DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this Application after Final Rejection. Since this Application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office Action has been withdrawn pursuant to 37 CFR 1.114. Applicant’s submission filed on 07/20/2022 has been entered. 
Claims 1, 11 and 20 are amended and claims 1-20 remain pending.

Response to Arguments
Applicant’s arguments, see Remarks: pages 7-8, filed 07/20/2022, with respect to the rejection(s) of claim(s) 1-20 under 35 U.S.C. 103 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Kailash, US8458786.
Further, please find a list of pertinent but not relied upon prior art references in the Conclusion and in the attached PTO-892.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-3, 7, 9-13, 17 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Natarajan, US2014/0208426A1 in view of Kailash, US8458786.

Per claim 1, Natarajan discloses a non-transitory computer-readable storage medium having computer readable code stored thereon for programming a processor, in a node of a cloud-based security system (the systems and methods leverage a distributed, cloud-based security system to sandbox unknown content (which can also be referred to as BA content) in the cloud, to install the unknown content for observation and analysis, and to leverage the results in the cloud for near immediate protection from newly detected malware – Natarajan: par. 0032), to perform steps of: 
receiving a plurality of packets, each of the plurality of packets being received from a respective network device (each of the processing nodes 110 may include a decision system, e.g., data inspection engines that operate on a content item, e.g., a web page, a file, an email message, or some other data or data communication that is sent from or requested by one of the external systems – Natarajan: par. 0033), each respective device being associated with one of a plurality of tenants associated with the cloud-based security system and being external to the node, the cloud-based security system enabling communication over a Wide Area Network (WAN) (users of the external systems may provide and define security policies, e.g., whether email traffic is to be monitored, whether certain web sites are to be precluded, etc. … the distributed security system 100 can be viewed as "security as a service" allowing threat detection, malware preclusion, etc. without having native applications installed on each individual user device or user equipment – Natarajan: par. 0038 and 0041), 
selecting firewall policies for processing each respective packet (content item) of the plurality of packets based on a matching criteria (Based on the subset classification, the processing node 110 may allow distribution of the content item, preclude distribution of the content item, allow distribution of the content item after a cleaning process, or perform threat detection on the content item – Natarajan: par. 0034 – Note: matching criteria is equivalent to classification), wherein the cloud-based security system supports the plurality of tenants and the firewall policies are selected based on which tenant is in the matching criteria for the respective packet and which of a plurality of firewall policies are associated with the tenant (the processing nodes 110 are external to network edges of the external systems 200, 220 and 230. Each of the processing nodes 110 stores security policy data 113 received from the authority node 120 and monitors content items requested by or sent from the external systems 200, 220 and 230. In an exemplary embodiment, each of the processing nodes 110 may also store a detection process filter 112 and/or threat data 114 to facilitate the decision of whether a content item should be processed for threat detection. A processing node manager 118 may manage each content item in accordance with the security policy data 113, and the detection process filter 112 and/or threat data 114, if stored at the processing node 110, so that security policies for a plurality of external systems in data communication with the processing node 110 are implemented external to the network edges for each of the external systems 200, 220 and 230 – Natarajan: par. 0045 – Note: external systems are equivalent to tenants); 
In the alternative where one argues “selecting firewall policies for processing each respective packet of the plurality of packets based on a matching criteria” is not inherently disclosed by Natarajan, Kailash discloses selecting firewall policies for processing each respective packet of the plurality of packets based on a matching criteria (FIG. 6A is a flow diagram of an example process 600 for managing tunnels in response to receiving a packet. The process 600 can, for example, be performed by a tunnel manager in a processing node to determine whether an existing session exists for a received packet – Kailash: col. 9-10, lines 1-67 and lines 1-16 – Note: Table 1 describes actions that the tunnel manager takes in response to particular events and the presence or absence of entries of tunnel sessions and location sessions in the corresponding data structures stored in the location/tunnel data. Each listed state corresponds to the tunnel session status and location status, and each listed tunnel manager action occurs for its given state and tunnel event).
Kailash further discloses generating a new firewall session, at the node, for each packet matching a distinctive firewall policy by allocating resources thereto, wherein the new firewall session is generated for each packet if the packet is location-based and is not destined for the cloud node (in response to determining the absence of a session entry and the existence of a location entry in the tunnel session data and the location data, respectively, creating a corresponding session entry in the tunnel session data structure and requesting a location certificate from a client device associated with the tunnel packet – Kailash: Summary); and 
processing each of the plurality of packets utilizing one of the firewall sessions generated by directing packets to a respective firewall session based on the matching criteria to determine whether or not to block the respective packet from transmission over the WAN, the block is performed in the node in the cloud-based security system (A processing node manager 118 can manage each content item in accordance with the security policy data 112 and threat data 114, if stored at the processing node 110, so that security policies for a plurality of external systems in data communication with the processing node are implemented external to the network edges for each of the external systems 200, 220 and 230. For example, depending on the classification resulting from the monitoring, the content item can be allowed, precluded, or threat detected. In general, content items that are already classified as "clean" or not posing a threat can be allowed, while those classified as "violating" can be precluded. Those content items having an unknown status, e.g., content items that have not been processed by the system 100, can be threat detected to classify the content item according to threat classifications – Kailash: col. 6, lines 10-25 – Note: Table 1 describes actions that the tunnel manager takes in response to particular events and the presence or absence of entries of tunnel sessions and location sessions in the corresponding data structures stored in the location/tunnel data. Each listed state corresponds to the tunnel session status and location status, and each listed tunnel manager action occurs for its given state and tunnel event).
Similarly, Natarajan discloses processing each of the plurality of packets utilizing one of the firewall sessions generated by directing packets to a respective firewall session based on the matching criteria to determine whether or not to block the respective packet from transmission over the WAN, the block is performed in the node in the cloud-based security system (A processing node manager 118 may manage each content item in accordance with the security policy data 113, and the detection process filter 112 and/or threat data 114, if stored at the processing node 110, so that security policies for a plurality of external systems in data communication with the processing node 110 are implemented external to the network edges for each of the external systems 200, 220 and 230. For example, depending on the classification resulting from the monitoring, the content item may be allowed, precluded, or threat detected. In general, content items that are already classified as "clean" or not posing a threat can be allowed, while those classified as "violating" may be precluded. Those content items having an unknown status, e.g., content items that have not been processed by the system 100, may be threat detected to classify the content item according to threat classifications – Natarajan: par. 0045).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan in view of Kailash to include selecting firewall policies for processing each respective packet of the plurality of packets based on a matching criteria; generating a new firewall session, at the node, for each packet matching a distinctive firewall policy by allocating resources thereto, wherein the new firewall session is generated for each packet if the packet is location-based and is not destined for the cloud node; and processing each of the plurality of packets utilizing one of the firewall sessions generated by directing packets to a respective firewall session based on the matching criteria to determine whether or not to block the respective packet from transmission over the WAN, the block is performed in the node in the cloud-based security system.
One of ordinary skill in the art would have been motivated because it would allow using tunnel session data and location data for managing tunnels and applying policies for authenticated tunnel sessions – Kailash: col. 3, lines 25-35.
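The packet path described in the claim 1 analysis above (per-tenant policy selection by matching criteria, session creation only for location-based packets not destined for the node, and allow/block decided by directing later packets to the existing session) is illustrated by the following added example. It is not code from the office action, from Natarajan or from Kailash; the tenant names, policies, addresses, the NODE_ADDR constant and the known-location table are all constructed for the illustration, and the session-creation condition is a reading of the claim language rather than either reference's actual implementation.

```python
"""Toy cloud-node firewall path (added illustration, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NODE_ADDR = "203.0.113.10"  # constructed: the cloud node's own address


@dataclass(frozen=True)
class Packet:
    tenant: str                # tenant resolved from the sending network device
    location: Optional[str]    # None when the packet is not location-based
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Policy:
    name: str
    action: str                          # "allow" or "block"
    dports: frozenset = frozenset()      # empty = any port
    protos: frozenset = frozenset()      # empty = any protocol
    locations: frozenset = frozenset()   # empty = any location

    def matches(self, pkt: Packet) -> bool:
        # Matching criteria: port, protocol and (optionally) location.
        return ((not self.dports or pkt.dport in self.dports)
                and (not self.protos or pkt.proto in self.protos)
                and (not self.locations or pkt.location in self.locations))


@dataclass
class Session:
    policy: Policy
    packets: int = 0


FlowKey = Tuple[str, str, str, int, str]  # tenant, src, dst, dport, proto


class CloudNode:
    def __init__(self, tenant_policies: Dict[str, List[Policy]]):
        self.tenant_policies = tenant_policies
        self.sessions: Dict[FlowKey, Session] = {}
        # Constructed "location entries" (tenant, location) known to the node.
        self.known_locations = {("acme", "hq"), ("acme", "branch-1"), ("globex", "hq")}

    def select_policy(self, pkt: Packet) -> Policy:
        # Only the policies of the packet's own tenant are consulted; first match
        # wins, and an unmatched packet falls to a per-tenant default deny.
        for pol in self.tenant_policies.get(pkt.tenant, []):
            if pol.matches(pkt):
                return pol
        return Policy(name=f"{pkt.tenant}-default-deny", action="block")

    def process(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.tenant, pkt.src, pkt.dst, pkt.dport, pkt.proto)
        sess = self.sessions.get(key)
        if sess is None:
            policy = self.select_policy(pkt)
            # A session (resource allocation) is created only when the packet is
            # location-based, its location entry exists, and it is not addressed
            # to the node itself; everything else gets a stateless decision.
            if (pkt.location is None or pkt.dst == NODE_ADDR
                    or (pkt.tenant, pkt.location) not in self.known_locations):
                return policy.action
            sess = Session(policy=policy)
            self.sessions[key] = sess
        sess.packets += 1
        return sess.policy.action


def demo() -> dict:
    """Run a constructed packet sequence through one node; returns observable results."""
    policies = {
        "acme": [Policy("acme-allow-web", "allow", dports=frozenset({80, 443}), protos=frozenset({"tcp"})),
                 Policy("acme-block-ssh", "block", dports=frozenset({22}))],
        "globex": [Policy("globex-allow-all", "allow")],
    }
    node = CloudNode(policies)
    seq = [
        Packet("acme", "hq", "10.0.0.5", "198.51.100.7", 443, "tcp"),    # allow, session created
        Packet("acme", "hq", "10.0.0.5", "198.51.100.7", 443, "tcp"),    # same flow -> same session
        Packet("acme", "hq", "10.0.0.9", "198.51.100.7", 22, "tcp"),     # block, session created
        Packet("globex", "hq", "10.0.0.5", "198.51.100.7", 22, "tcp"),   # allow: other tenant's policy
        Packet("acme", None, "10.0.0.6", "198.51.100.7", 443, "tcp"),    # allow, no session (not location-based)
        Packet("acme", "hq", "10.0.0.5", NODE_ADDR, 443, "tcp"),         # allow, no session (to the node)
    ]
    actions = [node.process(p) for p in seq]
    first = node.sessions[("acme", "10.0.0.5", "198.51.100.7", 443, "tcp")]
    return {"actions": actions, "sessions": len(node.sessions), "first_flow_packets": first.packets}


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is tenant isolation in the matching step: the same destination port 22 is blocked for one tenant and allowed for another purely because policy lookup is keyed by tenant before any criteria are compared, and only flows that satisfy the session condition consume session state.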

Per claim 11, it recites a node in a cloud-based security system, comprising: a processor and memory storing instructions that, when executed, cause the processor to perform the steps as recited in claim 1.
Therefore, claim 11 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claim 20, it recites a method implemented in a node of a cloud-based security system, the method comprising the steps as recited in claim 1.
Therefore, claim 20 is rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 1 above. 

Per claims 2 and 12, Natarajan in view of Kailash discloses features of claims 1 and 11, wherein the firewall policies are further based on a location in the matching criteria (According to a service agreement between a provider of the system 100 and an owner of an external system, the system 100 may thus provide security protection to the external system at any location throughout the geographic region …in the cloud system 500, traffic from various locations (and various devices located therein) such as a regional office 510, headquarters 520, various employee's homes 530, mobile laptop 540, and mobile device 550 is redirected to the cloud system 500 through the cloud nodes 502.  That is, each of the locations 510, 520, 530, 540, 550 is communicatively coupled to the Internet 504 through the cloud nodes 502 – Natarajan: par. 0035 and 0068).

Per claims 3 and 13, Natarajan in view of Kailash discloses features of claims 1 and 11, wherein each respective network device is configured to route Internet-bound traffic to the cloud-based security system (the distributed security system 100 may generally refer to an exemplary cloud-based security system.  Cloud computing systems and methods abstract away physical servers, storage, networking, etc. and instead offer these as on-demand and elastic resources.  The National Institute of Standards and Technology (NIST) provides a concise and specific definition which states cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction – Natarajan: par. 0041).

Per claims 7 and 17, Natarajan in view of Kailash discloses features of claims 1 and 11, wherein the cloud- based security system is configured to operate the firewall policies in a cloud without firewall hardware deployed at local Internet breakouts (the distributed security system 100 may generally refer to an exemplary cloud-based security system.  Cloud computing systems and methods abstract away physical servers, storage, networking, etc. and instead offer these as on-demand and elastic resources.  The National Institute of Standards and Technology (NIST) provides a concise and specific definition which states cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.  Cloud computing differs from the classic client-server model by providing applications from a server that are executed and managed by a client's web browser, with no installed client version of an application required.  Centralization gives cloud service providers complete control over the versions of the browser-based applications provided to clients, which removes the need for version upgrades or license management on individual client computing devices – Natarajan: par. 0041).

Per claim 9, Natarajan in view of Kailash discloses the non-transitory computer-readable storage medium of claim 1, wherein the steps further include logging every firewall session for multiple users, multiple user devices, multiple locations, multiple applications, multiple ports, and multiple protocols (Other application layer functions may also be provided in a data logging layer 170, such as a user interface (UI) front-end 130. The user interface front-end 130 may provide a user interface through which users of the external systems may provide and define security policies, e.g., whether email traffic is to be monitored, whether certain web sites are to be precluded, etc. Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 170. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. In an exemplary embodiment, the logging node 140 data may be anonymized so that data identifying an enterprise is removed or obfuscated – Natarajan: par. 0038 – Note: Example external systems may include an enterprise 200, a computer device 220, and a mobile device 230, or other network and computing systems communicatively coupled to the system 100 – par. 0033, wherein according to a service agreement between a provider of the system 100 and an owner of an external system, the system 100 may thus provide security protection to the external system at any location throughout the geographic region – par. 0035. Further, the authority nodes 120 may serve as an application layer 160. The application layer 160 may, for example, manage and provide policy data, threat data, and data inspection engines and dictionaries for the processing nodes 110. In an exemplary embodiment, the application layer 160 can continually update the processing nodes 110 with newly detected malware as described herein for zero day/zero hour protection – par. 0037).

Per claims 10 and 19, Natarajan in view of Kailash discloses features of claims 1 and 11, wherein the steps further include receiving an update based on detection of zero-day/zero-hour threats (The FCC components 704 is a BA Analysis Engine which includes secure content storage with data destruct capabilities, is a scalable and flexible platform for VM based execution sandboxes, includes a smart scheduler to determine what needs to be analyzed and manage BA content from the cloud, and includes threat reporting storage and UI infrastructure for malware result analysis and research. The FCC components 704 can provide dynamic updates based on latest malware analysis thereby providing zero day/zero hour protection – Natarajan: par. 0076 – Note: Server SMBE 720, which is part of FCC Components 704, provides updates to the cloud components 702); and updating the firewall based on the update (The server 710 is configured to enforce policy based on configuration, to log transactions to the data store 712 with information included therein such as policy reason and Threat category/super category information, and to send BA content to the BA infrastructure (specifically the server 720). In an exemplary embodiment, the server 710 can be the processing node 110, the cloud node 502, etc. That is, the server 710 is generally performing inline traffic processing between a user and another domain in an external fashion as a cloud-based system (security-as-a-service) – Natarajan: par. 0077 – Note: Server SME 710, which is part of cloud components 702, receives and processes the updates and logs the transactions to the data store 712).

2. Claims 4-6, 8, 14-16 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Natarajan, US2014/0208426A1 in view of Kailash, US8458786 as applied to claims 1 and 11 above, in further view of Buruganahalli, US2017/0302703A1 (references throughout are either supported by or from provisional 61/831,391 filed 06/05/2013). 

Per claims 4 and 14, Natarajan in view of Kailash discloses features of claims 1 and 11. 
Natarajan in view of Kailash is not relied on to disclose but Buruganahalli discloses wherein the firewall policies are configured to operate over all ports and protocols associated with the WAN (As shown in FIG. 1, network traffic monitoring begins at 102.  An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis.  In some embodiments, user identification is then determined (e.g., user ID can be deduced based on the source IP address).  A policy check engine 106 determines whether any policies can be applied based on the IP address and port number.  As also shown in FIG. 1, an application signature check engine 108 identifies an application (e.g., using an APP-ID engine using various application signatures for identifying applications based on packet flow analysis).  For example, APP-ID engine 108 can be configured to determine what type of traffic the session involves, such as HTTP traffic, HTTPS traffic, SSL/TLS traffic, SSH traffic, DNS requests, FTP traffic, unknown traffic, and various other types of traffic, and such classified traffic can be directed to an appropriate decoder, such as decoders 112, 114, and 116, to decode the classified traffic for each monitored session's traffic flow – Buruganahalli (provisional): par. 0047).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan in view of Kailash further in view of Buruganahalli to include wherein the firewall policies are configured to operate over all ports and protocols associated with the WAN.
One of ordinary skill in the art would have been motivated because it would allow “to securely enable application usage using business-relevant concepts, instead of following the traditional approach offered by traditional port-blocking firewalls” – Buruganahalli: par. 0021.

Per claims 5 and 15, Natarajan in view of Kailash discloses features of claims 1 and 11.
Natarajan in view of Kailash is not relied on to disclose but Buruganahalli discloses wherein each of the plurality of packets includes one of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic (Various techniques described herein can be used to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy).  For example, if a new flow is determined to violate a policy prior to the set-up of the encrypted data communication for that flow between a client and a remote server, then the flow can be blocked and decryption is not required.  As an example, Bob who is a user (e.g., an employee) of ACME Company may attempt to logon using a web browser executing on his desktop office computer to a remote server that is associated with the online banking site (e.g., web site) of Banking Corporation.  If the firewall policy of ACME Company has white listed the domain associated with the Banking Corporation as a trusted domain, then Bob's connection (e.g., an SSL/TLS session) with the web site for the Banking Corporation can be allowed using various techniques described herein – Buruganahalli (provisional): par. 0030 – Note: also see details in par. 0047).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan in view of Kailash further in view of Buruganahalli to include wherein each of the plurality of packets includes one of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) traffic.
One of ordinary skill in the art would have been motivated because it would allow “to determine whether a new session using a secure protocol violates a policy (e.g., security policy, such as a firewall policy)” – Buruganahalli: par. 0030.

Per claims 6 and 16, Natarajan in view of Kailash discloses features of claims 1 and 11.
Although Natarajan discloses Deep Packet Inspection (DPI) (The cloud components 702 monitor inline users such as using HTTP and non-HTTP protocols (to cover proxy and firewall/DPI) to detect and block/preclude malware – Natarajan: par. 0076), it is not relied on to explicitly disclose but Buruganahalli discloses wherein the steps further include performing Deep Packet Inspection (DPI) on each of the plurality of packets in a same session (Various techniques described herein can also be applied to efficiently handle a session resumption (e.g., resumption of an SSL/TLS session) that does not involve any server certificate exchange.  For example, in such a scenario it can be challenging to determine the domain name unless the data communications of that resumed session are decrypted.  Using the techniques described herein allow for the resumed session to be associated with a destination domain without requiring decryption of such data communications.  For example, in the case of a session resumption, there is a client hello message followed by server hello but no certificate is provided from the server (e.g., as it was previously sent to the client at the previous handshake for the initial session setup) – Buruganahalli (provisional): par. 0033 – Note: Stateful firewalls can also perform stateful-based packet inspection in which each packet is examined within the context of a series of packets associated with that network transmission's flow of packets/packet flow (e.g., stateful firewalls or third generation firewalls) – Buruganahalli (provisional): par. 0021, wherein stateful-based packet inspection is inherently performed on packets within flow of an existing/same session); and 
determining an application associated with the same session based on the DPI (As also shown in FIG. 1, an application signature check engine 108 identifies an application (e.g., using an APP-ID engine using various application signatures for identifying applications based on packet flow analysis).  For example, APP-ID engine 108 can be configured to determine what type of traffic the session involves, such as HTTP traffic, HTTPS traffic, SSL/TLS traffic, SSH traffic, DNS requests, FTP traffic, unknown traffic, and various other types of traffic, and such classified traffic can be directed to an appropriate decoder, such as decoders 112, 114, and 116, to decode the classified traffic for each monitored session's traffic flow – Buruganahalli (provisional): par. 0047).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Natarajan in view of Kailash further in view of Buruganahalli to include wherein the steps further include performing Deep Packet Inspection (DPI) on each of the plurality of packets in a same session; and determining an application associated with the same session based on the DPI.
One of ordinary skill in the art would have been motivated because it would allow “to securely enable application usage using business-relevant concepts, instead of following the traditional approach offered by traditional port-blocking firewalls” – par. 0021 and further allow “facilitating deep packet inspection of the session traffic, which can include unencrypted and possibly encrypted data communications associated with the session using a secure protocol, such as SSL/TLS” – par. 0044.
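The claims 6/16 analysis above describes two things a DPI engine does without decrypting the flow: classify the session's traffic type (HTTP, SSL/TLS, SSH, etc.) and associate a resumed TLS session, which carries no server certificate, with a destination domain. The following added example shows one concrete way to do both; it is not the APP-ID engine or any code from Buruganahalli, Natarajan or Kailash. It assumes the domain is read from the server_name (SNI) extension of the client's first message, which the office action does not state; the classification heuristics, the build_client_hello helper and the allow list are constructed for the illustration.

```python
"""First-payload DPI: protocol classification and TLS SNI extraction (added illustration)."""
import struct
from typing import Optional, Set


def classify_flow(first_bytes: bytes) -> str:
    """Classify a session from the client's first payload bytes (constructed heuristics)."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record: content type 0x16 (handshake) followed by a 3.x version.
    if first_bytes[:1] == b"\x16" and first_bytes[1:3] in (b"\x03\x00", b"\x03\x01", b"\x03\x02", b"\x03\x03"):
        return "tls"
    for method in (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS "):
        if first_bytes.startswith(method):
            return "http"
    return "unknown"


def tls_client_hello_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None.

    The name is read from the client's first message, so it is available for a
    full handshake and for a resumption that omits the server Certificate."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # handshake type 1 = ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                                  # client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                         # session_id (non-empty on resumption)
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                         # compression_methods
    if len(hello) < pos + 2:
        return None
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(hello))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        edata = hello[pos:pos + elen]
        pos += elen
        if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name type
            name_len = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + name_len].decode("ascii", "replace")
    return None


def build_client_hello(server_name: str, session_id: bytes = b"") -> bytes:
    """Construct a minimal ClientHello for testing; not a capture from a real client."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
             + b"\x01\x00"                                 # compression: null only
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def app_for_session(first_bytes: bytes, trusted_domains: Set[str]) -> dict:
    """Policy decision before any encrypted data flows: TLS to a trusted domain is
    allowed without decryption, TLS elsewhere is blocked, other protocols are handed
    to their decoder ("inspect")."""
    proto = classify_flow(first_bytes)
    domain = tls_client_hello_sni(first_bytes) if proto == "tls" else None
    if proto == "tls":
        verdict = "allow" if domain in trusted_domains else "block"
    else:
        verdict = "inspect"
    return {"protocol": proto, "domain": domain, "verdict": verdict}


if __name__ == "__main__":
    resumed = build_client_hello("bank.example", session_id=bytes(range(32)))
    print(app_for_session(resumed, {"bank.example"}))
```

The resumption case is exercised by giving build_client_hello a non-empty session_id: the parser skips it by length, so the domain is still recovered although no certificate will follow. A practitioner's caveat, unrelated to this page's claims: SNI is client-supplied, so an allow decision based on it trusts the client's stated destination rather than a verified one.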

Per claims 8 and 18, Natarajan in view of Kailash discloses features of claims 1 and 11.
Although Natarajan discloses security policies based on location (Note: see rejection of claim 2), it is not relied on to disclose but Natarajan in view of Kailash further in view of Buruganahalli discloses wherein the firewall policies are security policies based on user identity, application awareness, and location (As shown in FIG. 1, network traffic monitoring begins at 102. An IP address and port engine 104 determines an IP address and port number for a monitored traffic flow (e.g., a session) based on packet analysis. In some embodiments, user identification is then determined (e.g., user ID can be deduced based on the source IP address). A policy check engine 106 determines whether any policies can be applied based on the IP address and port number. As also shown in FIG. 1, an application signature check engine 108 identifies an application (e.g., using an APP-ID engine using various application signatures for identifying applications based on packet flow analysis). For example, APP-ID engine 108 can be configured to determine what type of traffic the session involves, such as HTTP traffic, HTTPS traffic, SSL/TLS traffic, SSH traffic, DNS requests, FTP traffic, unknown traffic, and various other types of traffic, and such classified traffic can be directed to an appropriate decoder, such as decoders 112, 114, and 116, to decode the classified traffic for each monitored session's traffic flow – Buruganahalli (provisional): par. 0047).
Therefore, claims 8 and 18 are rejected based on the same analysis and motivation to combine as set forth in the rejection of claim 4 above. 

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 

Mahaffey (US2015/0188949) discloses a cloud-based network security platform in a distributed computing network connecting a server and clients, wherein when the geographical context (location of user and mobile device) dictates, according to user preference or policy (set by user or by user's parent or by user's corporate administrator or set by the destination itself (e.g., a banking site that requires a secured connection be used)), a secured network connection is established.

Bryson (US2006/0056297) discloses applying the policy relating to the relevant source and destination zones to determine from that policy whether the packet should be acted upon or discarded, characterized in that at least one of said source and destination zones includes both physical entities and logical entities, wherein a source and destination zone may comprise logical security zones which can be associated with any group of network locations, including physical ports, VLANs, or logical tunnel termination points for IPSec, GRE, PPTP (Point to Point Tunnelling Protocol) or L2TP (Layer 2 Tunnelling Protocol).

Foxhoven (US2016/0036857) discloses a multi-tenant cloud service implemented in the cloud as a distributed security software functionality, via APIs, wherein the multi-tenant cloud service utilizes DNS to perform user-level differentiated policy and reporting with seamless/transparent authentication. The multi-tenant cloud service includes domain databases, configuration and policy (both system and customer), logging, and forward and reverse proxies. A DNS VM is operated on the internal network of an enterprise behind the firewall NAT boundary and includes DNS, a captive proxy/login, a login, and a local user IP database.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to AREZOO SHERKAT whose telephone number is (571)272-8533. The examiner can normally be reached Monday - Friday 8:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung Kim, can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/AREZOO SHERKAT/            Examiner, Art Unit 2494