DETAILED ACTION

The present application is being examined under the pre-AIA  first to invent provisions. 

General Remarks
-Claims 1, 8 and 15 are independent
-Claims 1-20 are pending
-Previous IDS has been considered
-112 A rejection is not withdrawn

Response to Arguments
Applicant’s arguments, filed 03/21/2022, with respect to the rejection(s) of claim(s)  1, 8, and 15 under the combination of prior arts  have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Pillay-Esnault (US pg. no. 20180343236).
-The other prior arts previously used are being relied up on for other limitations.
-Regarding 112 a rejection,  applicant`s argument is not persuasive. For support for the following limitations such as: 
“receiving data from a first edge node of a network fabric at the network element out of a data path of the data…” 
“instructions for implementing topology agnostic security functions outside of the data path of the data received from the first edge node…”
“providing the processed data to a second edge node of the network fabric that is in the data path of the data…”
	Applicant argued that support is provided in [0070], [0072], and [0109].
	 in relation to the limitation “receiving data from a first edge node of a network fabric at the network element out of a data path of the data…”, applicant argued that the Specification [0109] recites “the service instructions can include at least one of security functions or instructions for redirecting network traffic.” However, this is a generic statement where nowhere in the specification that equates sending data out of a data path and redirecting or explicitly indicating the relationship between the two. The only place data path mentioned is in [0070] that is ““The security functions need not be in a packet path, but can be hosted in physical or virtual form factors on premise” where it lacks providing written description support for the above limitation. 
-Further, and in relation to the limitation “providing the processed data to a second edge node of the network fabric that is in the data path of the data…”, the applicant argued that the specification in [0072] recites “another tunnel can be set up between the cloud and the fabric border node such that all of the security-processed traffic can be sent back without losing context that may be required.” However, again there is nowhere in the specification that recites using tunnel corresponds to communicating data in a data path. Applicant tends to use piecemeal recitation of content from the disclosure to provide written description support where the recitations are not explicit indication and description of the limitation; however, for written description support see 35 USC § 112  states that “The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected” (see 35 USC § 112).



Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a)  IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1, 8, and 15 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement.  The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for pre-AIA  the inventor(s), at the time the application was filed, had possession of the claimed invention.  
Claims 1, 8, and 15 includes:
“receiving data from a first edge node of a network fabric at the network element out of a data path of the data…” 
“instructions for implementing topology agnostic security functions outside of the data path of the data received from the first edge node…”
“providing the processed data to a second edge node of the network fabric that is in the data path of the data…”
where these are limitations that does not have support in the specification at the time the application was filed.
The instant application in [0070] discloses 
	“The security functions need not be in a packet path, but can be hosted in physical or virtual form factors on premise”. This is the only description in the disclosure with regard to packet path that does not correspond to the scope and detail of the above claim limitations.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 1-2, 4-9, 11-16, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Pillay-Esnault (US pg. no. 20180343236), further in view of Trustsec “Cisco TrustSec Configuration Guide, Cisco IOS XE Amsterdam 17.3.x”, further in view of Ahmed (US pg. no. 20200274852).
	Regarding claim 1. Pillay-Esnault discloses a computer-implemented method comprising:
	 receiving data from a first edge node (fig. 1, 160) of a network fabric at the network element (fig. 1, 123 firewall) out of a data path of the data and the data is redirected out of the data path to the network element according to the service instructions ( [0058] discloses  The Tx 225 of the sending host entity 160 (edge node 1)  may transmit data packets to firewalls 123 (network element). In light of the disclosure of the instant application indicated in figure 6, the communication of data from edge node 1 to firewall that is indicated by line3 and from firewall to edge node 2 indicated by line 6 to enable the devices communicate through the firewall instead of direct link between the devices that corresponds to out of a data path of the data. The direct connection between devices corresponds to direct data path. Similarly Pillay-Esnault discloses connection of the two devices, node 150 and 160,  indirectly through the firewall 123 that corresponds to out of a data path of the data; [0053] discloses  the receiving host entity 150 (edge node 2) may advertise firewall policies that indicate whether to forward a data packet from a sending host entity 160 to a receiving host entity 150. In an embodiment, the firewall policy may be an identity based firewall policy indicating that data packets from entities having certain identities should be dropped before being received by the receiving host entity 150… The distributed mapping system 130 or the receiving host entity 150 may send the firewall policies to one or more associated firewalls 123. A firewall device 123 positioned closer to the sending host entity 160 may be configured to perform firewalling according to firewall policies (service instruction) of the receiving host entity 150);
	processing the data received from the first edge node at the network element according to the service instructions regarding the network function ([0060] discloses The firewall module 260 of the firewall device 123 may be configured to determine whether to pass or drop data packets destined for the receiving host entity 150 based on the firewall policies 290  (service instructions) of the receiving host entity 150. For example, the firewall module 260 may block locator requests from being passed to the distributed mapping system 130 when a firewall policy 290 indicates that the sending host entity 160 is not permitted to communicate with the receiving host entity 150 identified by the locator request.), 
	providing the processed data from the network element to a second edge node  (fig. 1, 150)  of the network fabric that is in the data path of the data based on the service instructions ([0060] discloses The firewall module 260 of the firewall device 123 may be configured to determine whether to pass or drop data packets destined for the receiving host entity 150 based on the firewall policies 290 of the receiving host entity 150. For example, the firewall module 260 may block locator requests from being passed to the distributed mapping system 130 when a firewall policy 290 indicates that the sending host entity 160 is not permitted to communicate with the receiving host entity 150 identified by the locator request. The Tx 225 of the firewall device 123 may forward the data packet to the receiving host entity 150 (second edge node) when the firewall policy 290 of the receiving host entity permits receiving packets from a sending host entity 160).
	But, Pillay-Esnault does not explicitly disclose: wherein the service instructions include instructions for implementing topology agnostic security functions to data received from the first edge node;
	However, in the same field of endeavor Pillay-Esnault discloses wherein the service instructions include instructions for implementing topology agnostic security functions to data received from the first edge node (SGACL Policies, discloses by assigning users and devices within the network to security groups (service instruction policy) and applying access control between the security groups, Cisco TrustSec achieves role-based topology-independent access control within the network. Because SGACLs define access control policies based on device identities instead of IP addresses as in traditional ACLs, network devices are free to move throughout the network and change IP addresses. As long as the roles and the permissions remain the same, changes to the network topology do not change the security policy. When a user is added to the device, you simply assign the user to an appropriate security group and the user immediately receives the permissions of that group; fig. 4 discloses the host is not directly linked with Cisco TrustSec egress device that receives SGT tag about the host. Taking broadest reasonable interpretation in light of the disclosure, TrustSec egress device that receives SGT tag about the host that is not directly linked corresponds to receiving communication outside of the data path; the web server is directly connected to Cisco TrustSec egress device  that corresponds to in the data path); 
	Therefore, it would have been obvious to a person having ordinary skill in the art ate the time of the invention was effectively filed to combine the teaching of Pillay-Esnault with Trustesec. The modification would allow topology intendent security where devices security would not be limited by the devices address identifier or location as a result enabling effective security system.
	But, the combination does not explicitly disclose: receiving service instructions from a client regarding a network function at a network element, the service instructions including a table of network policies and rules; 
	However, in the same field of endeavor, Ahmed discloses receiving service instructions from a client regarding a network function at a network element, the service instructions including a table of network policies and rules ([0038] discloses Security management system 34 may push the one or more configured security policies (service instruction) to perimeter firewall (network element) 35 such that perimeter firewall 35 may apply the security policies at the perimeter level of data center 10. That is, perimeter firewall 35 may apply the security policies for the cluster of VMs originally identified in the security group information; [0039] discloses by obtaining security group information configured for a virtual firewall and configuring the perimeter firewall based on security group information, the network security for the virtual network is bridged with the network security for the physical network. Moreover, by implementing the techniques described herein, a perimeter firewall may dynamically apply security policies for a security group regardless of whether the virtual machines have changed location; [0045] discloses in response configuring the one or more security policies, firewall configuration module 57 may direct policy deployment engine 56 to deploy the configured one or more security policies to perimeter firewall 35);
Therefore, it would have been obvious to a person having ordinary skill in the art at the time of the invention was effectively filed to combine the teaching of the combination with Ahmed. The modification would allow a system to flexibly configure firewall using security group information policies to enable topology agnostic access control system to ensure security of services independent of topology of the device.


		Regarding claim 2.    The combination discloses the computer-implemented method of claim 1.
Trustsec further discloses, wherein the service instructions includes instructions for redirecting network traffic (The Cisco TrustSec ingress device modifies the packet to add an SGT with security group number 3, the security group number assigned by the authentication server for the host PC. The Cisco TrustSec egress device enforces the SGACL policy that applies to source group 3 and destination group 4, the security group number assigned by the authentication server for the web server. Forwarding traffic based on enforcing firewall policy corresponds to re-directing).
Regarding claim 4.    The combination discloses computer-implemented method of claim 1.
Trustsec discloses, wherein the network element is at least one of a fabric border node of the network fabric or a firewall (fig. 4 discloses Trustsec egress firewall).
		Regarding claim 5.    The combination discloses computer-implemented method of claim 1.
		Ahmed discloses, further comprising providing instructions to routers of the network fabric based on the service instructions regarding the network function (fig. 3 discloses inbound traffic enters firewall 300; policy engine process access control and the data is forwarded to outbound traffic. The routers subsequent to the firewall corresponds to router receiving firewall instruction to direct data to destination).
Regarding claim 6.    The combination discloses computer-implemented method of claim 1.
Trustsec discloses, further comprising providing the data from the first edge node of the network fabric to a firewall designated in the service instructions (fig. 4 discloses the Trustsec ingress firewall sends data to Trustsec egress firewall).
		Regarding claim 7.    The combination discloses computer-implemented method of claim 6.
		Trustsec discloses, wherein the firewall applies security functions included in the service instructions (Ingress Tagging and Egress Enforcement discloses The Cisco TrustSec egress device enforces the SGACL policy (processing according to service instruction) that applies to source group 3 and destination group 4, the security group number assigned by the authentication server for the web server. If the SGACL allows the packet to be forwarded, the Cisco TrustSec egress switch modifies the packet to remove the SGT and forwards the packet to the web server).
		Regarding claim 8, Trustsec discloses a system comprising:
		 one or more processor (fig. 4 Trustsec ingress node (firewall)); and 
		At least one computer-readable storage medium having stored therein instructions (fig. 4 Trustsec ingress node (firewall)) which, when executed by the one or more processors, cause the system to:
		All other limitations of claim 8 are similar with the limitations of claim 1 above. Claim 8 is rejected on the analysis of claim 1 above.
		Regarding claim 9, the combination discloses the system of claim 8.
		All other limitations of claim 9 are similar with the limitations of claim 2 above. Claim 9 is rejected on the analysis of claim 2 above.
		Regarding claim 11, the combination discloses the system of claim 8.
		All other limitations of claim 11 are similar with the limitations of claim 4 above. Claim 9 is rejected on the analysis of claim 4 above.
		Regarding claim 12, the combination discloses the system of claim 8.
		All other limitations of claim 12 are similar with the limitations of claim 5 above. Claim 12 is rejected on the analysis of claim 5 above.
		Regarding claim 13, the combination discloses the system of claim 13.
		All other limitations of claim 13 are similar with the limitations of claim 6 above. Claim 13 is rejected on the analysis of claim 6 above.


