Notice of Pre-AIA or AIA Status
The present application is being examined under the pre-AIA first to invent provisions.

DETAILED ACTION
In view of the Appeal Brief filed on 5/10/22, PROSECUTION IS HEREBY REOPENED. New grounds of rejection are set forth below.
To avoid abandonment of the application, appellant must exercise one of the following two options:
(1) file a reply under 37 CFR 1.111 (if this Office action is non-final) or a reply under 37 CFR 1.113 (if this Office action is final); or,
(2) initiate a new appeal by filing a notice of appeal under 37 CFR 41.31 followed by an appeal brief under 37 CFR 41.37. The previously paid notice of appeal fee and appeal brief fee can be applied to the new appeal. If, however, the appeal fees set forth in 37 CFR 41.20 have been increased since they were previously paid, then appellant must pay the difference between the increased fees and the amount previously paid.
A Supervisory Patent Examiner (SPE) has approved of reopening prosecution by signing below:
/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

Response to Arguments
This is a reply to the Appeal Brief filed on 5/10/2022, in which, claim(s) 22, 23, and 25-42 are pending.  Claims 22 and 36 are independent.
Applicant’s arguments, see Appeal Brief, filed 5/10/2022, with respect to the rejection(s) of claim(s) under prior art have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made as set forth below.
When making claim amendments, the applicant is encouraged to consider the references in their entireties, including those portions that have not been cited by the examiner and their equivalents as they may most broadly and appropriately apply to any particular anticipated claim amendments.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of pre-AIA 35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under pre-AIA 35 U.S.C. 103(a) are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims under pre-AIA 35 U.S.C. 103(a), the examiner presumes that the subject matter of the various claims was commonly owned at the time any inventions covered therein were made absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and invention dates of each claim that was not commonly owned at the time a later invention was made in order for the examiner to consider the applicability of pre-AIA 35 U.S.C. 103(c) and potential pre-AIA 35 U.S.C. 102(e), (f) or (g) prior art under pre-AIA 35 U.S.C. 103(a).
Claims 22, 23, 25-29, and 31-42 are rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over US 20090249472 A1 (hereinafter ‘Litvin’) in view of US 20100333165 A1 (hereinafter ‘Basak’).

