DETAILED ACTION
This communication is responsive to the application # 17/063,415 filed on October 05, 2020. By preliminary amendment claims 1-25 were canceled and claims 26-47 were added new. Claims 26-47 are pending and are directed toward DISTRIBUTED IDENTITY-BASED FIREWALLS.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.


Claims 26-30, 34-42, and 43-45 are rejected under 35 U.S.C. 102(a)(2) as being unpatentable over Beliveau et al. (US 9,413,667, Filed: Feb. 15, 2013) from IDS, hereinafter referred to as Beliveau.
As per claim 26, Beliveau teaches for a virtual machine (VM) executing on a host computer (For example, a service network node can be provided by a virtual machine (VM). Beliveau, Column 7, lines 40-41), a method for providing firewall services on the host computer (a plurality of service network nodes (or services) 112, offering functionalities such as Virus Scan, Firewall, Deep Packet Inspection (DPI), etc., are connected to the communication network 100 through the perimeter switches 104-110. Beliveau, Column 5, lines 10-15), the method comprising:
after a process of the VM requests a network connection (The notification message may include traffic characteristic information, obtained by deep packet inspection, which includes extracting information from layers 5 to 7, traffic pattern matching, using heuristics. The service network node, such as a DPI node can obtain that information. For example, the traffic characteristic information can be the type of traffic, or a Uniform Resource Locator (URL). The notification message also includes other information, such as an n-tuple identification which uniquely identifies the traffic flow to which the packet belongs. Beliveau, Column 7, lines 8-17), receiving a record associating a set of header values of packets sent from the VM with an identifier associated with at least one firewall rule (In step 204, based on the traffic characteristic information received from the service network node (at step 202), the controller 122 creates a set of rules to be applied to the subsequent packets of the identified traffic flow. Beliveau, Column 7, lines 18-21);
associating a packet received from the VM with the identifier by comparing the packet's set of header values with the set of header values of the record (In step 206, the controller 122 propagates or sends the set of rules to the plurality of switches so that the subsequent packets of the traffic flow will traverse a second service path, as indicated by the set of rules. As an alternative, the set of rules could be sent only to the particular switches that will handle the traffic flow. Beliveau, Column 7, lines 22-27);
using the identifier to identify a firewall rule from a plurality of firewall rules that have rule identifiers defined by reference to a plurality of identifiers (The n-tuple identification that uniquely identifies the traffic flow allows the controller 122 to associate the created set of rules with the traffic characteristic information. For example, the controller 122 sends the set of rules in a flow message to the plurality of switches for this identified/recognized traffic flow (through its n-tuple) with associated actions such as drop the packet, forward the packet to the next service network node, etc. Therefore, the set of rules including the n-tuple identification of the traffic flow and the associated actions. Beliveau, Column 7, lines 28-36);
performing a firewall operation on the received packet based on the identified firewall rule (When the switches receive a traffic flow that corresponds to the n-tuple identification, the switches apply the associated actions of the set of rules to the received traffic flow. Beliveau, Column 7, lines 37-39).
As per claim 27, Beliveau teaches the method of claim 26, wherein performing the firewall operation comprises forwarding the received packet when the identified firewall rule specifies that the packet should be allowed to pass through (The forwarding rules derived from these policies can be pushed dynamically by the controller, even in mid-flow to the plurality of switches, effectively re-steering the rest of the traffic flow towards a different set of services. Beliveau, Column 6, lines 20-24).
As per claim 28, Beliveau teaches the method of claim 27, wherein forwarding the received packet comprises forwarding the packet to a virtual switch executing on the host computer for distribution to a destination of the packet (The communication network 100 comprises an inner network 102 which includes a plurality of switches and other components, known to the skilled person in the art, for forwarding data packets between perimeter switches using efficient layer 2 switching. Beliveau, Column 4, lines 66-67 - Beliveau, Column 5, lines 1-3).
As per claim 29, Beliveau teaches the method of claim 26, wherein performing the firewall operation comprises dropping the received packet when the identified firewall rule specifies that the packet should be blocked (the controller 122 sends the set of rules in a flow message to the plurality of switches for this identified/recognized traffic flow (through its n-tuple) with associated actions such as drop the packet, forward the packet to the next service network node, etc. Beliveau, Column 7, lines 31-35).
As per claim 30, Beliveau teaches the method of claim 26, wherein performing the firewall operation comprises redirecting the received packet to a different destination according to the identified firewall rule (Also, embodiments of the present invention can redirect packets of a same traffic flow differently. For example, the first few packets may traverse a first set of services but the subsequent packets of the traffic flow may traverse a second set of services, which is different from the first set of services. Beliveau, Column 4, lines 38-43).
As per claim 34, Beliveau teaches the method of claim 26 further comprising storing the record that associates the identifier with the set of header values before associating the packet with the identifier (In step 204, based on the traffic characteristic information received from the service network node (at step 202), the controller 122 creates a set of rules to be applied to the subsequent packets of the identified traffic flow. Beliveau, Column 7, lines 18-21).
As per claim 35, Beliveau teaches the method of claim 34, wherein the set of header values are associated with the network connection, and comprise an Internet Protocol (IP) address and one or more port numbers assigned to the network connection (Subscriber-based policies are policies that are defined on a per subscriber basis. These policies specify the Internet Protocol (IP) address of the subscriber and the set of services that each particular subscriber's traffic should traverse. Beliveau, Column 5, lines 42-45, AND For example, YouTube™ can be identified by a destination IP address and HTTP applications can be determined based on the ports, such as the well-known port 80. Beliveau, Column 5, lines 52-54).
As per claim 36, Beliveau teaches the method of claim 34 further comprising configuring a guest driver module executing on the VM to perform the operation of the identified firewall rule for subsequent packets that belong to a same flow as the received packet (In step 204, based on the traffic characteristic information received from the service network node (at step 202), the controller 122 creates a set of rules to be applied to the subsequent packets of the identified traffic flow. Beliveau, Column 7, lines 18-21).
Claims 37-42 have limitations similar to those treated in the above rejection, and are met by the references as discussed above, and are rejected for the same reasons of anticipation as used above.
As per claim 43, Beliveau teaches a method for providing firewall services on the host computer for a machine executing on the host computer, the method comprising: receiving, for a network connection initiated on the machine, an identifier associated with the network connection, the identifier being a value different than a layer 2 (L2), a layer 3 (L3), or a layer 4 (L4) header value; using, for a packet received for the network connection, the identifier to identify a firewall rule by comparing the identifier with one or more match attributes of one or more firewall rules, said match attributes of at least a subset of the firewall rules comprising non-L2 to L4 identifiers; performing a firewall operation on the received packet based on the identified firewall rule (More specifically, complex traffic steering is based on installing per-flow forwarding rules dynamically, in response to the first few packets of a traffic flow being processed by a service network node. To do so, deep packet inspection (DPI) based on inspection of layer 5 to layer 7 (L5-L7) traffic flow contents and/or traffic pattern matching and/or heuristics can be used. These per-flow rules are installed by the controller in response to notification messages from the service network node, such as a DPI node. Therefore, complex traffic steering is based on flow policies. The flow policies are used to dynamically override subscriber and application policies (provided by the basic traffic steering) for specific flows. The forwarding rules derived from these policies can be pushed dynamically by the controller, even in mid-flow to the plurality of switches, effectively re-steering the rest of the traffic flow towards a different set of services. Beliveau, Column 6, lines 1-24).
As per claim 44, Beliveau teaches the method of claim 43, wherein receiving the identifier comprises receiving the identifier with the packet (More specifically, this message includes: 1) traffic flow identification which contains an n-tuple identification for uniquely identifying a traffic flow. For example, the n-tuple can be a 5-tuple identification, including a source IP, a destination IP, a protocol, a source port and a destination port. 2) traffic characteristic information, provided by inspecting layers 5 to 7 of a packet header or using traffic pattern matching and heuristics. For example, the traffic characteristic information can be a traffic type, Session Initiation Protocol (SIP), Uniform Resource Locator (URL), etc. 3) statistics: this information is optional, it gives the number of packets received for this traffic flow to the controller. Beliveau, Column 6, lines 49-63).
As per claim 45, Beliveau teaches the method of claim 44, wherein receiving the identifier with the packet comprises receiving the packet with an encapsulating header of the packet (In complex traffic steering, a new communication protocol has been defined, referred to as the steering Service Protocol (StSP). Similar to the OpenFlow interface between the switches and the controller, the StSP interface runs directly over Transmission Control Protocol (TCP) or is encrypted using Transport Layer Security (TLS). Beliveau, Column 6, lines 25-30).
 
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 31-33 and 47 are rejected under 35 U.S.C. 103 as being unpatentable over Beliveau et al. (US 9,413,667, Filed: Feb. 15, 2013) from IDS, in view of Schmidt et al. (US 2006/0184646, Pub. Date: Aug. 17, 2006), hereinafter referred to as Beliveau and Schmidt.
As per claim 31, Beliveau teaches the method of claim 26, and further teaches (Furthermore, it is assumed that all the authentication procedures, for allowing the end-user device 120 to connect to the communication network 100, or internet or other communication network, have been performed and were successful. Beliveau, Column 8, lines 56-60), but is silent as to wherein the identifier is a security identifier (SID) of a user associated with the process. Schmidt however teaches wherein the identifier is a security identifier (SID) of a user associated with the process (If the user's account domain SID is accepted (i.e., "yes" from block 604), a received SID is compared against the list of trusted domain SIDs at block 608. Based on the comparison, the root domain determines whether to accept or reject the received SID. Further, only user and group SIDs that are relative to the list of trusted domain SIDs will be accepted, as well as the user's account domain SID itself. This restriction applies to all authentication requests, Schmidt, [0110]).
Beliveau and Schmidt are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Beliveau in view of Schmidt. This would have been desirable because a network system manages different namespaces that identify different types of network domain components such as users, computers, applications, COM objects, and the like, within a network architecture. A namespace is identified by the range of names that it contains, some of which are used to communicate authentication and/or authorization requests to a trusted domain when a security principal name cannot be resolved locally. Examples of such namespaces include namespaces constructed for a domain tree name, a user principal name, a service principal name, or for specific identifiers associated with a specific domain, such as a domain's domain name system (DNS), Netbios name, or its Security Identifier (SID) (Schmidt, [0049]).

As per claim 32, Beliveau teaches the method of claim 26, wherein the identifier identifies a user logged onto the VM (For example, a user having an account managed or maintained by domain controller in forest B can logon and be authenticated via workstation 218 in forest A. Schmidt, [0091], AND Furthermore, it is assumed that all the authentication procedures, for allowing the end-user device 120 to connect to the communication network 100, or internet or other communication network, have been performed and were successful. Beliveau, Column 8, lines 56-60).
Beliveau and Schmidt are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Beliveau in view of Schmidt. This would have been desirable because a network system manages different namespaces that identify different types of network domain components such as users, computers, applications, COM objects, and the like, within a network architecture. A namespace is identified by the range of names that it contains, some of which are used to communicate authentication and/or authorization requests to a trusted domain when a security principal name cannot be resolved locally. Examples of such namespaces include namespaces constructed for a domain tree name, a user principal name, a service principal name, or for specific identifiers associated with a specific domain, such as a domain's domain name system (DNS), Netbios name, or its Security Identifier (SID) (Schmidt, [0049]).

As per claim 33, Beliveau in view of Schmidt teaches the method of claim 26, wherein the identifier comprises a username or a group identifier that identifies a user group to which the user belongs (Authentication is the process of verifying the identity of a security principal when access to a secured resource is requested. The verification process can be applied to users, computers, and/or services executing in the security context of a user or computer. Typically, user authentication is implemented in either of two ways. One way is to associate a username with a password and require both the username and password at the time of an initial request to access a network system. A second way is to use secure access tokens granted by an operating system to authentic users. Schmidt, [0011]).
Beliveau and Schmidt are analogous art to the claimed invention, because they are from a similar field of endeavor of systems, components and methodologies for providing secure communication between computer systems. It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to modify Beliveau in view of Schmidt. This would have been desirable because a network system manages different namespaces that identify different types of network domain components such as users, computers, applications, COM objects, and the like, within a network architecture. A namespace is identified by the range of names that it contains, some of which are used to communicate authentication and/or authorization requests to a trusted domain when a security principal name cannot be resolved locally. Examples of such namespaces include namespaces constructed for a domain tree name, a user principal name, a service principal name, or for specific identifiers associated with a specific domain, such as a domain's domain name system (DNS), Netbios name, or its Security Identifier (SID) (Schmidt, [0049]).
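The method of claims 26-30 and 34-36, together with the identifier types of claims 31-33, describes a lookup chain on the host: a stored record maps a connection's header values to an identifier (such as a user SID or group), the identifier is matched against rules whose match attributes are identifiers rather than L2-L4 header values, and the matched rule's action (allow, drop, redirect) is applied, with later packets of the same flow reusing the decision. The following Python sketch, added here as an illustration and not taken from the application, from Beliveau or from Schmidt, implements that chain. The class and field names, the SID strings, the addresses and the rules are constructed for the example; a flow with no stored record is treated as unattributed and fails closed.

```python
"""Identity-based firewall lookup: flow headers -> identifier -> rule -> action.
Added illustration; every SID, address and rule here is a constructed sample value."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Header values assigned to a connection: IP addresses, ports and protocol.
FlowKey = Tuple[str, str, int, int, str]  # (src_ip, dst_ip, src_port, dst_port, proto)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

    def flow_key(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)


@dataclass(frozen=True)
class ConnectionRecord:
    """Record received after a process opens a connection: headers -> identifier."""
    headers: FlowKey
    identifier: str  # not an L2/L3/L4 value: e.g. a user SID or a group name


@dataclass(frozen=True)
class FirewallRule:
    """Rule whose primary match attribute is an identifier, not a header value."""
    identifier: str
    action: str  # "allow", "drop" or "redirect"
    dst_port: Optional[int] = None  # optional extra L4 qualifier
    redirect_to: Optional[str] = None


Decision = Tuple[str, Optional[str], Optional[str]]  # (action, identifier, redirect target)


class IdentityFirewall:
    def __init__(self, rules: List[FirewallRule], default_action: str = "drop"):
        self.rules = list(rules)  # ordered: first matching rule wins
        self.default_action = default_action
        self.records: Dict[FlowKey, str] = {}
        # Per-flow decision cache so later packets of a flow skip the rule search.
        self.flow_cache: Dict[FlowKey, Decision] = {}

    def store_record(self, record: ConnectionRecord) -> None:
        self.records[record.headers] = record.identifier
        self.flow_cache.pop(record.headers, None)  # new identity invalidates old decision

    def identifier_for(self, pkt: Packet) -> Optional[str]:
        """Associate a packet with an identifier by comparing its headers to stored records."""
        return self.records.get(pkt.flow_key())

    def find_rule(self, identifier: str, pkt: Packet) -> Optional[FirewallRule]:
        for rule in self.rules:
            if rule.identifier != identifier:
                continue
            if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
                continue
            return rule
        return None

    def decide(self, pkt: Packet) -> Decision:
        key = pkt.flow_key()
        if key in self.flow_cache:
            return self.flow_cache[key]
        identifier = self.identifier_for(pkt)
        if identifier is None:
            # No record ties this flow to a principal: fail closed rather than guess.
            decision: Decision = (self.default_action, None, None)
        else:
            rule = self.find_rule(identifier, pkt)
            decision = ((rule.action, identifier, rule.redirect_to) if rule
                        else (self.default_action, identifier, None))
        self.flow_cache[key] = decision
        return decision


def demo() -> List[Decision]:
    """Constructed scenario: two users on one VM, three known flows, one unknown flow."""
    alice = "S-1-5-21-1000-2000-3000-1001"  # constructed SID, not a real principal
    bob = "S-1-5-21-1000-2000-3000-1002"
    fw = IdentityFirewall([
        FirewallRule(alice, "allow", dst_port=443),
        FirewallRule(alice, "drop"),
        FirewallRule(bob, "redirect", redirect_to="10.0.0.99"),
    ])
    fw.store_record(ConnectionRecord(("10.0.0.5", "203.0.113.10", 50000, 443, "tcp"), alice))
    fw.store_record(ConnectionRecord(("10.0.0.5", "203.0.113.10", 50001, 80, "tcp"), alice))
    fw.store_record(ConnectionRecord(("10.0.0.5", "203.0.113.20", 50002, 25, "tcp"), bob))
    packets = [
        Packet("10.0.0.5", "203.0.113.10", 50000, 443, "tcp"),  # alice, 443 -> allow
        Packet("10.0.0.5", "203.0.113.10", 50001, 80, "tcp"),   # alice, 80 -> drop
        Packet("10.0.0.5", "203.0.113.20", 50002, 25, "tcp"),   # bob -> redirect
        Packet("10.0.0.5", "198.51.100.7", 50003, 22, "tcp"),   # no record -> default drop
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

Rule order is significant: the port-qualified allow for the first user precedes the unqualified drop, so the same identity yields different actions for different ports. The flow cache corresponds to the per-flow behaviour of claim 36; it is cleared for a flow whenever a new record for that flow arrives, so a changed identity cannot inherit a stale decision.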

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Claims 26-47 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-20 of US patent No. 10798058.  Although the conflicting claims are not identical, they are not patentably distinct from each other because all elements of claims 26-47 of the instant application correspond to elements of claims 1-20 of US patent No. 10798058. The above claims of the present application would have been obvious over claims 1-20 of US patent No. 10798058 because each element of the claims of the present application is anticipated by the claims of the US patent No. 10798058 and as such are unpatentable for obviousness-type double patenting (In re Goodman (CAFC) 29 USPQ2D 2010 (12/3/1993)).
Allowable Subject Matter
Claim 46 is indicated as allowable over prior art.
As allowable subject matter has been indicated, applicant's reply must either comply with all formal requirements or specifically traverse each requirement not complied with.  See 37 CFR 1.111(b) and MPEP § 707.07(a).

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to OLEG KORSAK whose telephone number is (571)270-1938.  The examiner can normally be reached on Monday-Friday 7:30am - 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Saleh Najjar can be reached on (571)272-4006.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/OLEG KORSAK/
Primary Examiner, Art Unit 2492