		Regarding claim 14, the combination discloses the system of claim 8.
		All other limitations of claim 14 are similar with the limitations of claim 7 above. Claim 14is rejected on the analysis of claim 7 above.
Regarding claim 15, the combination discloses a non-transitory computer-readable storage medium comprising:
instructions stored on the non-transitory computer-readable storage medium, the instructions, when executed by one or more processors (fig. 4 discloses Trustsec ingress node (firewall)), cause the one or more processors to:
All other limitations of claim 15 are similar with the limitations of claim 1 above. Claim 15 is rejected on the analysis of claim 1 above.
		Regarding claim 16, the combination discloses non-transitory computer readable storage medium of claim 15.
		All other limitations of claim 16 are rejected on the analysis of claim 2 above.
		Regarding claim 18, the combination discloses non-transitory computer readable storage medium of claim 15.
		All other limitations of claim 18 are rejected on the analysis of claim 4 above.
		Regarding claim 19, the combination discloses non-transitory computer readable storage medium of claim 15.
		All other limitations of claim 19 are rejected on the analysis of claim 5 above.
		Regarding claim 20, the combination discloses non-transitory computer readable storage medium of claim 15.
Trustsec discloses wherein the instructions, when executed by one or more processors, cause the one or more processors to provide the data from the first edge node of the network fabric to a firewall designated in the service instructions (fig. 4 discloses host sends data to Trustsec egress (firewall) through Trustsec ingress), wherein the firewall applies security functions included in the service instructions (Ingress Tagging and Egress Enforcement discloses The Cisco TrustSec egress device enforces the SGACL policy (processing according to service instruction) that applies to source group 3 and destination group 4, the security group number assigned by the authentication server for the web server. If the SGACL allows the packet to be forwarded, the Cisco TrustSec egress switch modifies the packet to remove the SGT and forwards the packet to the web server).
Claim 3, 10 and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over The combination of Pillay-Esnault (US pg. no. 20180343236), Trustsec “Cisco TrustSec Configuration Guide, Cisco IOS XE Amsterdam 17.3.x”, and Ahmed (US pg. no. 20200274852), further in view of Phillips (US pg. no. 20190173845).
		Regarding claim 3, the combination discloses the computer-implemented method of claim 1.
		But, the combination does not explicitly disclose:
		wherein the table of network policies and rules further includes at least one of ingress information, or egress information;
		However, in the same field of endeavor, Phillips discloses wherein the table of network policies and rules further includes at least one of ingress information, or egress information ([0061] The policy generation component 302 can also receive user input information (e.g., via the user portal 223) defining one or more variables of the firewall policy rule, including by not limited to: a directionality of the traffic (e.g., ingress or egress)).
		Therefore, it would have been obvious to a person having ordinary skill in the art at the time of the invention was effectively filed to combine the teaching of the combination with Phillips. The modification would allow including directional parameters of the traffic in rules and policy information of access control to effectively steer traffic to authorized network elements for ensuring a secured communication.
		Regarding claim 10, the combination discloses the system of claim 8.
		All other limitations of claim 10 are similar with the limitations of claim 3 above. Claim 10 is rejected on the analysis of claim 3 above.
		Regarding claim 17, the combination discloses non-transitory computer readable storage medium of claim 15.
		All other limitations of claim 17 are rejected on the analysis of claim 3 above.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MESSERET F GEBRE whose telephone number is (571)272-8272.  The examiner can normally be reached on M-F 9:30 AM-5:30 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Oscar Louie can be reached on 571-2701684.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/MESSERET F GEBRE/Examiner, Art Unit 2445

/OSCAR A LOUIE/Supervisory Patent Examiner, Art Unit 2445