Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 are presented for examination.

In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1)/(a)(2) as being anticipated by Mishra et al., US 10,785,115.

Regarding claim 1, Mishra teaches a method for managing enforcement of a segmentation policy, comprising: 
obtaining, at a policy management server (fig. 1, segmentation server 120), a segmentation policy comprising a set of segmentation rules that specify a white list of permissible connections between workloads providing and consuming network-based services (col. 3, lines 8-15: the segmentation policy is set forth using permissive rules that specify the communications that are permitted. For example, a rule pertaining to a particular workload 138 may specify a whitelist of workloads 138 with which the particular workload 138 is permitted to communicate. ); 
obtaining, at the policy management server, policy constraints comprising a set of constraint rules that control compliance of the segmentation rules (col. 2, lines 35-42: The network devices 140 may each include an integrated configurable firewall that enforces a set of firewall rules to permit or block different communications over the network 110. ); 
applying the constraint rules to the set of segmentation rules to identify a non-compliant segmentation rule that is within a scope of a matching constraint rule (col. 3, lines 10-15:  the segmentation policy includes a set of rules specifying whether certain workloads 138 are allowed to provide services to or receive services from other workloads 138, and may place restrictions on how those workloads 138 are allowed to communicate when providing or consuming the services); 
initiating a workflow process to resolve the non-compliant segmentation rule (col. 10, lines 44-48: two or more strategies may be assigned different importance levels and if the allocation decision of two different applied strategies conflicts, the allocation decision module 306 resolves the conflict by applying the strategy with the higher importance level.); and 
distributing the segmentation policy to the distributed enforcement modules to enable the distributed enforcement modules to enforce the segmentation policy (col. 10, lines 49-53: configuration module 310 obtains management instructions allocated for enforcement on the hosts 130 and distributes the relevant management instructions to the respective hosts 130.).

Regarding claim 2, Mishra discloses the method of claim 1, wherein initiating the workflow process comprises: determining that the matching constraint rule has a pre-approval workflow requirement and that the matching constraint rule existed prior to creation of the non-compliant segmentation rule; associating an unapproved state with the non-compliant segmentation rule; and sending a notification to an administrative client indicating non-compliance of the non-compliant segmentation rule, wherein the segmentation policy distributed to the enforcement modules omits the non-compliant segmentation rule while in the unapproved state (col. 8, line 66: the allocation decision module 306 may allocate management instructions by giving first priority to enforcement on the network devices 140 and second priority to enforcement on the hosts 130 when it is not possible to enforce additional management instructions on the network devices 140.).

Regarding claim 3, Mishra discloses the method of claim 2, further comprising: receiving an approval for the non-compliant segmentation rule; associating an approved state with the non-compliant segmentation rule; and responsive to receiving an action to make the non-compliant segmentation rule effective, distributing the non-compliant segmentation rule to the enforcement modules for enforcement (col. 9, lines 22-25: an adjusted allocation may be determined that re-allocates the management instructions associated with lower priority services for enforcement by the host 130 while enforcing the higher priority services on the network device 140.).

Regarding claim 4, Mishra discloses the method of claim 1, wherein initiating the workflow process comprises: determining that the matching constraint rule has a pre-approval workflow requirement and that the non-compliant segmentation rule existed prior to creation of the matching constraint rule; associating a pending state with the non-compliant segmentation rule (col. 7, lines 49-54: the topology discovery module 304 may determine if a particular network device 140 is capable of egress filtering (i.e., blocking outgoing traffic) or whether the particular network device 140 is capable of operating as stateful (as opposed to a stateless) firewall.); and sending a notification to an administrative client indicating non-compliance of the non-compliant segmentation rule, wherein the segmentation policy distributed to the enforcement modules includes the non-compliant segmentation rule while in the unapproved state (col. 2, line 66: The segmentation server 120 manages a segmentation policy for the administrative domain 150 that regulates communications between workloads 138 within the administrative domain 150.).

Regarding claim 5, Mishra discloses the method of claim 4, further comprising: receiving an approval for the non-compliant segmentation rule; associating an approved state with the non-compliant segmentation rule (col. 8, lines 4-8: Enforcement at the host 130 and at the network device 140 each may have advantages and disadvantages. For example, hosts 130 are generally beneficially able to implement a stateful firewall while at least some network devices 140 may enable only stateless firewall enforcement.).

Regarding claim 6, Mishra discloses the method of claim 1, wherein initiating the workflow process comprises: determining that the matching constraint rule has a post-approval workflow requirement; associating a pending state with the non-compliant segmentation rule; and sending a notification to an administrative client indicating non-compliance of the non-compliant segmentation rule, wherein the segmentation policy distributed to the enforcement modules includes the non-compliant segmentation rule while in the unapproved state (col. 9, line 66: the allocation decision module 306 may allocate the management instructions based on whether they relate to controlling communications associated with a stateless protocol or a stateful protocol. For example, the allocation decision module 306 may allocate management instructions associated with stateless communication protocols for enforcement by the network devices 140, and may allocate management instructions associated with a stateful communication protocol for enforcement by the hosts 130.).

Regarding claim 7, Mishra discloses the method of claim 6, further comprising: receiving an approval for the non-compliant segmentation rule; associating an approved state with the non-compliant segmentation rule (col. 10, lines 19-23: the network device 140, and may allocate management instructions permitting communications of the particular workload with a whitelist of other workloads for enforcement by the host 130.).

Regarding claim 8, Mishra discloses the method of claim 1, wherein initiating the workflow process comprises: automatically generating one or more modified segmentation rules having a more limited scope than the non-compliant segmentation rule and that do not violate the policy constraints; and distributing the modified segmentation rules to the enforcement modules for enforcement (col. 1, lines 32-37: The segmentation server generates, for a particular workload, a plurality of management instructions for enforcing the rules of the segmentation policy controlling communications to and from the particular workload.).

Regarding claim 9, Mishra discloses the method of claim 1, wherein the constraint rules specify a specified service, a specified set of provider workloads, and a specified set of consumer workloads, wherein applying the constraint rules comprises identifying the non-compliant segmentation rule as permitting at least one of the provider workloads to provide the service to at least one of the consumer workloads (col. 2, lines 38-43: the network devices 140 may each include an integrated configurable firewall that enforces a set of firewall rules to permit or block different communications over the network 110. The network devices 140 may additionally include dedicated firewall devices.).

Regarding claim 10, Mishra discloses the method of claim 9, wherein the constraint rules identify the specified consumer workloads and the specified provider workloads by respective multi-dimensional label sets (col. 2, lines 57-63: host 130 may operate multiple workloads 138 that may be independently addressable and may perform different independent computing functions. The workloads 138 on the hosts 130 may communicate with other workloads 138 on different hosts 130 within the administrative domain 150 to perform various tasks.).

Regarding claim 11, Mishra discloses the method of claim 9, wherein the constraint rules identify the specified service by at least one of: a port, a protocol, and a service identifier (col. 3, lines 38-42: A rule may be specified as a plurality of fields including a "service," a "provided-by" portion that identifies one or more workloads 138 that is permitted to provide the service (which may be specified by a port number)).

As per claims 12-17 and 18-20, these are the non-transitory computer readable medium and system versions of the claimed method discussed above in claims 1-11, wherein all claimed limitations have also been addressed and/or cited as set forth above.
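The claim language above describes a concrete mechanism: constraint rules scoped by service and by multi-dimensional label sets are applied to a whitelist of segmentation rules, a rule that falls within a matching constraint's scope is flagged, a workflow state (unapproved or pending) is attached depending on whether the constraint has a pre-approval or post-approval requirement and which of the two existed first, and the policy handed to the enforcement modules omits rules while they are unapproved. The following Python is an added illustration written for this page; it is not code from the application under examination or from the Mishra reference, and the data model, the "within scope" matching rule (a segmentation rule is in scope when it carries every label the constraint specifies), the constructed rules and timestamps, and the workload labels are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple

# A multi-dimensional label set, e.g. {"env": "prod", "role": "db"} (assumed shape).
Labels = Dict[str, str]


@dataclass(frozen=True)
class Service:
    port: int
    protocol: str


@dataclass
class SegmentationRule:
    """One whitelist entry: consumers may reach providers on the service."""
    rule_id: str
    service: Service
    providers: Labels
    consumers: Labels
    created_at: int          # constructed monotonic timestamp
    state: str = "approved"  # approved | unapproved | pending


class Workflow(Enum):
    PRE_APPROVAL = "pre-approval"
    POST_APPROVAL = "post-approval"


@dataclass
class ConstraintRule:
    """A constraint: connections matching this scope need review."""
    constraint_id: str
    service: Service
    providers: Labels
    consumers: Labels
    workflow: Workflow
    created_at: int


def within_scope(rule_labels: Labels, scope: Labels) -> bool:
    # Assumed matching rule: the rule's label set must carry every label the
    # constraint specifies; a constraint with fewer labels is therefore broader.
    return all(rule_labels.get(k) == v for k, v in scope.items())


def matching_constraint(rule: SegmentationRule,
                        constraints: List[ConstraintRule]) -> Optional[ConstraintRule]:
    for c in constraints:
        if (c.service == rule.service
                and within_scope(rule.providers, c.providers)
                and within_scope(rule.consumers, c.consumers)):
            return c
    return None


def initiate_workflow(rule: SegmentationRule, constraint: ConstraintRule) -> str:
    """Attach the workflow state the claims describe for a non-compliant rule."""
    if (constraint.workflow is Workflow.PRE_APPROVAL
            and constraint.created_at < rule.created_at):
        rule.state = "unapproved"  # constraint pre-dates the rule: hold it back
    else:
        rule.state = "pending"     # rule pre-dates the constraint, or post-approval
    return rule.state


def apply_constraints(rules: List[SegmentationRule],
                      constraints: List[ConstraintRule]) -> List[Tuple[str, str, str]]:
    """Return (rule_id, constraint_id, state) for every non-compliant rule."""
    findings = []
    for r in rules:
        c = matching_constraint(r, constraints)
        if c is not None:
            findings.append((r.rule_id, c.constraint_id, initiate_workflow(r, c)))
    return findings


def approve(rule: SegmentationRule) -> None:
    rule.state = "approved"


def policy_for_distribution(rules: List[SegmentationRule]) -> List[str]:
    """Unapproved rules are omitted from what enforcement modules receive;
    pending and approved rules are included."""
    return [r.rule_id for r in rules if r.state != "unapproved"]


def run_demo() -> Tuple[List[Tuple[str, str, str]], List[str], List[str]]:
    # Constructed sample data for the example.
    pg, ssh = Service(5432, "tcp"), Service(22, "tcp")
    constraints = [
        ConstraintRule("C1", pg, {"env": "prod"}, {"env": "dev"}, Workflow.PRE_APPROVAL, 100),
        ConstraintRule("C2", ssh, {}, {"role": "web"}, Workflow.POST_APPROVAL, 300),
    ]
    rules = [
        SegmentationRule("R1", pg, {"role": "db", "env": "prod"}, {"role": "web", "env": "prod"}, 150),
        SegmentationRule("R2", pg, {"role": "db", "env": "prod"}, {"role": "web", "env": "dev"}, 200),
        SegmentationRule("R3", ssh, {"role": "bastion", "env": "prod"}, {"role": "web", "env": "prod"}, 250),
        SegmentationRule("R4", pg, {"role": "batch", "env": "prod"}, {"role": "ci", "env": "dev"}, 50),
    ]
    findings = apply_constraints(rules, constraints)
    before = policy_for_distribution(rules)
    approve(rules[1])  # administrator approves R2 after review
    after = policy_for_distribution(rules)
    return findings, before, after


if __name__ == "__main__":
    print(run_demo())
```

R1 is compliant (its consumers are not in the constrained dev scope). R2 falls inside C1, whose pre-approval requirement pre-dates the rule, so it enters the unapproved state and is withheld from distribution until approved. R4 also falls inside C1 but was created before the constraint, so it is marked pending and keeps being enforced while flagged. R3 matches the post-approval constraint C2 and likewise stays in the distributed policy as pending.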

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
US 2020/0220845 to Cook et al. teaches the enforcement module then configures a firewall according to the optimized rules to enforce the segmentation policy. The optimization process beneficially improves performance of the firewall and thereby enables more efficient enforcement of the segmentation policy utilizing fewer computing resources.
US 2012/0116749 to Choi et al. teaches applying context based constraints and rules corresponding thereto.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUBREY H WYSZYNSKI whose telephone number is (571)272-8155. The examiner can normally be reached M-F 9-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, KAMBIZ ZAND can be reached on 571-272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/AUBREY H WYSZYNSKI/Examiner, Art Unit 2434

/TESHOME HAILU/Primary Examiner, Art Unit 2434