As regards claim 22, Litvin (US 20090249472 A1) teaches: For a firewall application executing on a physical host computer, a method comprising: (Litvin: Fig. 2, 4, ¶7, ¶15, ¶69-¶70, ¶77, i.e., firewall application running on host nodes)
receiving a packet from a managed forwarding element executing on the physical host computer; (Litvin: Figs. 2, 4, 6, ¶13-¶14, ¶82, i.e., the virtual switch (i.e., the forwarding element) sending/receiving packets on the host node)
identifying which of a plurality of sets of processing rules enforced by the firewall application applies to the packet, (Litvin: Abstract, Figs. 2, 4-6, ¶11, ¶13-¶15, i.e., the firewalls for each of the set of nodes hosting VMs are configured with firewall policies pertinent to the particular VMs, on a particular node and associated with the particular network wherein the firewall coordinator manages the firewall policies for different nodes) 
wherein: (i) each set of processing rules of the plurality of sets of processing rules corresponds to a different one of a plurality of distributed firewalls; (Litvin: Abstract, Figs. 2, 4-6, ¶11, ¶13-¶15, i.e., the firewalls for each of the set of nodes hosting VMs are configured with firewall policies pertinent to the particular VMs, on a particular node and associated with the particular virtual network (i.e., logical network) wherein the firewall coordinator manages the firewall policies for different nodes)
Litvin explicitly discloses a firewall architecture wherein a firewall coordinator system manages and configures multiple firewalls across multiple nodes of virtual machines connected via virtual firewall networks (logical network) wherein the firewall policies are managed and configured by the firewall coordinator and the policies are specific to each of the virtual firewall network and virtual machines for a particular node (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶69-¶70, ¶77). However, Litvin does not explicitly use the commonly used industry term ‘distributed’.
In analogous art, Basak (US 20100333165 A1) teaches a distributed firewall system implementing multiple firewall engines across multiple VLAN (i.e., logical network) networks and allowing different firewall policies/rules to be distributed to different firewall agents (Basak: Fig. 1, 6A-6B, 10, ¶35-¶38, ¶64-¶78).
Before the time the invention was made it would have been obvious to one of ordinary skill in the art to modify Litvin to include a distributed firewall system implementing multiple firewall engines across multiple VLAN (i.e., logical network) networks and allowing different firewall policies/rules to be distributed to different firewall agents as taught by Basak with the motivation to control flow of packets between networks and subnetworks (Basak: ¶1, ¶11).
Litvin et al combination further discloses: (ii) each distributed firewall of the plurality of distributed firewalls is associated with a different one of a plurality of logical networks; (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶69-¶71, ¶77, i.e., a firewall architecture wherein a firewall coordinator system manages and configures multiple firewalls across multiple nodes of virtual machines connected via virtual firewall networks (logical network) wherein the firewall policies are managed and configured by the firewall coordinator and the policies are specific to each of the virtual firewall network and virtual machines for a particular node. See also, Basak: Fig. 1, 6A-6B, 10, ¶1, ¶11, ¶35-¶38, ¶64-¶78)
(iii) each respective logical network of the plurality of logical networks logically connects a respective set of end machines that operate on the physical host computer with other end machines that operate on a respective plurality of other physical host computers and that are connected to the respective logical network; (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶69-¶70, ¶77. See also, Basak: Fig. 1, 6A-6B, 10, ¶1, ¶11, ¶35-¶38, ¶64-¶78) 
(iv) each respective logical network is implemented by a respective plurality of managed forwarding elements executing on the respective plurality of physical host computers on which at least one end machine connected to the respective logical network operates; (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶69-¶70, ¶77, ¶82-¶83, i.e., the multiple virtual switches for each of the nodes)
(v) for each respective logical network, the respective set of processing rules corresponding to the respective distributed firewall associated with the respective logical network is enforced by the firewall application executing on the physical host computer and by firewall applications executing on each of the other physical host computers on which at least one end machine connected to the respective logical network operates; and (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶69-¶70, ¶77, ¶82-¶83, i.e., a firewall architecture wherein a firewall coordinator system manages and configures multiple firewalls across multiple nodes of virtual machines connected via virtual firewall networks (logical network) wherein the firewall policies are managed and configured by the firewall coordinator and the policies are specific to each of the virtual firewall network and virtual machines for a particular node. See also, Basak: Fig. 1, 6A-6B, 10, ¶1, ¶11, ¶35-¶38, ¶64-¶78)
(vi) identifying which of the plurality of sets of processing rules enforced by the firewall application applies to the packet comprises determining which of the plurality of logical networks the packet is traversing; (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶69-¶70, ¶77, ¶82-¶83, i.e., determining whether the packet is an incoming packet from an outside network, outgoing packet going to an outside network, and so forth based on the rules) 
determining whether to allow the packet based on the identified set of processing rules; and (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, determining whether to allow the packet to pass)
when the packet is allowed, sending the packet back to the managed forwarding element executing on the physical host computer. (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶82-¶86, i.e., if the packet is allowed to be sent back then it goes back through the virtual switch 640 from which it was received)

Claim 36 recites substantially the same features recited in claim 22 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 23, Litvin et al combination discloses the method of claim 22, wherein the plurality of sets of processing rules are received by the firewall application from a network control system that also configures the managed forwarding element. (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶82-¶86)

