Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Mani Adeli, Registration No. 39,585, on August 10, 2022.

The application has been amended as follows: 
Claims 11, 14, 21, 24, 28 have been amended, and canceled claims are 13, 15-17, 23, 25-27.

11.	(Currently Amended) A method of performing security services in a software-defined wide area network (SD-WAN) connecting multiple physical sites of an enterprise, the method comprising:
deploying, at a first physical site of the enterprise, an edge device; and
configuring the edge device to forward packets from computers at the first physical site that are addressed to destinations outside of the first physical site to a cloud gateway outside of the first physical site and accessible through the Internet,
the cloud gateway having an associated cloud web security (CWS) service to perform security scanning for packets, which are from the edge device and are addressed to destinations outside of the first physical site, before the packets are forwarded to the destinations of the packets; wherein the cloud gateway forwards packets to the CWS service along a first tunnel for the CWS service to perform the security scanning on the packets before the packets are forwarded to their destinations;
said configuring the edge device comprises (i) configuring the edge device to forward packets to the cloud gateway along a second tunnel through a first link of a first Internet Service Provider (ISP), and (ii) configuring the edge device to dynamically shift to a third tunnel through a second link of a second ISP to forward packets to the cloud gateway.
12.	(Previously Presented) The method of claim 11, wherein the CWS service performs service insertion for data traffic from the enterprise first network prior to the data traffic being sent to the public Internet.
13.	(Canceled) 
14.	(Currently Amended) The method of claim [[13]] 11, wherein the first tunnel is an IPsec tunnel.
15-17.	(Canceled) 
18.	(Currently Amended) The method of claim [[17]]11 further comprising configuring the edge device to dynamically select between the and third tunnels based on measurement metrics repeatedly taken regarding a state of each tunnel, wherein configuring the edge device to dynamically select between the first and second tunnels comprises said configuring the edge to dynamically shift to the second tunnel third.
19.	(Previously Presented) The method of claim 11, wherein the packets are forwarded to their destinations along the Internet.
20.	(Previously Presented) The method of claim 11, wherein the physical sites, including the first physical site, comprise branch sites of the enterprise.
21.	(Currently Amended) A non-transitory machine readable medium storing a program for performing security services in a software-defined wide area network (SD-WAN) connecting multiple physical sites of an enterprise, the program for execution by at least one processing unit, the program comprising sets of instructions for:
deploying, at a first physical site of the enterprise, an edge device; and
the cloud gateway having an associated cloud web security (CWS) service to perform security scanning for packets, which are from the edge device and are addressed to destinations outside of the first physical site, before the packets are forwarded to the destinations of the packets; wherein the cloud gateway forwards packets to the CWS service along a first tunnel for the CWS service to perform the security scanning on the packets before the packets are forwarded to their destinations;
said configuring the edge device comprises (i) configuring the edge device to forward packets to the cloud gateway along a second tunnel through a first link of a first Internet Service Provider (ISP), and (ii) configuring the edge device to dynamically shift to a third tunnel through a second link of a second ISP to forward packets to the cloud gateway.
22.	(Previously Presented) The non-transitory machine readable medium of claim 21, wherein the CWS service performs service insertion for data traffic from the enterprise first network prior to the data traffic being sent to the public Internet.
23.	(Canceled) 
24.	(Currently Amended) The non-transitory machine readable medium of claim [[23]] 21, wherein the first tunnel is an IPsec tunnel.
25-27.	(Canceled) 
28.	(Currently Amended) The non-transitory machine readable medium of claim [[27]] 21, wherein the program further comprises a set of instructions for configuring the edge device to dynamically select between the and third tunnels based on measurement metrics repeatedly taken regarding a state of each tunnel, wherein configuring the edge device to dynamically select between the first and second tunnels comprises said configuring the edge to dynamically shift to the second tunnel third.
29.	(Previously Presented) The non-transitory machine readable medium of claim 21, wherein the packets are forwarded to their destinations along the Internet.
30.	(Previously Presented) The non-transitory machine readable medium of claim 21, wherein the physical sites, including the first physical site, comprise branch sites of the enterprise.


Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance: 

Claims 11 - 30 are pending.  
Claims 11, 21 are allowed based on the following:

        The prior art of record considered individually or in combination, fails to fairly show or suggest wherein performing security services in a software-defined wide area network (SD-WAN) connecting multiple physical sites of an enterprise, wherein deploying an edge device, at a first physical site of an enterprise, and wherein configuring the edge device to forward packets from computers at a first physical site that are addressed to destinations outside of the first physical site to a cloud gateway outside of the first physical site and accessible through the Internet, and wherein a cloud gateway having an associated cloud web security (CWS) service in order to perform security scanning for packets, which are from the edge device and are addressed to destinations outside of the first physical site, before the packets are forwarded to their destinations, and wherein the cloud gateway forwards packets to the CWS service along a first tunnel for the CWS service in order to perform security scanning on packets before the packets are forwarded to their destinations, and wherein said configuring the edge device comprises the following: (i) configuring the edge device to forward packets to the cloud gateway along a second tunnel through a first link of a first Internet Service Provider (ISP), and (ii) configuring the edge device to dynamically shift to a third tunnel through a second link of a second ISP in order to forward packets to the cloud gateway, in addition to the other limitations in the specific manner as recited in claims 11 - 30.  
  
Claims 12, 14, 18 - 20 are allowed due to allowed base claim 11.  
Claims 22, 24, 28 - 30 are allowed due to allowed base claim 21.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

/KYUNG H SHIN/
Primary Examiner, Art Unit 2452
8-10-2022