continued from PTO-303, item 3(a):
The amendments to the independent claims are new issues requiring further search and/or consideration. Such further consideration and search was performed under AFCP 2.0 per Applicant’s request. However, because the amendments do not place the application in condition for allowance, as detailed below, and because they raise potential new grounds of rejection, the amendments do not materially reduce or simplify the issues for appeal, and therefore, the amendments have not been entered.

continued from PTO-303, item 12:
(a) Applicant submits:
“Accordingly, Harrison’s rules do not include a source security zone address, a source port, a destination security zone address, a destination port, a cluster listening address, a communications protocol, a policy, a description, and an action. For instance, Harrison’s rules clearly do not include a cluster listening address, a communications protocol, a policy, or a description. Additionally, Momchilov and Markham do not make up for the shortcomings in Harrison.” (page 17, last par., emphasis added)
Examiner maintains: 
(i) With regard to ‘security zone’:
The spec. discloses “In an actual application process, a data center network is usually divided into several security zones by using the firewall. A security zone is a logical area. Same or similar security protection requirements exist in the area, and a security risk of data flowing in a same security zone is relatively low; however, due to different security levels, access between security zones is usually prohibited by default.” (spec. [0004]); and
“As shown in Table 1, a first security access control policy template is used as an example, the source security zone is the App server, the destination security zone is the DB server,…” (see spec. [0041]).
Therefore, the spec. discloses that a security zone is a logical area in a network, divided by the firewall, such as the App server security zone or the DB server security zone.
Madhu, [0086], discloses “cloud availability zones”.
(ii) With regard to cluster listening address:
The spec. discloses “When the column of the cluster listening address is filled with a subsequently-obtained IP address of the DB server,” (spec. [0041]), and “the column of the cluster listening address is filled with an IP address of a virtual machine corresponding to the DB server,” (spec. [0054]).
Therefore, the cluster listening address is the IP address of a server, such as the IP address of the DB server, or the IP address of a VM corresponding to the DB server.
Momchilov, [0091], discloses “cluster”; [0032] discloses or suggests the “cluster listening address”.
(iii) Harrison discloses:
“[0074] A service can be selected from a list of predefined services or can be defined as a new service. A service can be characterized by name, protocol, the application type (as used by next-generation firewalls [i.e., dividing the network into logical areas by the firewalls, each logical area corresponds to a security zone ]), port number, timeout value in seconds (optional) and description of the service [i.e., the description ]. Alternatively or additionally, an application can be defined with the help of application templates. The template includes one or more connections specified by names of source, destination and respective service therebetween (e.g. Web Server.fwdarw.HTTP.fwdarw.App Server), while the resources (Web to Server and App Server in the previous example) do not need to be defined, they can be just placeholders. A user can instantiate the template into an application connectivity definition by adding the missing details (e.g. Web Server: 192.168.1.2. [i.e., the source security zone address, the source port ] fwdarw.HTTP [i.e., where HTTP is the communication protocol ] .fwdarw.App Server: 172.16.2.4 [i.e., the destination security zone address, the destination port, the cluster listening address (of App Server) ]).”; and
“[0046] The security gateways [i.e., dividing the network into logical areas by the firewalls, each logical area corresponds to a security zone ] operate in accordance with one or more rules controlling, at least, inbound and/or outbound traffic with regard to respective resources. These rules (including combinations and/or hierarchies thereof) are referred to hereinafter as a rule-set or rule base. A single rule typically includes several fields (e.g. source (IP address and/or port), destination (IP address and/or port), service type, user, application, etc.), and an action which shall be drawn from the rule when a certain condition with regard to the field values is satisfied. The fields included in such condition(s) are referred to hereinafter as "fields engaged in the rules". A field can be characterized by a specified set of values (e.g. a certain IP address, a certain range of TCP ports, a certain range of IP addresses in a LAN defined by a mask, any port, etc.). The action in the rule can specify accepting or denying the respective traffic [i.e., the policy/action ], authentication, encryption, etc.”

Therefore, Harrison in combination with Momchilov and Madhu discloses or suggests the limitations in the amendments.


/PEILIANG PAN/Examiner, Art Unit 2492
/KHANG DO/Primary Examiner, Art Unit 2492