Claim 37 recites substantially the same features recited in claim 23 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 25, Litvin et al combination discloses the method of claim 22, wherein: the plurality of distributed firewalls comprises a particular distributed firewall with a corresponding particular set of processing rules enforced by the firewall application; and (Litvin: Figs. 1, 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶82-¶86) a particular logical network that comprises the particular distributed firewall logically connects a particular set of end machines through a set of logical forwarding elements. (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶69-¶71, ¶77. See also, Basak: Fig. 1, 6A-6B, 10, ¶1, ¶11, ¶35-¶38, ¶64-¶78)

As regards claim 26, Litvin et al combination discloses the method of claim 25, wherein the particular distributed firewall logically connects to a logical router implemented by a particular one of the pluralities of managed forwarding elements, including the managed forwarding element executing on the physical host computer, the logical router comprising a set of routing policies that determines whether the managed forwarding element executing on the physical host computer sends the packet to the distributed firewall. (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶82-¶86, i.e., the virtual switch performing the routing function. Note: Switches/routers can perform the function of routing packets and thus can be used interchangeably. See e.g., US 20120147894 A1: ¶60, ¶87)

As regards claim 27, Litvin et al combination discloses the method of claim 25, wherein the managed forwarding element implements the particular logical network by implementing the set of logical forwarding elements. (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶82-¶86)

As regards claim 28, Litvin et al combination discloses the method of claim 22, wherein when the identified set of processing rules specifies to drop the packet, the firewall application executing on the physical host computer does not send the packet back to the managed forwarding element executing on the physical host computer. (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶82-¶86, i.e., the packet is allowed to forwarded to a different virtual switch then from the one it was received and the packet is dropped)

Claim 42 recites substantially the same features recited in claim 28 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 29, Litvin et al combination discloses the method of claim 22, wherein the packet sent back to the managed forwarding element is treated as a new packet by the managed forwarding element. (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶82-¶86, i.e., if the packet is allowed to be sent back then it goes back through the virtual switch 640 from which it was received)

As regards claim 31, Litvin et al combination discloses the method of claim 22, wherein identifying which of the plurality of sets of processing rules applies to the packet comprises (Litvin: Abstract, Figs. 2, 4-6, ¶11, ¶13-¶15): after receiving the packet, reading a slice identifier appended to the packet; and (Litvin: Abstract, Figs. 2, 4-6, 9-10, 15, ¶11, ¶13-¶24, ¶99, ¶139-142, i.e., applying the policies according to the firewall associated with the VMs wherein the information in the packet is used to determine which firewall and policies are to be applied to a packet) matching the slice identifier with a particular set of processing rules that corresponds to a particular one of the plurality of distributed firewalls. (Litvin: Abstract, Figs. 2, 4-6, 9-10, 15, ¶11, ¶13-¶24, ¶99, ¶139-142, i.e., applying the policies according to the firewall associated with the VMs wherein the information in the packet is used to determine which firewall and policies are to be applied to a packet, matching the policies that matches the identifiers in the packet header to process the packet)

Claim 38 recites substantially the same features recited in claim 31 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 32, Litvin et al combination discloses the method of claim 31, wherein the packet is a first packet, the particular set of processing rules is a first set of processing rules, the slice identifier is a first slice identifier, and the particular distributed firewall is a first distributed firewall, the method further comprising (Litvin: Abstract, Figs. 2, 4-6, 9-10, 15, ¶11, ¶13-¶24, ¶99, ¶139-142, i.e., applying the policies according to the firewall associated with the VMs wherein the information in the packet is used to determine which firewall and policies are to be applied to a packet, matching the policies that matches the identifiers in the packet header to process the packet): receiving a second packet, with a second slice identifier appended, from the managed forwarding element executing on the physical host computer; (Litvin: Abstract, Figs. 2, 4-6, 9-10, 15, ¶11, ¶13-¶24, ¶99, ¶139-142, i.e., applying the policies according to the firewall associated with the VMs wherein the information in the packet is used to determine which firewall and policies are to be applied to a packet, matching the policies that matches the identifiers in the packet header to process the packet) matching the second slice identifier with a second set of processing rules of the plurality of sets of processing rules enforced by the firewall application, different from the first set of processing rules, that corresponds the second set of processing rules corresponding to a second distributed firewall of the plurality of distributed firewalls; and (Litvin: Abstract, Figs. 2, 4-6, 9-10, 15, ¶11, ¶13-¶24, ¶99, ¶139-142, i.e., applying the policies according to the firewall associated with the VMs wherein the information in the packet is used to determine which firewall and policies are to be applied to a packet, matching the policies that matches the identifiers in the packet header to process the packet) determining whether to allow the second packet based on the second set of processing rules. (Litvin: Abstract, Figs. 2, 4-6, 9-10, 15, ¶11, ¶13-¶24, ¶99, ¶139-142, i.e., applying the policies according to the firewall associated with the VMs wherein the information in the packet is used to determine which firewall and policies are to be applied to a packet, matching the policies that matches the identifiers in the packet protocol to process the packet)

