comprises a first port and protocol and wherein the second connection constraint comprises a second port and protocol.  
12.	A method for simplifying a firewall rule set for enforcing a segmentation policy, the method comprising:
receiving, by an enforcement agent executing on an operating system instance of a computing device, an initial rule set for enforcing the segmentation policy with respect to a target workload by a local firewall of a distributed firewall, the initial rule set including:
a first initial rule permitting communications between a first group of workloads with the target workload executing on the operating system instance in accordance with a first connection constraint, and 
a second initial rule permitting communications between a second group of workloads permitted to communicate with the target workload in accordance with a second connection constraint;
receiving, by the enforcement agent, first membership information specifying a first set of workload identifiers having membership in the first group of workloads and second membership information specifying a second set of workload identifiers having membership in the second group of workloads; 
determining that the first connection constraint and the second connection constraint are a matching connection constraint;
collapsing the first initial rule and the second initial rule into a collapsed rule specifying the matching connection constraint and specifying that a union of the first group of workloads and the second group of workloads are permitted to communicate with the target workload in accordance with the matching connection constraint;
generating from the initial rule set, a reduced rule set that replaces the first initial rule and the second initial rule with the collapsed rule; and
configuring, by the enforcement module, the local firewall executing on the operating system instance to enforce the reduced rule set with respect to traffic to and from the target workload. 
13.	(Currently Amended) The method of claim 12, further comprising:
processing the first membership information and the second membership information to determine that the first set of workload identifiers and the second set of workload identifiers are a matching set of workload identifiers;
assigning a unique group identifier to the matching set of workload identifiers[[;]].
14.	The method of claim 12, wherein the first connection constraint comprises a first port and protocol and wherein the second connection constraint comprises a second port and protocol.  
15.	A non-transitory computer-readable storage medium storing instructions for reducing a number of firewall rules for enforcing a segmentation policy, the instructions when executed by a processor causing the processor to perform steps including:
obtaining, at an enforcement module of a distributed firewall system, initial management instructions for controlling communications of a target workload executing on an operating system instance of a computing device, the initial management instructions comprising:
(a) an initial set of rules, wherein each rule specifies:
(i) at least one group of workloads permitted to communicate with the target workload under the rule, and 
(ii) a constraint on the communications between the target workload and the at least one group of workloads associated with the rule, and 
(b) initial membership information providing, for respective groups of workloads in the initial set of rules, a set of workload identifiers having membership in each of the respective groups of workloads;
identifying, in the initial set of rules, unique constraints on communications of the target workload with the respective groups of workloads;
collapsing the initial set of rules into a reduced set of rules that combines groups of workloads referenced in rules having common constraints into combined groups of workloads each associated with only one of the unique constraints;
generating, from the initial membership information, a reduced set of group identifiers that each represent a unique group of workloads;
re-mapping the reduced set of rules to the reduced set of group identifiers; and
configuring, by the enforcement module, a firewall executing on the operating system instance according to the re-mapped rules to enforce the segmentation policy with respect to traffic to and from the target workload.  
16.	The non-transitory computer-readable storage medium of claim 15, wherein the initial set of rules comprises at least a first initial rule referencing a first group of workloads permitted to communicate with the target workload in accordance with a first connection constraint, and a second initial rule referencing a second group of workloads permitted to communicate with the target workload in accordance with a second connection constraint, wherein generating the reduced set of rules comprises:
determining that the first connection constraint and the second connection constraint are a matching connection constraint;
collapsing the first initial rule and the second initial rule into a collapsed rule specifying the matching connection constraint and specifying that a union of the first group of workloads and the second group of workloads are permitted to communicate with the target workload in accordance with the matching connection constraint; and
replacing the first initial rule and the second initial rule with the collapsed rule in the reduced set of rules.
17.	The non-transitory computer-readable storage medium of claim 16, wherein the first connection constraint comprises a first port and protocol and wherein the second connection constraint comprises a second port and protocol matching the first port and protocol.  
18.	The non-transitory computer-readable storage medium of claim 15, wherein the membership information comprises at least a first group of workload identifiers for workloads in a first workload group and a second group of workload identifiers for workloads in a second workload group, wherein generating the reduced set of group identifiers comprises:
determining that the first group of workload identifiers and the second group of workload identifiers are a matching set of workload identifiers; and
assigning a unique group identifier to the matching set of workload identifiers.  
19.	(Canceled)
20.	(Currently Amended) The non-transitory computer-readable storage medium of [[19]] 18, wherein determining that the first group of workload identifiers and the second group of workload identifiers are a matching set of workload identifiers comprises:
removing first redundant workload identifiers within the first set of workload identifiers and ordering the first set of workload identifiers according to predefined ordering rules to generate a first processed set of workload identifiers;
removing second redundant workload identifiers within the second set of workload identifiers and ordering the second set of workload identifiers according to the predefined ordering rules to generate a second processed set of workload identifiers; and
comparing the first processed set of workload identifiers to the second processed set of workload identifiers to identify the matching set of workloads, wherein comparing the first processed set of workload identifiers to the second processed set of workload identifiers comprises:
computing a first hash of the first processed set of workload identifiers; 
computing a second hash of the second processed set of workload identifiers; and
comparing the first hash to the second hash to identify the matching set of workloads.  
21.	The method of claim 1, wherein generating the reduced set of group identifiers that each represent a unique group of workloads comprises:
computing respective hashes for each of the respective groups of workloads from the set of workload identifiers;
identifying matching hashes;
generating the reduced set of group identifiers by combining groups with the matching hashes.
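The claims above describe one reduction procedure from several angles: collapse rules that share a connection constraint into one rule over the union of their groups (claims 1, 2, 10, 12), then deduplicate and order each group's workload identifiers, hash the result, and assign one group identifier per unique member set (claims 4 to 6, 8, 9, 20, 21), and finally re-map the collapsed rules onto those identifiers before programming the host firewall. The Python below is an added illustration written for this page; it is not code from the application, the applicant, or the examiner. The data model (`Rule`, `Constraint`, a membership dictionary), lexicographic ordering as the "predefined ordering rule", SHA-256 over NUL-separated identifiers as the hash, the `G1`, `G2`, ... identifier scheme, and the sample rules and membership lists are all constructed assumptions.

```python
"""Firewall rule reduction as described in the claims (added illustration).

Assumptions: Rule/Constraint model, lexicographic ordering, SHA-256 group
fingerprint and the constructed sample input are all choices made here,
not details taken from the application.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Constraint:
    """Connection constraint of a rule: a port and protocol."""
    port: int
    protocol: str


@dataclass(frozen=True)
class Rule:
    """One initial rule: groups permitted to reach the target, plus its constraint."""
    groups: Tuple[str, ...]
    constraint: Constraint


def processed_members(members: Sequence[str]) -> Tuple[str, ...]:
    """Remove redundant identifiers and order them (assumed rule: lexicographic)."""
    return tuple(sorted(set(members)))


def fingerprint(processed: Tuple[str, ...]) -> str:
    """Hash a processed identifier set so matching sets compare by hash.
    The NUL separator keeps ("ab", "c") and ("a", "bc") from colliding."""
    h = hashlib.sha256()
    for wid in processed:
        h.update(wid.encode("utf-8"))
        h.update(b"\x00")
    return h.hexdigest()


def collapse_rules(rules: Sequence[Rule]) -> Dict[Constraint, Tuple[str, ...]]:
    """Identify the unique constraints; rules sharing a constraint are
    collapsed into one combined group (the union of their groups)."""
    combined: Dict[Constraint, set] = {}
    for rule in rules:
        combined.setdefault(rule.constraint, set()).update(rule.groups)
    return {c: tuple(sorted(groups)) for c, groups in combined.items()}


def reduce_group_ids(collapsed, membership):
    """Resolve each combined group to its members, dedupe/sort/hash them,
    and assign one group identifier per unique member set."""
    id_by_hash: Dict[str, str] = {}
    members_by_id: Dict[str, Tuple[str, ...]] = {}
    gid_for_constraint: Dict[Constraint, str] = {}
    for constraint, groups in collapsed.items():
        union: List[str] = []
        for g in groups:
            union.extend(membership.get(g, ()))
        processed = processed_members(union)
        fp = fingerprint(processed)
        if fp not in id_by_hash:              # first time this member set is seen
            gid = f"G{len(id_by_hash) + 1}"
            id_by_hash[fp] = gid
            members_by_id[gid] = processed
        gid_for_constraint[constraint] = id_by_hash[fp]
    return gid_for_constraint, members_by_id


def reduce_rules(rules, membership):
    """Full pipeline: collapse, assign group ids, re-map rules to those ids."""
    collapsed = collapse_rules(rules)
    gid_for_constraint, members_by_id = reduce_group_ids(collapsed, membership)
    remapped = sorted(
        ((gid, c) for c, gid in gid_for_constraint.items()),
        key=lambda item: (item[0], item[1].port, item[1].protocol),
    )
    return remapped, members_by_id


def render_firewall(remapped, members_by_id):
    """Illustrative allow lines a host-level enforcement agent could program."""
    return [
        f"allow {c.protocol}/{c.port} from {gid}[{','.join(members_by_id[gid])}]"
        for gid, c in remapped
    ]


def sample_input():
    """Constructed sample: two rules share 443/tcp, and two differently named
    groups have identical membership (one with a duplicate identifier)."""
    membership = {
        "web": ["w1", "w2", "w2"],
        "web-copy": ["w2", "w1"],
        "api": ["a1", "a2"],
        "db-clients": ["a2", "a1"],
    }
    rules = [
        Rule(("web",), Constraint(443, "tcp")),
        Rule(("web-copy",), Constraint(443, "tcp")),
        Rule(("api",), Constraint(8080, "tcp")),
        Rule(("db-clients",), Constraint(5432, "tcp")),
    ]
    return rules, membership


if __name__ == "__main__":
    rules, membership = sample_input()
    remapped, members_by_id = reduce_rules(rules, membership)
    print(f"{len(rules)} rules / {len(membership)} groups -> "
          f"{len(remapped)} rules / {len(members_by_id)} group ids")
    for line in render_firewall(remapped, members_by_id):
        print(line)
```

On the constructed input the four initial rules over four named groups reduce to three rules over two group identifiers: the two 443/tcp rules collapse into one, and `api` and `db-clients` receive the same identifier because their deduplicated, ordered member lists hash identically. The NUL separator in `fingerprint` matters for the hash-comparison step in claims 6, 9 and 20: hashing a plain concatenation would let two different identifier sets produce the same hash and therefore be wrongly merged into one firewall group.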
Allowable Subject Matter
Claims 1-18, 20 and 21 are allowed.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on Monday-Friday 7:30am - 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/OLEG KORSAK/
Primary Examiner, Art Unit 2492