DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 02/12/2021, 09/14/2021 and 12/27/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Claim Objections
Claim 9 is objected to because of the following informalities: 
Claim 9, line 2, replace “the corresponding rule” with “corresponding to the each rule”
Appropriate correction is required.
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.
For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-5 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 12-13 & 15-17 of U.S. Patent No. US 10,924,325 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-5 are “anticipated by” claims 12-13 & 15-17 of U.S. Patent No. US 10,924,325 B2.

Application No. 17/175,551 (Instant):

1. A method comprising: identifying a map that includes a plurality of rules for handling data packets; associating each rule of the plurality of rules with an action set, wherein each action set is to be executed when a corresponding rule is considered a match, and wherein the corresponding rule is considered a match when a corresponding criterion is satisfied by a data packet; and causing the map to be implemented by a network visibility appliance to which a traffic stream is directed for analysis, wherein the map is implemented such that all rules of the plurality of rules are applied to each data packet included in the traffic stream.

2. The method of claim 1, wherein each action set includes at least one of a pass action that causes data packets that satisfy the corresponding criterion to be forwarded downstream to a network object, or a drop action that causes data packets that do not satisfy the corresponding criterion to be dropped.

3. The method of claim 1, wherein at least two rules of the plurality of rules share an action set in common.

4. The method of claim 1, further comprising: assigning a priority value to each rule of the plurality of rules.

5. The method of claim 4, wherein action sets corresponding to higher priority rules are to be executed before action sets corresponding to lower priority rules.

US 10,924,325 B2:

12. A computer-implemented method comprising: identifying, by a controller, a map that includes a plurality of rules for filtering data packets from a traffic stream, wherein each rule of the plurality of rules is associated with a different filtering criterion, and wherein each rule is considered a match when a corresponding filtering criterion is satisfied; associating, by the controller, each rule of the plurality of rules with an action set, wherein each action set is to be executed only when a corresponding rule is considered to be matched; and causing, by the controller, the map to be implemented by a network visibility appliance that is communicatively coupled to the controller, wherein the map is implemented so that the network visibility appliance concurrently applies all rules of the plurality of rules associated with different filtering criteria to a data packet received by the network visibility appliance.

13. The computer-implemented method of claim 12, wherein each action set includes at least one of a pass action that causes data packets satisfying the filtering criterion to be forwarded downstream to a network object, or a drop action that causes data packets that do not satisfy the filtering criterion to be dropped.

15. The computer-implemented method of claim 12, wherein at least two rules of the plurality of rules share an action set.

16. The computer-implemented method of claim 12, further comprising: assigning a priority value to each rule of the plurality of rules.

17. The computer-implemented method of claim 16, wherein action sets corresponding to higher priority rules are to be executed before action sets corresponding to lower priority rules.

Claims 8-10 & 12 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 19-20 & 22 of U.S. Patent No. US 10,924,325 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 8-10 & 12 are “anticipated by” claims 19-20 & 22 of U.S. Patent No. US 10,924,325 B2.

Application No. 17/175,551 (Instant):

8. A programmable switch comprising: an ingress port at which to receive a data packet transmitted by an agent that is hosted on a virtual machine; and a processor configured to: identify a map to be applied to the data packet, wherein the map includes a plurality of rules, each rule being associated with a respective entry in a data structure that specifies (i) a criterion and (ii) an action set that is to be executed when the criterion is satisfied; apply the plurality of rules to the data packet to identify at least one matching rule; and executing at least one action set corresponding to the at least one matching rule.

9. The programmable switch of claim 8, wherein each entry further specifies (iii) a priority value assigned to the corresponding rule.

10. The programmable switch of claim 9, wherein the at least one action set is executed in order of priority.

12. The programmable switch of claim 8, further comprising: a ternary content-addressable memory (TCAM) in which the data structure is stored.

US 10,924,325 B2:

19. A programmable switch comprising: an ingress port at which to receive a data packet transmitted by an agent on a virtual machine over a network to which the programmable switch is coupled, wherein the data packet is included in a stream of data packets indicative of traffic handled by a cloud computing platform of which the virtual machine is a part; and a processor configured to: identify a plurality of data structure entries associated with a map to be applied to the received data packet, wherein the map includes a plurality of rules, each rule being associated with a respective data structure entry that includes a filtering criterion, and an action set that is to be executed on the data packet only when the data packet satisfies the filtering criterion; concurrently apply all rules of the plurality of rules in the map to the data packet to identify at least one matching rule; and in response to identification of the at least one matching rule, executing at least one action set corresponding to the at least one matching rule in order of priority.

20. The programmable switch of claim 19, wherein priority is determined based on a priority value assigned to each rule of the plurality of rules.

22. The programmable switch of claim 21, wherein the data store is a ternary content-addressable memory (TCAM), and wherein the data structure is a programmable flow table.


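As an added illustration of the mechanism recited in the claims compared above (claims 1-5 and 8-12 of the instant application against claims 12-17 and 19-22 of the patent), and not code from either the application or the patent: each map entry carries (i) a criterion, (ii) an action set and (iii) a priority; every entry is applied to every packet, and the action sets of the matching entries execute in priority order. The value/mask criterion models a TCAM-style ternary lookup; the rule names, targets and packets are constructed sample data, and treating a drop action as discarding the matched packet is this model's simplification.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed packet format: integer header fields keyed by name.
Packet = Dict[str, int]


@dataclass(frozen=True)
class Action:
    kind: str          # "pass" forwards to a downstream network object, "drop" discards
    target: str = ""   # network object name; only meaningful for a pass action


# An action set is an immutable tuple, so two rules can share one and the same object.
ActionSet = Tuple[Action, ...]


@dataclass(frozen=True)
class Entry:
    """One data-structure entry per rule: (i) criterion, (ii) action set, (iii) priority."""
    name: str
    criterion: Dict[str, Tuple[int, int]]   # field -> (value, mask); TCAM-style ternary match
    actions: ActionSet
    priority: int = 0                        # higher value executes first

    def matches(self, pkt: Packet) -> bool:
        # Only the bits set in each mask are compared; a missing field never matches.
        return all(
            field in pkt and (pkt[field] & mask) == (value & mask)
            for field, (value, mask) in self.criterion.items()
        )


class RuleMap:
    def __init__(self, entries: List[Entry]):
        self.entries = list(entries)

    def matching(self, pkt: Packet) -> List[Entry]:
        """Apply every rule to the packet; there is no first-match short circuit."""
        return [e for e in self.entries if e.matches(pkt)]

    def apply(self, pkt: Packet) -> Dict[str, object]:
        """Execute the action sets of all matching rules, highest priority first."""
        matched = sorted(self.matching(pkt), key=lambda e: e.priority, reverse=True)
        executed: List[Tuple[str, str]] = []
        forwarded: List[str] = []
        for entry in matched:
            for act in entry.actions:
                executed.append((entry.name, act.kind))
                if act.kind == "drop":
                    # A drop ends processing; lower-priority pass actions never run.
                    return self._result("drop", matched, executed, forwarded)
                forwarded.append(act.target)
        verdict = "pass" if forwarded else "no-match"
        return self._result(verdict, matched, executed, forwarded)

    @staticmethod
    def _result(verdict, matched, executed, forwarded):
        return {
            "verdict": verdict,
            "matched": [e.name for e in matched],   # in execution (priority) order
            "executed": executed,
            "forwarded_to": forwarded,
        }


# Constructed sample map. TO_IDS is deliberately shared by two rules.
TO_IDS: ActionSet = (Action("pass", "ids"),)
RULE_MAP = RuleMap([
    Entry("tcp-any", {"proto": (6, 0xFF)}, TO_IDS, priority=10),
    Entry("https", {"proto": (6, 0xFF), "dport": (443, 0xFFFF)}, TO_IDS, priority=20),
    Entry("internal-src", {"src": (0x0A000000, 0xFF000000)},      # 10.0.0.0/8
          (Action("pass", "recorder"),), priority=5),
    Entry("telnet", {"proto": (6, 0xFF), "dport": (23, 0xFFFF)},
          (Action("drop"),), priority=100),
])

# Constructed sample packets (src as a 32-bit integer).
PACKETS: Dict[str, Packet] = {
    "https_from_internal": {"proto": 6, "dport": 443, "src": 0x0A010203},  # 10.1.2.3
    "telnet": {"proto": 6, "dport": 23, "src": 0xC0A80101},               # 192.168.1.1
    "dns": {"proto": 17, "dport": 53, "src": 0xAC100001},                 # 172.16.0.1
}


def run_all() -> Dict[str, Dict[str, object]]:
    """Run every sample packet through the map and collect the results by packet name."""
    return {name: RULE_MAP.apply(pkt) for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:20s} {result['verdict']:9s} matched={result['matched']} "
              f"forwarded_to={result['forwarded_to']}")
```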
Claims 14, 18 & 20 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1 & 7-8 of U.S. Patent No. US 10,924,325 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 14, 18 & 20 are “anticipated by” claims 1 & 7-8 of U.S. Patent No. US 10,924,325 B2.

Application No. 17/175,551 (Instant):

14. A method comprising: identifying a plurality of network objects that are interconnected through a network visibility appliance to which data packets are to be routed for analysis; associating each network object of the plurality of network objects with an action set; constructing a data structure that is representative of the network visibility appliance by— creating a separate entry for each network object of the plurality of network objects, and establishing an association between a pair of entries for each traffic flow between a pair of network objects of the plurality of network objects, wherein each action set includes at least one of a pass action that is represented in the data structure as an established association, or a drop action that is represented in the data structure as a lack of established associations; and storing the data structure in a memory that is accessible to the network visibility appliance.

18. The method of claim 14, further comprising: causing a graph that visually represents the network visibility appliance to be presented on a display of a computing device; and enabling an individual to specify a modification to the network visibility appliance by modifying the graph.

20. The method of claim 14, wherein the plurality of network objects includes at least one of a raw endpoint, a tunnel endpoint, an application endpoint, or a map, and wherein each raw endpoint, if any, receives traffic from a Network Interface Card (NIC) of the network visibility appliance, each tunnel endpoint, if any, receives traffic from, or sends traffic to, an environment outside of the network visibility appliance, each application endpoint, if any, receives traffic from, or sends traffic to, an application program, and each map, if any, includes at least one rule for managing traffic.

US 10,924,325 B2:

1. A computer-implemented method comprising: identifying a plurality of network objects that are interconnected through a network visibility appliance that is coupled to a public cloud infrastructure accessible to multiple users; associating each network object of the plurality of network objects with an action set to be applied to incoming data packets; constructing a data structure indicative of the network visibility appliance by creating a separate entry in the data structure for each network object of the plurality of network objects, and establishing an association between a pair of entries in the data structure for each traffic flow between a pair of network objects of the plurality of network objects, wherein each action set includes at least one of a pass action represented in the data structure as an established association, or a drop action represented in the data structure as a lack of established associations, and wherein a particular action set corresponding to a particular network object includes a plurality of actions to be concurrently applied to the incoming data packets, the plurality of actions including a plurality of pass actions that are represented as a plurality of established associations between a particular entry associated with the particular network object and a plurality of other entries; acquiring, from the public cloud infrastructure, data packets indicative of traffic associated with a given user of the multiple users; routing the data packets acquired from the public cloud infrastructure through the plurality of network objects based on the data structure; and forwarding at least some of the data packets acquired from the public cloud infrastructure that were not dropped by the plurality of network objects to the public cloud infrastructure.

7. The computer-implemented method of claim 1, wherein the plurality of network objects includes at least one of a raw endpoint, a tunnel endpoint, an application endpoint, or a map.

8. The computer-implemented method of claim 7, wherein each raw endpoint, if any, receives traffic from a Network Interface Card (NIC) of the network visibility appliance, each tunnel endpoint, if any, receives traffic from, or sends traffic to, an environment outside of the network visibility appliance, each application endpoint, if any, receives traffic from, or sends traffic to, an application program, and each map, if any, includes a rule for managing traffic.

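As an added illustration of the data structure recited in claims 14, 18 and 20 above and in claims 1, 7 and 8 of the patent, and not code from the application or the patent: one entry per network object (raw, tunnel, application, map), one association per traffic flow, a pass action represented as an established association and a drop action as the absence of one, with a packet routed through the objects by walking the associations. The object names, the single-predicate map rule, the packets, and the assumption that tunnel and application endpoints hand traffic out of the appliance are this model's own choices.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, int]   # constructed packet format: integer header fields

KINDS = ("raw", "tunnel", "application", "map")
# Assumption for this model: tunnel and application endpoints deliver traffic out of the appliance.
EGRESS_KINDS = ("tunnel", "application")


class NetworkObject:
    def __init__(self, name: str, kind: str,
                 rule: Optional[Callable[[Packet], bool]] = None):
        if kind not in KINDS:
            raise ValueError(f"unknown network object kind: {kind}")
        if (kind == "map") != (rule is not None):
            raise ValueError("map objects, and only map objects, carry a rule")
        self.name, self.kind, self.rule = name, kind, rule


class VisibilityGraph:
    """Data structure representing the appliance: one entry per network object,
    one association per traffic flow between a pair of objects."""

    def __init__(self) -> None:
        self.entries: Dict[str, NetworkObject] = {}
        self.links: Dict[str, List[str]] = defaultdict(list)

    def add_object(self, obj: NetworkObject) -> NetworkObject:
        self.entries[obj.name] = obj
        return obj

    def add_association(self, src: str, dst: str) -> None:
        """A pass action from src to dst is represented as an established association."""
        for name in (src, dst):
            if name not in self.entries:
                raise KeyError(name)
        if dst not in self.links[src]:
            self.links[src].append(dst)

    def remove_association(self, src: str, dst: str) -> None:
        """Editing the graph edits the appliance: removing the last association makes it a drop."""
        self.links[src] = [d for d in self.links[src] if d != dst]

    def action_set(self, name: str) -> List[Tuple[str, ...]]:
        """Pass actions are the established associations; no association at all means drop."""
        targets = self.links.get(name, [])
        return [("pass", t) for t in targets] if targets else [("drop",)]

    def route(self, ingress: str, pkt: Packet) -> Dict[str, List[str]]:
        """Walk one packet from a raw endpoint through the graph; report where copies went."""
        visited: List[str] = []
        delivered: List[str] = []
        dropped_at: List[str] = []
        pending = [ingress]
        while pending:
            name = pending.pop(0)
            obj = self.entries[name]
            visited.append(name)
            if obj.kind == "map" and not obj.rule(pkt):
                dropped_at.append(name)          # rule not satisfied: packet goes no further
                continue
            if obj.kind in EGRESS_KINDS:
                delivered.append(name)           # forwarded out of the appliance
                continue
            actions = self.action_set(name)
            if actions == [("drop",)]:
                dropped_at.append(name)
                continue
            pending.extend(target for _, target in actions)   # concurrent pass actions
        return {"visited": visited, "delivered": delivered, "dropped_at": dropped_at}


def build_sample_appliance() -> VisibilityGraph:
    """Constructed sample: two NIC raw endpoints, one map, one tunnel, one application."""
    g = VisibilityGraph()
    g.add_object(NetworkObject("nic0", "raw"))
    g.add_object(NetworkObject("nic1", "raw"))
    g.add_object(NetworkObject("web-only", "map", rule=lambda p: p.get("dport") in (80, 443)))
    g.add_object(NetworkObject("to-tool-vpc", "tunnel"))
    g.add_object(NetworkObject("dedup-app", "application"))
    g.add_association("nic0", "web-only")
    g.add_association("web-only", "to-tool-vpc")   # two pass actions applied concurrently
    g.add_association("web-only", "dedup-app")
    # nic1 has no association at all, so everything it receives is dropped.
    return g


if __name__ == "__main__":
    appliance = build_sample_appliance()
    for port, pkt in (("nic0", {"proto": 6, "dport": 443}), ("nic0", {"proto": 6, "dport": 22}),
                      ("nic1", {"proto": 6, "dport": 443})):
        print(port, pkt, appliance.route(port, pkt))
```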
Similarly, all other dependent claims of the instant application (Application No. 17/175,551) are rejected on the ground of nonstatutory double patenting as being unpatentable over combinations of dependent claims (similar to the combinations of independent/dependent claims shown above) of U.S. Patent No. US 10,924,325 B2. Although those claims at issue are not identical, they are not patentably distinct from each other because the combinations of those dependent claims are “anticipated by” the combinations of dependent claims of U.S. Patent No. US 10,924,325 B2.



Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

In the event that the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-3, 7-8 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Jaushin Lee (2014/0244851), Lee hereinafter, in view of Goldfarb et al. (2017/0366395), Goldfarb hereinafter.


Re. claim 1, Lee teaches a method (Fig. 6/Fig. 9/Fig. 11A) comprising: identifying a map that includes a plurality of rules for handling data packets (Fig. 1-18 & ¶0020 - creating at the first end point a first dynamic routing table having first routing information, the first routing information including a first session identifier for the virtual network connection, and forwarding the first routing information to a virtual network switch between the first and second network domains. The virtual network switch consults a second dynamic virtual routing table having second routing information, the second routing information a second session identifier. When the second session identifier matches the first session identifier, the virtual network switch forwards a payload of a data packet from the first end point to the second end point according to the second routing information. Fig. 1-18 & ¶0095 - The physical networking device may include its own set of rules (a map is a collection of one or more rules as per applicant’s disclosure in ¶0056) … forwarding the data packet.. These rules and logic are separate from or independent of the rules and logic of the virtual network platform. ¶0099 - central controller is responsible for implementing and maintaining security policies in a central database, evaluating the security policies, .. a security policy can be a rule.. Fig. 1-18 & ¶0163 - In a step 1125, traffic or data packets are received and filtered according to the static virtual routing tables); associating each rule of the plurality of rules with an action set, wherein each action set is to be executed when a corresponding rule is considered a match, and wherein the corresponding rule is considered a match when a corresponding criterion is satisfied by a data packet (Fig. 9 & ¶0163 - In a step 1125, traffic or data packets are received and filtered according to the static virtual routing tables….. determining … comparing one or more … associated with the second end point .... ¶0164 - if a data packet includes a routing address that matches an entry in the static virtual routing table, a security check 1135 is performed to determine whether a virtual network connection should be established. That is, a plurality of rules associated with two different filtering/matching criteria in steps 1125 and 1135. Also, Fig. 11B/Fig. 10 show traffic/data flow between a pair of network objects along with Fig. 11A. ¶0168 - if the security check passes (step 1145), the controller informs the virtual network proxies and virtual network switches to create a session for the virtual network connection..); and causing the map to be implemented by a network visibility appliance to which a traffic stream is directed for analysis (Fig. 1-18 & ¶0095 - The physical networking device may include its own set of rules (a map is a collection of one or more rules as per applicant’s disclosure in ¶0056) … forwarding the data packet.. Fig. 1-18 & ¶0169 - Traffic between the first and second network domains is then routed according to the dynamic routing tables (step 1155)…. Fig. 1, Fig. 4 & ¶0023 - virtual network includes a virtual network switch connected between the first and second network domains, and a virtual routing table. The virtual network switch receives a data packet from the first end point, and based on the virtual routing table, forwards a payload in the data packet to the second end point in the second network domain.).

[Figure: media_image1.png]

Yet, Lee does not explicitly teach wherein the map is implemented such that all rules of the plurality of rules are applied to each data packet included in the traffic stream.
However, in the analogous art, Goldfarb discloses wherein the map is implemented such that all rules of the plurality of rules are applied to each data packet included in the traffic stream. (Fig. 1 & ¶0026 - the computing environment 10 is a geographically distributed computing environment, with various components disposed in different data centers, public clouds… ¶0052 - a classification tree may be trained on past network traffic to classify the sending unit of profiling (like a user/computing device/protocol combination) based on a collection of corresponding vectors. ..Classifiers may take as inputs scores indicative of confidents, mismatches, errors, or fitness from these models to detect anomalous behavior… Fig. 1-10 & ¶0053 - the classifiers, either concurrently or consecutively, may apply these rules to the respective data feeds to determine which rules are satisfied …… a plurality of processes may process these rules concurrently, such as a distinct process corresponding to each rule for instance as may be implemented in a graphical processing unit. The above disclosures by Goldfarb are similar to the instant application's disclosure, at least as mentioned in ¶0082 of the instant application.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains to include Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels, because it enables virtual private network connection settings to be configured automatically based on sensed network conditions. (Title, ¶0005, Goldfarb)


Re. claim 2, Lee and Goldfarb teach claim 1.
Lee further teaches wherein each action set includes at least one of a pass action that causes data packets that satisfy the corresponding criterion to be forwarded downstream to a network object (Fig. 1-18 & ¶0168 - if the security check passes (step 1145), the controller informs the virtual network proxies and virtual network switches to create a session for the virtual network connection.. Fig. 1-18 & ¶0169 - Traffic between the first and second network domains is then routed according to the dynamic routing tables (step 1155)…. ¶0023 - virtual network switch receives a data packet from the first end point, and based on the virtual routing table, forwards a payload in the data packet to the second end point in the second network domain), or a drop action that causes data packets that do not satisfy the corresponding criterion to be dropped (Fig. 1-18 & ¶0167 - If the security check fails (step 1140), the application client is blocked from connecting to the application server).
Re. claim 3, Lee and Goldfarb teach claim 1.
Yet, Lee does not explicitly teach wherein at least two rules of the plurality of rules share an action set in common.
However, in the analogous art, Goldfarb discloses wherein at least two rules of the plurality of rules share an action set in common. (Fig. 1-10 & ¶0026 - the computing environment 10 is a geographically distributed computing environment, with various components disposed in different data centers, public clouds… ¶0052 - a classification tree may be trained on past network traffic to classify the sending unit of profiling (like a user/computing device/protocol combination) based on a collection of corresponding vectors. ..Classifiers may take as inputs scores indicative of confidents, mismatches, errors, or fitness from these models to detect anomalous behavior… Fig. 1-10 & ¶0053 - the classifiers, either concurrently or consecutively, may apply these rules to the respective data feeds to determine which rules are satisfied … a plurality of processes may process these rules concurrently, such as a distinct process corresponding to each rule for instance as may be implemented in a graphical processing unit. The above disclosures by Goldfarb are similar to the instant application's disclosure, at least as mentioned in ¶0082 of the instant application.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains to include Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels, because it enables virtual private network connection settings to be configured automatically based on sensed network conditions. (Title, ¶0005, Goldfarb)
Re. claim 7, Lee and Goldfarb teach claim 1.
Lee further teaches wherein said identifying, said associating, and said causing are performed by a controller that is communicatively connected to the network visibility appliance. (Fig. 1-18 & ¶0020 - When the second session identifier matches the first session identifier, the virtual network switch forwards a payload of a data packet from the first end point to the second end point according to the second routing information. Fig. 1-18 & ¶0029 - virtual network includes a controller that grants or denies permission to use the virtual network. When the controller grants permission to use the virtual network, the controller provisions an entry in a dynamic virtual routing table at a virtual network switch between the first and second network domains. Fig. 1-18 & ¶0099 - central controller is responsible for implementing and maintaining security policies in a central database, evaluating the security policies, .. a security policy can be a rule.. ¶0163 - In a step 1125, traffic or data packets are received and filtered according to the static virtual routing tables. ¶0164 - if a data packet includes a routing address that matches an entry in the static virtual routing table, a security check 1135 is performed to determine whether a virtual network connection should be established. Fig. 1-18 & ¶0169 - Traffic between the first and second network domains is then routed according to the dynamic routing tables (step 1155)).

Re. claim 8, Lee teaches a programmable switch (Fig. 3, Fig. 7-8, Fig. 9, Fig. 11A-C, Fig. 12 & ¶0082 - public cloud include.. … multiple consumers using a multi-tenant. ¶0086 - virtual network platform may be referred to as a software-defined network (SDN), similar to the instant application's disclosure in ¶0046) comprising: an ingress port at which to receive a data packet transmitted by an agent that is hosted on a virtual machine (Fig. 1-5 & ¶0055 - network interface card (NIC).. ¶0056 - network may include a hub, switch, or router. … receive over one port (ingress port) …. similar to the instant application's disclosure in ¶0020 & ¶0049. Fig. 6-8 & ¶0101 - The control daemon, virtual network proxy, or both may be referred to as a virtual network agent. Fig. 9 & ¶0148 - virtual network agents (e.g., control daemons and virtual network proxies) and virtual routing tables are provided to the end points and virtual network switches. … virtual machine template that provides for the installation of an agent, table, or both when a virtual machine is created or cloned from the template); and a processor (Fig. 3, 306; Fig. 7, 710; Fig. 8, 855; Fig. 10, 1015; Fig. 12, 1225/1205) configured to: identify a map to be applied to the data packet, wherein the map includes a plurality of rules, each rule being associated with a respective entry in a data structure that specifies (i) a criterion (Fig. 1/Fig. 4/Fig. 10 & ¶0025 & ¶0057, Fig. 11A & ¶0163 - In a step 1125, traffic or data packets are received and filtered according to the static virtual routing tables. Data packets not having a routing address listed in the static routing table are forwarded to the local TCP/IP network (step 1130). determining … comparing one or more … associated with the second end point. ¶0164 - if a data packet includes a routing address that matches an entry in the static virtual routing table, a security check 1135 is performed to determine whether a virtual network connection should be established. That is, a plurality of rules associated with two different filtering/matching criteria in steps 1125 and 1135) and (ii) an action set that is to be executed when the criterion is satisfied (Fig. 11A & ¶0168 - if the security check passes (step 1145), the controller informs the virtual network proxies and virtual network switches to create a session for the virtual network connection); and executing at least one action set corresponding to the at least one matching rule (Fig. 11A & ¶0168 - if the security check passes (step 1145), the controller informs the virtual network proxies and virtual network switches to create a session for the virtual network connection).
Yet, Lee does not explicitly teach applying the plurality of rules to the data packet to identify at least one matching rule.
However, in the analogous art, Goldfarb discloses applying the plurality of rules to the data packet to identify at least one matching rule. (Fig. 1 & ¶0026 - the computing environment 10 is a geographically distributed computing environment, with various components disposed in different data centers, public clouds… ¶0052 - a classification tree may be trained on past network traffic to classify the sending unit of profiling (like a user/computing device/protocol combination) based on a collection of corresponding vectors. ..Classifiers may take as inputs scores indicative of confidents, mismatches, errors, or fitness from these models to detect anomalous behavior… Fig. 1-10 & ¶0053 - the classifiers, either concurrently or consecutively, may apply these rules to the respective data feeds to determine which rules are satisfied …… a plurality of processes may process these rules concurrently, such as a distinct process corresponding to each rule for instance as may be implemented in a graphical processing unit. The above disclosures by Goldfarb are similar to the instant application's disclosure, at least as mentioned in ¶0082 of the instant application.)
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains to include Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels, because it enables virtual private network connection settings to be configured automatically based on sensed network conditions. (Title, ¶0005, Goldfarb)
Re. claim 11, Lee and Goldfarb teach claim 8.
Lee further teaches wherein the data packet is included in a stream of data packets indicative of traffic handled by a cloud computing platform of which the virtual machine is a part. (Fig. 3, Fig. 7-8, Fig. 9, Fig. 11A-C, Fig. 12 & ¶0082 - public cloud include .. multiple consumers using a multi-tenant .. ¶0100 -The virtual network switches .. receiving a data packet and forwarding the data packet to the appropriate end point or port for the intended recipient. The virtual network switches ..where the application components are on two different end points in two different or separate network domains. ¶0101 - an end point module includes a control daemon and virtual network proxy.. The control daemon, virtual network proxy, or both may be referred to as a virtual network agent. Fig. 3, Fig. 7-8, Fig. 9, Fig. 11A-C, Fig. 12 & ¶0148 - In a step 920, virtual network agents and virtual routing tables are provided to the end points and virtual network switches. ….. there can be a virtual machine template that provides for the installation of an agent, table, or both when a virtual machine is created or cloned from the template.).


Claims 4-6 and 9-10 are rejected under 35 U.S.C. 103 as being unpatentable over Lee, in view of Goldfarb, further in view of Chalvadi et al. (2017/0317976), Chalvadi hereinafter.


Re. claim 4, Lee and Goldfarb teach claim 1.
Yet, Lee and Goldfarb do not expressly teach further comprising: assigning a priority value to each rule of the plurality of rules.
However, in the analogous art, Chalvadi explicitly discloses further comprising: assigning a priority value to each rule of the plurality of rules. (Fig. 1-14 & ¶0031 - a network controller (operating, e.g., on the same physical machine as the MFE) receives the distributed service rules, assigns priorities to the rules, and generates configuration data (e.g., flow entries) for the rules in an optimized manner. Fig. 1-14 & ¶0036 - the rules might be organized with all layer 2 (L2) rules in a first set and all layer 3 (L3) rules in a second set….. These sets of service rules (also referred to as rule sections) are organized with priorities, from a highest-priority rule section to a lowest-priority rule section. In addition, within each rule section, the service rules themselves are organized from a highest-priority rule to a lowest-priority rule. Fig. 1-14 & ¶0043 - The priority allocator 220 of some embodiments starts with the highest-priority rule section, and assigns those service rules the highest priorities (in the same order in which the service rules are ordered within the section), then proceeds to the next-highest-priority rule section and assigns those service rules the next highest priorities (again in the same order in which the service rules are ordered within the section), and so on through the lowest-priority rule section, with the lowest priority assigned to the lowest-priority service rule in the lowest-priority rule section).


Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels to include Chalvadi’s invention of priority allocation for distributed service rules in a virtualized network security system, because it provides an efficient mechanism for generating configuration data for a flow-based managed forwarding element (MFE) in order for the MFE to implement distributed service rules (e.g., distributed firewall rules) in the virtualized network security system. (¶0002/¶0031, Chalvadi)

Re. claim 5, Lee, Goldfarb and Chalvadi teach claim 4.
Yet, Lee and Goldfarb do not expressly teach wherein action sets corresponding to higher priority rules are to be executed before action sets corresponding to lower priority rules.
However, in the analogous art, Chalvadi explicitly discloses wherein action sets corresponding to higher priority rules are to be executed before action sets corresponding to lower priority rules. (Fig. 1-14 & ¶0036 - These sets of service rules (also referred to as rule sections) are organized with priorities, from a highest-priority rule section to a lowest-priority rule section. Fig. 1-14 & ¶0043 - The priority allocator 220 of some embodiments starts with the highest-priority rule section, and assigns those service rules the highest priorities, then proceeds to the next-highest-priority rule section and assigns those service rules the next highest priorities…. and so on through the lowest-priority rule section, with the lowest priority assigned to the lowest-priority service rule in the lowest-priority rule section. Fig. 1-14 & ¶0047 - …. the MFE will execute the actions of the highest-priority matching flow entry on the packet).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels to include Chalvadi’s invention of priority allocation for distributed service rules in a virtualized network security system, because it provides an efficient mechanism for generating configuration data for a flow-based managed forwarding element (MFE) in order for the MFE to implement distributed service rules (e.g., distributed firewall rules) in the virtualized network security system. (¶0002/¶0031, Chalvadi)
Re. claim 6, Lee, Goldfarb and Chalvadi teach claim 4.
Yet, Lee and Goldfarb do not expressly teach wherein action sets corresponding to rules having identical priority values are to be executed based on an order of the rules within a data structure that is representative of the map.
However, in the analogous art, Chalvadi explicitly discloses wherein action sets corresponding to rules having identical priority values are to be executed based on an order of the rules within a data structure that is representative of the map. (Fig. 1-14 & ¶0031 - a network controller (operating, e.g., on the same physical machine as the MFE) receives the distributed service rules, assigns priorities to the rules (Map is a collection of one or more rules as per applicant’s disclosure in ¶0056), and generates configuration data (e.g., flow entries) for the rules in an optimized manner. Fig. 1-14 & ¶0070 - the process 300 generates (at 345) flow entries for the rules (Map is a collection of one or more rules as per applicant’s disclosure in ¶0056) according to the assigned priority values. …., the network controller generates multiple stages of flow entries for some or all of the rules. …..all flow entries for a rule are assigned the same priority based on the process 300).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels to include Chalvadi’s invention of priority allocation for distributed service rules in a virtualized network security system, because it provides an efficient mechanism for generating configuration data for a flow-based managed forwarding element (MFE) in order for the MFE to implement distributed service rules (e.g., distributed firewall rules) in the virtualized network security system. (¶0002/¶0031, Chalvadi)

Re. claim 9, Lee and Goldfarb teach claim 8.
Yet, Lee and Goldfarb do not expressly teach wherein each entry further specifies (iii) a priority value assigned to the corresponding rule.
However, in the analogous art, Chalvadi explicitly discloses wherein each entry further specifies (iii) a priority value assigned to the corresponding rule. (Fig. 1-14 & ¶0031 - a network controller (operating, e.g., on the same physical machine as the MFE) receives the distributed service rules, assigns priorities to the rules, and generates configuration data (e.g., flow entries) for the rules in an optimized manner. Fig. 1-14 & ¶0036 - the rules might be organized with all layer 2 (L2) rules in a first set and all layer 3 (L3) rules in a second set….. These sets of service rules (also referred to as rule sections) are organized with priorities, from a highest-priority rule section to a lowest-priority rule section. In addition, within each rule section, the service rules themselves are organized from a highest-priority rule to a lowest-priority rule. Fig. 1-14 & ¶0043 - The priority allocator 220 of some embodiments starts with the highest-priority rule section, and assigns those service rules the highest priorities (in the same order in which the service rules are ordered within the section), then proceeds to the next-highest-priority rule section and assigns those service rules the next highest priorities (again in the same order in which the service rules are ordered within the section), and so on through the lowest-priority rule section, with the lowest priority assigned to the lowest-priority service rule in the lowest-priority rule section).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels to include Chalvadi’s invention of priority allocation for distributed service rules in a virtualized network security system, because it provides an efficient mechanism for generating configuration data for a flow-based managed forwarding element (MFE) in order for the MFE to implement distributed service rules (e.g., distributed firewall rules) in the virtualized network security system. (¶0002/¶0031, Chalvadi)

Re. claim 10, Lee, Goldfarb and Chalvadi teach claim 9.
Yet, Lee and Goldfarb do not expressly teach wherein the at least one action set is executed in order of priority.
However, in the analogous art, Chalvadi explicitly discloses wherein the at least one action set is executed in order of priority. (Fig. 1-14 & ¶0031 - a network controller (operating, e.g., on the same physical machine as the MFE) receives the distributed service rules, assigns priorities to the rules, and generates configuration data (e.g., flow entries) for the rules in an optimized manner. Fig. 1-14 & ¶0036 - the rules might be organized with all layer 2 (L2) rules in a first set and all layer 3 (L3) rules in a second set….. These sets of service rules (also referred to as rule sections) are organized with priorities, from a highest-priority rule section to a lowest-priority rule section. In addition, within each rule section, the service rules themselves are organized from a highest-priority rule to a lowest-priority rule. Fig. 1-14 & ¶0043 - The priority allocator 220 of some embodiments starts with the highest-priority rule section, and assigns those service rules the highest priorities (in the same order in which the service rules are ordered within the section), then proceeds to the next-highest-priority rule section and assigns those service rules the next highest priorities (again in the same order in which the service rules are ordered within the section), and so on through the lowest-priority rule section, with the lowest priority assigned to the lowest-priority service rule in the lowest-priority rule section. Fig. 1-14 & ¶0063 - process 300 begins by receiving (at 305) service rule sets (i.e., rule sections) with a priority order and with each set having an internal priority order for its rules. ….The network administrator may group the rules into sections and determine the relative order of priority within that section. Fig. 1-14 & ¶0064 - a set of rule sections 405 received from the central control plane. Specifically, this figure illustrates X rule sets, each with multiple ordered rules. These X rule sets are arranged in priority order from 1 to X, with 1 being the highest-priority rule set and X being the lowest-priority rule set. Fig. 1-14 & ¶0145 - This stage contains one flow entry for each of the seven rules, arranged in priority order. If all of the conjunctive parameters have been matched for one of the rules, then its corresponding flow entry will be matched. They are arranged with the priority values of the rules, because a packet could (depending on the parameters for the rules) match multiple rules. If all of the conjunctive parameters for a particular rule are matched, the corresponding flow entry specifies to perform the actions for that rule).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels to include Chalvadi’s invention of priority allocation for distributed service rules in a virtualized network security system, because it provides an efficient mechanism for generating configuration data for a flow-based managed forwarding element (MFE) in order for the MFE to implement distributed service rules (e.g., distributed firewall rules) in the virtualized network security system. (¶0002/¶0031, Chalvadi)
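The priority scheme the rejections of claims 4-6 and 9-10 rely on, shown as an added illustration that is not part of this office action or of any cited reference: rule sections are walked from highest to lowest priority, rules keep their order within each section, the forwarding element executes the highest-priority matching entry, and entries that share a priority value are resolved by their order in the table. The rule names, packet fields and sample sections are constructed for the example.

```python
"""Added illustration of priority allocation over ordered rule sections.
Not code from the office action or from Chalvadi; rule names, packet
fields and the sample sections below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """A service rule: a predicate over packet fields plus an action."""
    name: str
    match: dict          # e.g. {"proto": "tcp", "dst_port": 22}
    action: str          # "allow" or "drop"
    priority: int = 0    # filled in by allocate_priorities()

    def matches(self, packet: dict) -> bool:
        # Every field the rule names must equal the packet's value;
        # fields the rule does not name are wildcards.
        return all(packet.get(k) == v for k, v in self.match.items())


def allocate_priorities(sections: list[list[Rule]]) -> list[Rule]:
    """Hand out descending priorities section by section.

    sections[0] is the highest-priority rule section and each section
    lists its rules from highest to lowest priority. A larger number
    means a higher priority, so the first rule of the first section
    receives the largest value and the last rule of the last section 1.
    """
    next_priority = sum(len(s) for s in sections)
    flat: list[Rule] = []
    for section in sections:
        for rule in section:
            rule.priority = next_priority
            next_priority -= 1
            flat.append(rule)
    return flat


def build_flow_table(rules: list[Rule]) -> list[Rule]:
    """Order entries so the highest-priority one is examined first.

    sorted() is stable, so entries sharing a priority value keep their
    relative order from the input list: that order is the tie-break.
    """
    return sorted(rules, key=lambda r: r.priority, reverse=True)


def lookup(table: list[Rule], packet: dict) -> Optional[Rule]:
    """Return the first (highest-priority) entry whose predicate matches."""
    for rule in table:
        if rule.matches(packet):
            return rule
    return None


# Constructed sample: an L2 section that outranks an L3 section.
SECTIONS = [
    [Rule("l2-block-mac", {"src_mac": "de:ad:be:ef:00:01"}, "drop"),
     Rule("l2-allow-vlan10", {"vlan": 10}, "allow")],
    [Rule("l3-allow-ssh", {"proto": "tcp", "dst_port": 22}, "allow"),
     Rule("l3-default-drop", {}, "drop")],
]
FLOW_TABLE = build_flow_table(allocate_priorities(SECTIONS))


def decide(packet: dict) -> str:
    """Action of the highest-priority matching rule; drop when none matches."""
    hit = lookup(FLOW_TABLE, packet)
    return hit.action if hit else "drop"


if __name__ == "__main__":
    for r in FLOW_TABLE:
        print(r.priority, r.name, r.action)
    print(decide({"vlan": 10, "proto": "tcp", "dst_port": 22}))
```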

Claims 12-13 are rejected under 35 U.S.C. 103 as being unpatentable over Lee, in view of Goldfarb, further in view of He et al. (2020/0314179), He hereinafter.

Re. claim 12, Lee and Goldfarb teach claim 8.
Yet, Lee and Goldfarb do not expressly teach further comprising: a ternary content-addressable memory (TCAM) in which the data structure is stored.
However, in the analogous art, He explicitly discloses further comprising: a ternary content-addressable memory (TCAM) in which the data structure is stored. (Fig. 1-6 & ¶0007 - A method is implemented by a network device acting as a controller in a control plane of a software defined networking (SDN) network. The controller is communicatively coupled to a switch in a data plane of the SDN network, where the controller manages packet processing functionality of the switch. The method to manage data storage resource utilization of the switch. The method includes receiving data storage resource sharing information from the switch, where the data storage resource sharing information includes an indication of tables stored in the switch that share a data storage resource of the switch. The method further includes transmitting instructions to the switch to insert one or more entries in a first table from the tables that share the data storage resource. Fig. 1-6 & ¶0035 - switch 120 includes data storage resources 130A-C. A data storage resource 130, as used herein, refers to a physical or logical repository that can store data. Examples of data storage resources include, … Ternary Content Addressable Memory (TCAM), hash memory, and counter memory. A data storage resource 130 can store table entries for one or more tables. … Examples of tables include, … routing tables, an Access Control List (ACL). Fig. 1-6 & ¶0041 - table X, table Y, and table Z share the same data storage resource 130 (e.g., same hash memory 230A, TCAM 230B, or counter memory 230C)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels to include He’s invention of advertising network resource sharing status in a software defined networking (SDN) network, because it provides an efficient mechanism for adjusting data storage resource utilization among various tables (e.g., Access Control List (ACL), Forwarding Database (FDB), Label Forwarding Information Base (LFIB)) as used by a plurality of virtual switches in the SDN network. (¶0003-¶0006, He)
Re. claim 13, Lee, Goldfarb and He teach claim 12.
Yet, Lee and Goldfarb do not expressly teach wherein the data structure is a programmable flow table.
However, in the analogous art, He explicitly discloses wherein the data structure is a programmable flow table. (Fig. 1-6 & ¶0004 - in SDN (Software Defined Networking) networks, where switches are programmable, multiple tables implemented on a given hardware platform may share the same data storage resource. For example, a commercial switching chipset may include data storage resources such as a hash memory, a TCAM, and counter memory that each store multiple tables. Fig. 1-6 & ¶0035 - switch 120 includes data storage resources 130A-C….. Examples of data storage resources include…. Ternary Content Addressable Memory (TCAM), hash memory, and counter memory. A data storage resource 130 can store table entries for one or more tables…..… routing tables, an Access Control List (ACL)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and Goldfarb’s invention of automated sensing of network conditions for dynamically provisioning efficient VPN tunnels to include He’s invention of advertising network resource sharing status in a software defined networking (SDN) network, because it provides an efficient mechanism for adjusting data storage resource utilization among various tables (e.g., Access Control List (ACL), Forwarding Database (FDB), Label Forwarding Information Base (LFIB)) as used by a plurality of virtual switches in the SDN network. (¶0003-¶0006, He)

Claims 14 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Lee, in view of He.

Re. claim 14, Lee teaches a method comprising: identifying a plurality of network objects that are interconnected through a network visibility appliance to which data packets are to be routed for analysis (Fig.1/Fig.3/Fig.4/Fig.6/Fig.11A–B & ¶0026 - a method includes … to determine whether an IP address of the destination is listed in the static routing table, …. upon a determination that use of the virtual network is permitted, establishing for the client a virtual network connection between the first end point and the destination. ¶0027 - The method may further include upon the determination that use of the virtual network is permitted, creating at the first end point a first dynamic routing table having first routing information, the first routing information including a first identifier that identifies the virtual network connection, and forwarding the first routing information to a virtual network switch between the first and second network domains, where the virtual network switch consults a second dynamic virtual routing table having second routing information. ¶0028 - second dynamic virtual routing table is provisioned by a controller after the controller determines that use of the virtual network is permitted. A similar inventive concept is disclosed by the inventor of the instant application in ¶0021-¶0022, in reference to a legacy map (or static data structure) and a dynamic data structure (e.g. a programmable flow table). Also, in ref. to network objects, see Fig.4/11B-C, end points, Fig.3, network interface (¶0055), similar to applicant’s disclosures in ¶0049. ¶0082 - public cloud include …. multiple consumers using a multi-tenant); associating each network object of the plurality of network objects with an action set (¶0057 - switch can forward a data packet only to the appropriate port for the intended recipient, based on information in each packet header…the switch establishes a temporary connection between the source and destination…. Fig. 10 & 11A-B ¶0163 - In a step 1125, traffic or data packets are received and filtered according to the static virtual routing tables. Data packets not having a routing address listed in the static routing table are forwarded to the local TCP/IP network (step 1130). ¶0164 - if a data packet includes a routing address that matches an entry in the static virtual routing table, a security check 1135 is performed to determine whether a virtual network connection should be established. ¶0082 - public cloud include …. multiple consumers using a multi-tenant); constructing a data structure that is representative of the network visibility appliance by - creating a separate entry for each network object of the plurality of network objects (Fig.1/Fig.4/Fig. 10 & ¶0025 - establishing for the application program a virtual network connection includes creating at the first end point a first dynamic routing table having first routing information, the first routing information including a first session identifier for the virtual network connection, and forwarding the first routing information to a virtual network switch between the first and second network domains. ¶0163 - In a step 1125, traffic or data packets are received and filtered according to the static virtual routing tables. Data packets not having a routing address listed in the static routing table are forwarded to the local TCP/IP network (step 1130). ¶0164 - if a data packet includes a routing address that matches an entry in the static virtual routing table, a security check 1135 is performed to determine whether a virtual network connection should be established), and establishing an association between a pair of entries for each traffic flow between a pair of network objects of the plurality of network objects (Fig.1/Fig.4/Fig. 10 & ¶0025 & ¶0057, Fig.11A-C & ¶0163 - In a step 1125, traffic or data packets are received and filtered according to the static virtual routing tables. Data packets not having a routing address listed in the static routing table are forwarded to the local TCP/IP network (step 1130). determining …comparing one or more … associated with the second end point. ¶0164 - if a data packet includes a routing address that matches an entry in the static virtual routing table, a security check 1135 is performed to determine whether a virtual network connection should be established. That is, a plurality of rules associated with two different filtering/matching criteria in steps 1125 and 1135. Also, Fig. 11B-C/Fig.10 show traffic/data flow between a pair of network objects along with Fig.11A. Fig. 11C shows a plurality of entries in the data structure (routing table); also see ¶0187, which shows a plurality of entries in the data structure when a second client-server application is provisioned to route through the virtual network and another entry can be added to the static virtual table as shown in Table H), wherein each action set includes at least one of a pass action that is represented in the data structure as an established association (¶0168 - if the security check passes (step 1145), the controller informs the virtual network proxies and virtual network switches to create a session for the virtual network connection), or a drop action that is represented in the data structure as a lack of established associations (¶0167 - If the security check fails (step 1140), the application client is blocked from connecting to the application server);



Yet, Lee does not expressly teach storing the data structure in a memory that is accessible to the network visibility appliance.
However, in the analogous art, He explicitly discloses storing the data structure in a memory that is accessible to the network visibility appliance (Fig. 1-6 & ¶0007 - A method is implemented by a network device acting as a controller in a control plane of a software defined networking (SDN) network. The controller is communicatively coupled to a switch in a data plane of the SDN network, where the controller manages packet processing functionality of the switch. The method to manage data storage resource utilization of the switch. The method includes receiving data storage resource sharing information from the switch, where the data storage resource sharing information includes an indication of tables stored in the switch that share a data storage resource of the switch. The method further includes transmitting instructions to the switch to insert one or more entries in a first table from the tables that share the data storage resource. Fig. 1-6 & ¶0035 - switch 120 includes data storage resources 130A-C. A data storage resource 130, as used herein, refers to a physical or logical repository that can store data. Examples of data storage resources include, but are not limited to, Ternary Content Addressable Memory (TCAM), hash memory, and counter memory. A data storage resource 130 can store table entries for one or more tables. … Examples of tables include, … routing tables, an Access Control List (ACL). Fig. 1-6 & ¶0041 - table X, table Y, and table Z share the same data storage resource 130 (e.g., same hash memory 230A, TCAM 230B, or counter memory 230C)).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains to include He’s invention of advertising network resource sharing status in a software defined networking (SDN) network, because it provides an efficient mechanism for adjusting data storage resource utilization among various tables (e.g., Access Control List (ACL), Forwarding Database (FDB), Label Forwarding Information Base (LFIB)) as used by a plurality of virtual switches in the SDN network. (¶0003-¶0006, He)
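The data structure as the rejections of claims 12-14 map it, shown as an added illustration that is not part of this office action or of any cited reference: one entry per network object, an established association per permitted flow, a pass action represented by the presence of an association and a drop action by its absence, held in a TCAM-style ternary table whose fixed capacity is shared with other tables in the way He describes. Object names, key widths, the capacity and the table names are constructed for the example.

```python
"""Added illustration: an appliance map stored as a ternary (TCAM-style)
flow table that shares capacity with other tables. Not code from the
office action or from any cited reference; object names, key widths and
capacities are constructed."""
from dataclasses import dataclass
from typing import Optional

ID_BITS = 16
ID_MASK = (1 << ID_BITS) - 1
FULL_MASK = (1 << (2 * ID_BITS)) - 1    # exact match on both object ids
SRC_ONLY_MASK = ID_MASK << ID_BITS      # care about source id only


@dataclass(frozen=True)
class TcamEntry:
    value: int      # bits to compare against the lookup key
    mask: int       # 1 = care bit, 0 = wildcard (the "ternary" part)
    action: str     # "pass" for an established association

    def hits(self, key: int) -> bool:
        return (key & self.mask) == (self.value & self.mask)


class SharedTcam:
    """A fixed-size data storage resource shared by several tables."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        self.tables: dict[str, list[TcamEntry]] = {}

    def used(self) -> int:
        return sum(len(t) for t in self.tables.values())

    def insert(self, table: str, entry: TcamEntry) -> bool:
        # The resource is shared: any table can exhaust it for the others,
        # which is why utilisation has to be managed across tables.
        if self.used() >= self.capacity:
            return False
        self.tables.setdefault(table, []).append(entry)
        return True

    def lookup(self, table: str, key: int) -> Optional[TcamEntry]:
        return next((e for e in self.tables.get(table, []) if e.hits(key)), None)


class ApplianceMap:
    """Entries for network objects plus associations for their flows."""

    def __init__(self, tcam: SharedTcam, table: str = "appliance") -> None:
        self.tcam = tcam
        self.table = table
        self.objects: dict[str, int] = {}   # object name -> identifier (entry)

    def add_object(self, name: str) -> int:
        if name not in self.objects:
            self.objects[name] = len(self.objects) + 1   # 0 never used
        return self.objects[name]

    def flow_key(self, src: str, dst: str) -> int:
        return (self.objects[src] << ID_BITS) | self.objects[dst]

    def associate(self, src: str, dst: str) -> bool:
        """Pass action for the src -> dst flow: an exact-match association."""
        return self.tcam.insert(self.table, TcamEntry(self.flow_key(src, dst), FULL_MASK, "pass"))

    def associate_any_dst(self, src: str) -> bool:
        """Pass action from src to every object: destination bits are wildcards."""
        return self.tcam.insert(self.table, TcamEntry(self.objects[src] << ID_BITS, SRC_ONLY_MASK, "pass"))

    def lookup(self, src: str, dst: str) -> str:
        """Pass when an association exists; a missing association is a drop."""
        if src not in self.objects or dst not in self.objects:
            return "drop"
        hit = self.tcam.lookup(self.table, self.flow_key(src, dst))
        return hit.action if hit else "drop"


if __name__ == "__main__":
    m = ApplianceMap(SharedTcam(capacity=3))
    for name in ("web", "app", "db", "monitor"):
        m.add_object(name)
    m.associate("web", "app")
    m.associate_any_dst("monitor")
    print(m.lookup("web", "app"), m.lookup("app", "web"), m.lookup("monitor", "db"))
```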
Re. claim 18, Lee and He teach claim 14.
Lee further teaches further comprising: causing a graph that visually represents the network visibility appliance to be presented on a display of a computing device; and enabling an individual to specify a modification to the network visibility appliance by modifying the graph. (Fig.8-9, Fig.14-15 & ¶0121 - The administration module may include a graphical user interface (GUI) so that the administrator can easily manage the system. Using the administration module, an administrator can identify, create, add, update, delete, modify, alter, and remove users, groups, applications, and end points for the virtual network. ¶0122 - Table A below shows an example listing of users that may be defined through the administration module)
Claims 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Lee, in view of He, further in view of Ching et al. (2015/0295779), Ching hereinafter.

Re. claim 15, Lee and He teach claim 14.
Lee further teaches routing the data packets through the plurality of network objects based on the data structure (Fig.1, Fig.4 & ¶0023 - virtual network includes a virtual network switch connected between the first and second network domains, and a virtual routing table. The virtual network switch receives a data packet from the first end point, and based on the virtual routing table, forwards a payload in the data packet to the second end point in the second network domain. ¶0081 - the first or second domains is a public cloud….A public cloud refers to a computing infrastructure in which services are rendered over a network that is open for public use (e.g., Internet). ¶0082 - public cloud include on-demand self-service …provider's computing resources are pooled to serve multiple consumers using a multi-tenant model…).
Yet, Lee and He do not expressly teach acquiring, from a public cloud infrastructure, the data packets that are indicative of traffic associated with a given user.
However, in the analogous art, Ching explicitly discloses acquiring, from a public cloud infrastructure, the data packets that are indicative of traffic associated with a given user (Fig. 1-23 & ¶0011 - Configuration or management of event streams generated from network packets captured by the remote capture agents may be performed through a GUI. The GUI may allow a user (e.g., an administrator) to specify a protocol used by network packets from which an event stream is created. Fig. 1-23 & ¶0012 - The GUI may also include a number of user-interface elements that further assist the user with management and use of the event streams. Fig. 1-23 & ¶0013 - The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Fig. 1-23 & ¶0151 - Remote capture agent 950 may also be installed in a remote computing environment such as a cloud computing system. For example, remote capture agent 950 may be installed on a physical server and/or in a virtual computing environment (e.g., virtual machine) that is distributed across one or more physical machines. Fig. 1-23 & ¶0273 - The graphs in column 1720 and/or user-interface element 1732 may further be updated in real-time with time-series event data as the time-series event data is received from one or more remote capture agents);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and He’s invention of advertising network resource sharing status in a software defined networking (SDN) network to include Ching’s invention of a system and a method for distributed processing of network data using remote capture agents, because it provides an efficient mechanism for capturing network data distributed in remote locations, thereby allowing users to configure and change the configuration of the captured network data on-the-fly rather than in fixed formats in cloud computing environments. (¶0007-¶0010, Ching)
Re. claim 16, Lee, He and Ching teach claim 15.
Yet, Lee and He do not expressly teach wherein the given user is one of a plurality of users that are able to access the public cloud infrastructure.
However, in the analogous art, Ching explicitly discloses wherein the given user is one of a plurality of users that are able to access the public cloud infrastructure. (Fig. 1-23 & ¶0011 - Configuration or management of event streams generated from network packets captured by the remote capture agents may be performed through a GUI. The GUI may allow a user (e.g., an administrator) to specify a protocol used by network packets from which an event stream is created. Fig. 1-23 & ¶0012 - The GUI may also include a number of user-interface elements that further assist the user with management and use of the event streams. Fig. 1-23 & ¶0013 - The disclosed embodiments provide a system that facilitates the processing of network data. During operation, the system causes for display a graphical user interface (GUI) for obtaining configuration information for configuring the generation of time-series event data from network packets captured by one or more remote capture agents. Fig. 1-23 & ¶0151 - Remote capture agent 950 may also be installed in a remote computing environment such as a cloud computing system. For example, remote capture agent 950 may be installed on a physical server and/or in a virtual computing environment (e.g., virtual machine) that is distributed across one or more physical machines. Fig. 1-23 & ¶0273 - The graphs in column 1720 and/or user-interface element 1732 may further be updated in real-time with time-series event data as the time-series event data is received from one or more remote capture agents);
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and He’s invention of advertising network resource sharing status in a software defined networking (SDN) network to include Ching’s invention of a system and a method for distributed processing of network data using remote capture agents, because it provides an efficient mechanism for capturing network data distributed in remote locations, thereby allowing users to configure and change the configuration of the captured network data on-the-fly rather than in fixed formats in cloud computing environments. (¶0007-¶0010, Ching)

Claim 17 is rejected under 35 U.S.C. 103 as being unpatentable over Lee, in view of He, in view of Ching, further in view of Zourzouvillys et al. (2015/0319063), Zourzouvillys hereinafter.

Re. claim 17, Lee, He and Ching teach claim 15.
Yet, Lee, He and Ching do not expressly teach further comprising: forwarding at least some of the data packets that were not dropped by the plurality of network objects to the public cloud infrastructure.
However, in the analogous art, Zourzouvillys explicitly discloses further comprising: forwarding at least some of the data packets that were not dropped by the plurality of network objects to the public cloud infrastructure. (Fig. 1-9 & ¶0072 -  monitoring network traffic and congestion, the network monitor 210 may monitor the number or percentage of dropped packets in each connection. For example, the connection between the network device 202 and the first datacenter 204a may have 40% dropped packets while the connection with the second datacenter 204b has 1% dropped packets….. Thus, dropped packets may indicate only partial amounts of information being sent between users. Fig. 1-9 & ¶0184 - Embodiments of the invention can also be implemented in cloud computing environments. …, cloud computing can be employed in the marketplace to offer ubiquitous and convenient on-demand access to the shared pool of configurable computing resources).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains, He’s invention of advertising network resource sharing status in a software defined networking (SDN) network and Ching’s invention of a system and a method for distributed processing of network data using remote capture agents to include Zourzouvillys’s invention of a system and a method for monitoring and analyzing network characteristics between a plurality of network devices and a plurality of datacenters, because it provides an efficient mechanism for utilizing network resources by dynamically mapping the plurality of network devices to the plurality of datacenters, which in turn improves the overall reliability and quality of a network-based communication system. (¶0005-¶0012, Zourzouvillys)

Claim 19 is rejected under 35 U.S.C. 103 as being unpatentable over Lee, in view of He, further in view of Doctor et al. (2016/0182336), Doctor hereinafter.

Re. claim 19, Lee and He teach claim 14.
Yet, Lee and He do not expressly teach wherein the data packets are replicated when leaving a network object that corresponds to an entry that has more than one established association.
However, in the analogous art, Doctor explicitly discloses wherein the data packets are replicated when leaving a network object that corresponds to an entry that has more than one established association. (Fig.2 & ¶0045 - Distributed virtual switch 270, which monitors the ports of a distributed virtual switch to which tenant VMs connect, receives the data packet. After distributed virtual switch 270 receives the data packet, distributed virtual switch 270 sends a copy of the packet to the destination tenant VM, based upon the tenant address included in the packet header. Fig. 3 & ¶0052 - if more than one sniffer VM corresponds to the monitored tenant VM, then packet processor 242 creates multiple copies of the originally transmitted data packet, one copy for each corresponding sniffer VM, and replaces the address in the header of each of the data packets. Then, each data packet may then be transmitted to an appropriate target sniffer VM.).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and He’s invention of advertising network resource sharing status in a software defined networking (SDN) network to include Doctor’s invention of monitoring network traffic in a cloud computing system, because it provides a tenant application programming interface (API) which supports operations for manipulating IaaS constructs such as virtual machines (VMs) and logical networks in a hybrid cloud network monitoring system. (Abstract, ¶0002, ¶0005, Doctor)

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Lee, in view of He, further in view of Chandrashekar (2018/0063193), Chandrashekar hereinafter.

Re. claim 20, Lee and He teach claim 14.
Lee further teaches wherein the plurality of network objects includes at least one of a raw endpoint, a tunnel endpoint, an application endpoint, or a map (Fig. 1-18 & ¶0020 - creating at the first end point a first dynamic routing table having first routing information, the first routing information including a first session identifier for the virtual network connection, and forwarding the first routing information to a virtual network switch between the first and second network domains. ¶0055 - A network generally includes: .. (2) a network interface or network interface card (NIC) … The NIC is a device that lets the computer talk to the network. Fig. 3 & ¶0063 - network interface 318. ¶0073 - an end point may include a user interface, .. a network interface. Fig. 1-18 & ¶0095 - The physical networking device may include its own set of rules (a map is a collection of one or more rules as per applicant’s disclosure in ¶0056) … forwarding the data packet.. These rules and logic are separate from or independent of the rules and logic of the virtual network platform. Fig. 9 & ¶0163 - In a step 1125, traffic or data packets are received and filtered according to the static virtual routing tables….. determining … comparing one or more … associated with the second end point .... ¶0164 - if a data packet includes a routing address that matches an entry in the static virtual routing table, a security check 1135 is performed to determine whether a virtual network connection should be established. Fig. 11B/Fig. 10 show traffic/data flow between a pair of network objects along with Fig. 11), and wherein each raw endpoint, if any, receives traffic from a Network Interface Card (NIC) of the network visibility appliance (¶0055 - A network generally includes: .. (2) a network interface or network interface card (NIC) … The NIC is a device that lets the computer talk to the network. Fig. 3 & ¶0063 - network interface 318. ¶0073 - an end point may include a user interface, .. a network interface. This is similar to applicant’s disclosures in ¶0049. Fig. 6 & ¶0091 - step 610, a data packet (e.g., request) is received at a first end point in a first network domain to be sent to a destination), an environment outside of the network visibility appliance (Fig. 6 & ¶0095 - in a step 625 if the connection should not be provided through the virtual network, the data packet is passed outside the virtual network), each application endpoint, if any, receives traffic from, or sends traffic to, an application program (¶0096 - the administrator can use the system to control which applications will use the virtual network… Fig. 7-8 & ¶0099 - for such a security policy can be a rule for a GDB server application that is running on certain server machines in a network domain which can be accessed by a certain group of client machines running the GDB client software in a different network domain), and each map, if any, includes at least one rule for managing traffic (Fig. 1-18 & ¶0095 - The physical networking device may include its own set of rules (a map is a collection of one or more rules as per applicant’s disclosure in ¶0056) … forwarding the data packet.. These rules and logic are separate from or independent of the rules and logic of the virtual network platform).
Yet, Lee and He do not expressly teach each tunnel endpoint, if any, receives traffic from, or sends traffic to.
However, in the same field of endeavor, Chandrashekar discloses each tunnel endpoint, if any, receives traffic from, or sends traffic to, (Fig.11 & ¶0149 - IP address of the VM with regard to the cloud provider is different than the IP address of the logical port mapped to that VM, as the IP address facing the cloud provider network is that of the tunnel endpoint created for the MFE operating on the VM.  In this case, the logical switch 1110 is assigned the subnet 192.168.1.0/24.  In addition, four VMs are shown attached to the logical switch 1110. Fig.12 & ¶0152 - tunnels are created (through the underlay network) between each pair of the MFEs operating on the VMs 1205-1220.  The gateway can also send packets to (and receive packets from) destinations within the on-premises private datacenter 1230.  To send these packets, the gateway 1225 encapsulates the packets using its VTEP IP (10.1.0.5), so that the destination will identify the incoming packet as a logical network packet).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine Lee’s invention of a virtual network platform for enterprise hybrid cloud computing environments to facilitate secure communications between two or more network domains and He’s invention of advertising network resource sharing status in a software defined networking (SDN) network to include Chandrashekar’s invention of distributed network encryption for logical network implementation in a public cloud, because it provides an enterprise network the ability to manage a logical network that spans across one or more public multi-tenant datacenters. (¶0001/¶0003, Chandrashekar)

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED SHAMSUL CHOWDHURY whose telephone number is (571)272-0485.  The examiner can normally be reached on Monday-Thursday 9 AM- 6 PM EST (Friday Var.).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Hassan Phillips can be reached on 571-272-3940.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MOHAMMED S CHOWDHURY/Examiner, Art Unit 2467