Claim 39 recites substantially the same features recited in claim 32 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 33, Litvin et al combination discloses the method of claim 32, wherein the first and second slice identifiers are appended to the first and second packets, respectively, by the managed forwarding element. (Litvin: Abstract, Figs. 2, 4-6, 9-10, 15, ¶11, ¶13-¶24, ¶99, ¶139-142, i.e., applying the policies according to the firewall associated with the VMs wherein the information in the packet is used to determine which firewall and policies are to be applied to a packet, matching the policies that matches the identifiers in the packet protocol to process the packet. Note: packet routing is based on the information in the packet headers that are appended to a packet in the OSI networking model. See e.g., US 7941837 B1, Fig. 4, col. 6:15-24, i.e., the ID appended to the packet header prior to forwarding the packet to a firewall for processing)

As regards claim 34, Litvin et al combination discloses the method of claim 22, wherein each set of processing rules of the plurality of sets of processing rules comprises a set of rules for determining whether to allow, block, or drop packets based on information about the packets. (Litvin: Fig. 2, 4-6, ¶7, ¶11, ¶13-¶15, ¶82-¶86)

Claim 40 recites substantially the same features recited in claim 34 above and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 35, Litvin et al combination discloses the method of claim 34, wherein the information about the packets comprises stateful transport connection information. (Litvin: Fig. 2, 4-6, ¶7, ¶11-¶15, ¶82-¶86, i.e., the connection data/table information)

Claim 41 recites substantially the same features recited in claim 35 above and is rejected based on the aforementioned rationale discussed in the rejection.

Claim 30 is rejected under pre-AIA 35 U.S.C. 103(a) as being unpatentable over Litvin in view of Basak in view of US 20110255538 A1 (hereinafter ‘Srinivasan’).

As regards claim 30, Litvin et al combination discloses the method of claim 22. However, Litvin does not but in analogous art, Srinivasan (US 20110255538 A1) teaches: further comprising negotiating a software port with the managed forwarding element prior to receiving any packets from the managed forwarding element (Srinivasan: 404, FIG. 4, 612, FIG. 6A, ¶11, ¶30, ¶38 “an SVM port profile may be assigned 404 to port 612” i.e., port 612 was negotiated/assigned to firewall 112 before the latter received any packets), wherein: the packet is received by the firewall application from the managed forwarding element through the negotiated software port; and the packet is sent back to the managed forwarding element through the negotiated software port.
At the time that the invention was made, one of ordinary skill in the art would have recognized the ability to modify Litvin et al with the teachings of Srinivasan for having a firewall negotiate a software port with a managed forwarding element prior to receiving any packets. The teachings of Srinivasan maintain the integrity of the routing of the system’s port by ensuring that each packet communicated between a firewall and the system’s managed forwarding element is routed through a negotiated port. Therefore, it would have been obvious for one of ordinary skill in the art to arrive at the above-claimed invention.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey Nickerson/ Supervisory Patent Examiner, Art Unit 2432

/SYED A ZAIDI/ Primary Examiner, Art Unit 2432