Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
Response to Arguments
Applicant's arguments filed 11/3/2022 have been fully considered and are partially persuasive. Updated grounds of rejection are presented below in order to address the amended claim language. Applicant’s arguments directed to the allowability of the present claims cannot be held as persuasive for the reasons discussed below.
On page 9, Applicant specifically addresses the amendments made to claim 1, arguing the limitation “where the specified firewall rule directs the network element to examine a first set of firewall rules . . . before the second set of firewall rules” and that in Williams, “there is no discussion . . . about a specified firewall rule that directs a network element to use a first set of application-specific firewall rules instead of a second set of non-application specific firewall rules . . .”. In response, the Examiner notes that the pending claims do not recite a first set of application-specific rules and a second set of non-application-specific rules, and thus arguments directed to such disclosure cannot be held as persuasive.
Applicant’s arguments reliant on “a second set of non-application-specific firewall rules” continue through page 10, but cannot be held as persuasive for the reasons given above.
Furthermore, disclosure regarding multiple sets of firewall rules applied in a particular order (e.g., a first set applied before a second set) is prevalent in the prior art. For example, the previously cited prior art reference Fulp discusses a first firewall node implementing a first rule set and a second firewall node implementing a second rule set; the first node applies its rule set first, prior to the other rules. In addition, such a first node may apply a particular local rule set prior to further firewall operations; see [11, 104, 108-109] in Fulp.
In addition, prior art not previously cited is made of record below. These references discuss application of tiered/prioritized firewall rule sets and are highly relevant to the amended claim language. See, e.g.:
Chanda (US-20200014662-A1) in [22, 33];
Panchalingam (US-20190297114-A1) in [20-24, 26, 57-62]; and
Naveen (US-20200076684-A1) in [39-40, 57, 60-61].

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 4-10, 13-15, and 17-21 are rejected under 35 U.S.C. 103 as being unpatentable over Liu (US-20180191682-A1) in view of Dixit (US-20200007584-A1), Williams (US-10298489-B2), and Fulp (US-20060195896-A1).
	Regarding claim 1, Liu shows a network management and control system that manages a virtual infrastructure (Fig. 3, discussing a “cloud management platform”) deployed across a set of datacenters, a method comprising:
	receiving a definition ([31, 80]) of an application to be deployed ([26]) in the virtual infrastructure ([31, 46, 81], discussing a cloud managed by a cloud management platform), and
	based on the application definition:
	defining a first set of firewall rules for the application ([41]) that indicate conditions for allowing data traffic ([41] and Table 1) directed to the application ([3, 26, 63, 84]).
	Liu does not show:
	specifying a requirement that the application receive data traffic from sources external to the virtual infrastructure;
	a first set of firewall rules that indicate conditions for allowing data traffic from sources external to the virtual infrastructure;
	a second set of higher-level firewall rules; or
	where the firewall rules are applicable to traffic from sources external to the virtual infrastructure.
	Dixit shows specifying a requirement ([61], discussing a “security requirement”) that the application receive data traffic from sources external to the virtual infrastructure ([75], e.g., “must talk to different EPG”, where EPGs include those that are “external outside network”; see [141, 176]);
	a first set of firewall rules that indicate conditions for allowing data traffic ([62, 71-72, 85-86], discussing where data traffic is “routed based on tenant policies”, said policies including what type of communication may be, must be, or must not be allowed) from sources external to the virtual infrastructure ([141, 176]);
	a second set of higher-level firewall rules ([128], where policies can be both requested and implemented for new tenants, but are done in a cloud environment with existing firewall policies common to all tenants); and
	where the firewall rules are applicable to traffic from sources external to the virtual infrastructure ([141, 176], discussing policies that apply to traffic coming from “external outside network” endpoint groups).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the application deployment and application-based traffic management of Liu with the external traffic consideration and rule sets of Dixit in order to facilitate more precise, customizable control of the data traffic and security provided to the virtualized client/tenant resources.
Liu in view of Dixit do not show specifying a new firewall rule that directs a network element implementing the sets of firewall rules to apply the first set of firewall rules.
	Williams shows specifying a new firewall rule that directs a network element implementing the sets of firewall rules to apply the first set of firewall rules (col. 2, lines 20-24, discussing application of firewall rules in a multi-tenant environment, and col. 13, lines 34-50, discussing tenants A and B, each with a distinct firewall policy, each policy being applied to the traffic relevant to the applicable tenant).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the cloud datacenter firewall of Liu in view of Dixit with the rule set specification of Williams in order to ensure that the correct firewall preferences and traffic control are applied based on the cloud tenant to which the traffic is relevant.
	Liu in view of Dixit and Williams do not show a firewall rule that directs a network element, which enforces a second set of firewall rules for data traffic entering and exiting the virtual interface, to examine the first set of firewall rules before the second set of firewall rules.
	Fulp shows a firewall rule that directs a network element, which enforces a second set of firewall rules for data traffic entering and exiting the virtual interface, to examine the first set of firewall rules before the second set of firewall rules ([7, 11, 104, 108-110], where a firewall applies rules by first applying a “local rule list in a top down fashion to find the first match” when processing arriving packets; as shown in Fig. 19, different firewall nodes implement different portions of an overall rule set, the rules being enforced in a “first match” manner).
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the firewall and traffic control implementation of Liu in view of Dixit and Williams with the firewall rule set application of Fulp in order to improve the robustness and efficiency of the resulting firewall (Fulp, [24-25]).
	Regarding claim 2, Liu in view of Dixit, Williams, and Fulp further show wherein the network element that enforces the second set of firewall rules is an edge device implementing a logical network gateway (Dixit, [89] and Fig. 1, showing a leaf gateway 104 to a virtual network on server 1; see also Fulp, Fig. 2).
	Regarding claim 4, Liu in view of Dixit, Williams, and Fulp further show wherein the first set of firewall rules and the second set of firewall rules comprise distributed firewall rules (Dixit, [90]).
	Regarding claim 5, Liu in view of Dixit, Williams, and Fulp further show wherein the data traffic directed to the application comprises data traffic directed to a particular set of network addresses associated with the application (Dixit, [87,290]).
	Regarding claim 6, Liu in view of Dixit, Williams, and Fulp further show wherein the data traffic directed to the application comprises data traffic directed to a particular set of transport layer ports associated with the application (Dixit, [65]).
	Regarding claim 7, Liu in view of Dixit, Williams, and Fulp further show wherein the conditions for allowing data traffic from sources external to the virtual infrastructure comprises allowing any data traffic from sources external to the virtual infrastructure (Dixit, Fig. 17 item 1758A).
	Regarding claim 8, Liu in view of Dixit, Williams, and Fulp further show wherein the conditions for allowing data traffic from sources external to the virtual infrastructure comprises allowing data traffic from a particular set of network addresses (Dixit, Fig. 17 item 1758C and [290]).
	Regarding claim 9, Liu in view of Dixit, Williams, and Fulp further show wherein defining the first set of firewall rules comprises:
	defining a first firewall rule that allows data traffic meeting specified conditions for data traffic to the application (Dixit, [112, 295]) from sources external to the virtual infrastructure (Dixit, [141]); and
	defining a second firewall rule that denies data traffic directed to the application from sources external to the virtual infrastructure that does not meet the specified conditions (Dixit, [63, 295]).
	Regarding claim 10, Liu in view of Dixit, Williams, and Fulp further show based on the application definition, defining a third set of firewall rules (Fulp, Fig. 12) for allowing a first set of data compute nodes (DCNs; Liu, [26,96] discussing virtual machines deployed in a cloud environment with specific firewall policies) that implement the application to access a second set of DCNs in the virtual infrastructure (Dixit, [62,65]).
	Regarding claim 13, Liu in view of Dixit, Williams, and Fulp further show wherein the second set of firewall rules have a higher priority than the first set of firewall rules (Fulp, [24, 60] and Fig. 12).
	Regarding claim 14, Liu in view of Dixit, Williams, and Fulp further show wherein the new firewall rule directs the network element to skip the second set of firewall rules (Fulp, [24,60] and Fig. 12; e.g., rule pathway from r1 to r4 skips rule groups r2 and r3) for any data traffic that is (i) from sources external (Fulp, [64]) to the virtual infrastructure and (ii) directed to the application (Liu, [3, 26, 63, 84] and Dixit, [141,176], discussing policies that apply to traffic coming from “external outside network” endpoint groups).
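To make concrete the ordering that the analysis of claims 1 and 14 turns on (a new rule that has the network element examine the application's first set before its own second set, and the variant in which the second set is skipped for external traffic directed to the application), the following is an added illustration written for this page. It is not code from Liu, Dixit, Williams, Fulp, or the present application; the address plan, rule sets, and packets are constructed. It models a top-down, first-match rule list of the kind Fulp describes, with a "jump" action that resumes the second set when nothing in the first set matched (the behaviour of an iptables `-j` chain target) and a "goto" action that never returns (iptables `-g`), which is the "skip the second set" reading of claim 14.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed address plan for this example (not from any cited reference):
# the virtual infrastructure owns 10.0.0.0/8, the application's front ends are
# 10.1.0.0/24 listening on 443, and any other source address is "external".
INFRA = ip_network("10.0.0.0/8")
APP_NET = ip_network("10.1.0.0/24")
APP_PORT = 443


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

    def is_external(self) -> bool:
        return ip_address(self.src) not in INFRA


@dataclass(frozen=True)
class Rule:
    """One rule of a first-match list. None matches anything; src may be the
    keyword 'external'. action is 'allow', 'deny', 'jump:<set>' (examine <set>
    and resume here if nothing there matched) or 'goto:<set>' (examine <set>
    and never come back, i.e. skip the rest of this set)."""
    src: Optional[str]
    dst: Optional[str]
    dport: Optional[int]
    action: str

    def matches(self, pkt: Packet) -> bool:
        if self.src == "external":
            if not pkt.is_external():
                return False
        elif self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or pkt.dport == self.dport


class NetworkElement:
    """A gateway that enforces named rule sets top-down; the first match wins.
    An implicit default (deny here, an assumption of this example) applies
    when evaluation ends without any terminal match."""

    def __init__(self, rule_sets: dict, entry: str, default: str = "deny"):
        self.rule_sets, self.entry, self.default = rule_sets, entry, default

    def evaluate(self, pkt: Packet):
        trail = []  # (set name, action) of every rule that matched, in order
        verdict = self._walk(self.entry, pkt, trail)
        return (verdict or self.default), trail

    def _walk(self, name: str, pkt: Packet, trail: list) -> Optional[str]:
        for rule in self.rule_sets[name]:
            if not rule.matches(pkt):
                continue
            trail.append((name, rule.action))
            if rule.action in ("allow", "deny"):
                return rule.action
            kind, _, target = rule.action.partition(":")
            verdict = self._walk(target, pkt, trail)
            if verdict is not None or kind == "goto":
                return verdict  # goto: an unmatched target set ends evaluation
            # jump: nothing in the target set matched, resume with the next rule
        return None


# Second set: the gateway's pre-existing, application-agnostic rules. The
# external-to-22 rule stands in for a tenant-wide policy that predates the app.
GATEWAY_RULES = [
    Rule(str(INFRA), None, None, "allow"),
    Rule("external", str(INFRA), 22, "allow"),
    Rule("external", str(INFRA), None, "deny"),
]

# First set, derived from the application definition: allow external traffic
# to the app's listening port and deny other external traffic to the app.
APP_RULES = [
    Rule("external", str(APP_NET), APP_PORT, "allow"),
    Rule("external", str(APP_NET), None, "deny"),
]
APP_RULES_ALLOW_ONLY = APP_RULES[:1]  # the same set with its terminal deny forgotten


def build_gateway(kind: str, app_rules: list) -> NetworkElement:
    """Prepend the new rule that sends external traffic bound for the app to the
    first set; kind is 'jump' (examine the first set, then fall back to the
    second) or 'goto' (examine the first set and skip the second)."""
    new_rule = Rule("external", str(APP_NET), None, f"{kind}:app")
    return NetworkElement({"app": app_rules, "gateway": [new_rule] + GATEWAY_RULES}, "gateway")


SAMPLE = {  # constructed traffic: an external client, an internal host, app and non-app targets
    "ext->app:443": Packet("203.0.113.7", "10.1.0.5", 443),
    "ext->app:22": Packet("203.0.113.7", "10.1.0.5", 22),
    "ext->other:22": Packet("203.0.113.7", "10.2.0.9", 22),
    "int->app:22": Packet("10.5.0.1", "10.1.0.5", 22),
}


def verdicts(kind: str, app_rules: list) -> dict:
    gw = build_gateway(kind, app_rules)
    return {label: gw.evaluate(pkt)[0] for label, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for kind, rules, note in (("jump", APP_RULES, "first set, then second"),
                              ("jump", APP_RULES_ALLOW_ONLY, "no terminal deny: falls back"),
                              ("goto", APP_RULES_ALLOW_ONLY, "second set skipped")):
        print(kind, note, verdicts(kind, rules))
```

Running it shows why the second, denying rule recited in claim 9 matters in practice: with the complete first set, external traffic to the app's port 22 is denied by the application-specific rule before the gateway's generic allow is ever reached. With the allow-only first set, the "jump" form lets the same packet fall through to the gateway's generic rule and be allowed, while the "goto" form skips the second set and ends in the implicit default deny. Either way, the first set is examined before the second; the difference is only what backstops it.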
	Regarding claim 15, the limitations of said claim are addressed in the analysis of claim 1.
	Regarding claim 17, the limitations of said claim are addressed in the analysis of claim 7.
	Regarding claim 18, the limitations of said claim are addressed in the analysis of claim 8.
	Regarding claim 19, the limitations of said claim are addressed in the analysis of claim 9.
	Regarding claim 20, the limitations of said claim are addressed in the analysis of claim 10.
Claims 3 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over Liu in view of Dixit, Williams, and Fulp, as applied to claim 1 above, further in view of Schuba (Schuba, Christoph, et al. "Integrated network service processing using programmable network devices." Sun Microsystems, Inc. Technical Report. (Year: 2005)).
	Regarding claim 3, Liu in view of Dixit, Williams, and Fulp shows the edge device (Dixit, Fig. 1, item 104 and [89]) implemented virtually (Dixit, [97]).
	Liu in view of Dixit, Williams, and Fulp do not show implementing a centralized routing component of a tier-0 router, wherein the first set of firewall rules and the second set of firewall rules are associated with the centralized routing component.
	Schuba shows implementing a centralized routing component (pg. 7, lines 41-49) of a tier-0 router (pg. 3, lines 13-17; pg. 9, lines 19-20; pg. 13, lines 33-38), wherein the sets of firewall rules are associated with the centralized routing component (pg. 11, lines 18-24; pg. 14, lines 7-11).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the routing of Liu in view of Dixit, Williams, and Fulp with the tier-0 network services supported by Schuba in order to enable flow-based processing and improve system efficiency (pg. 3, lines 19-22 and lines 40-46).
Regarding claim 16, the limitations of said claim are addressed in the analysis of claim 3.


Claim 11 is rejected under 35 U.S.C. 103 as being unpatentable over Liu in view of Dixit, Williams, and Fulp, as applied to claim 1 above, further in view of Cole (US-20180083835-A1).
	Regarding claim 11, Liu in view of Dixit, Williams, and Fulp shows sets of DCNs (e.g., Liu, [26, 96] and Dixit, [142, 164], discussing different endpoint groups) as well as where a DCN may not be associated with an application (Dixit, showing multiple EPGs, each associated with different tenants and their implemented applications, [127, 137, 316]).
	Liu in view of Dixit, Williams, and Fulp do not show a second set of DCNs that do not implement the application but are accessible to a plurality of different applications implemented in the virtual infrastructure.
	Cole shows a second set of DCNs that do not implement the application but are accessible to a plurality of different applications implemented in the virtual infrastructure ([29, 38, 137], discussing a multi-tenant hybrid cloud where distinct tenants can request and receive access to applications of other tenants).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the cloud resource access control of Liu in view of Dixit, Williams, and Fulp with the tenant-to-tenant resource use of Cole in order to enable tenants to benefit from the applications deployed by other tenants.

Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Liu in view of Dixit, Williams, and Fulp, as applied to claim 1 above, further in view of Wack (Wack, John, Ken Cutler, and Jamie Pole. Guidelines on firewalls and firewall policy. BOOZ-ALLEN AND HAMILTON INC MCLEAN VA. (Year: 2002)).
	Regarding claim 12, Liu in view of Dixit, Williams, and Fulp shows sets of firewall rules associated with a particular security zone in the virtual infrastructure ([99, 140]).
	Liu in view of Dixit, Williams, and Fulp do not show wherein the second set of firewall rules are associated with a particular security zone in the virtual infrastructure for DCNs that receive data traffic from external sources.
	Wack shows wherein the second set of firewall rules are associated with a particular security zone in the virtual infrastructure for DCNs that receive data traffic from external sources (pg. 22, line 43 to pg. 23, line 15; pg. 31, lines 27-30; pg. 30, line 36 to pg. 31, line 30, discussing a demilitarized zone and internal and external zones with unique security policies implemented via different firewall placement and rule application).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the networking environment of Liu in view of Dixit, Williams, and Fulp with the network setup recommended by Wack in order to ensure standard network security procedures are followed.

	Regarding claim 21, the limitations of said claim are addressed in the analysis of claim 14.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN M MACILWINEN whose telephone number is (571)272-9686. The examiner can normally be reached Monday - Friday, 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, WILLIAM TROST can be reached on (571)272-7872. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

JOHN MACILWINEN
Primary Examiner
Art Unit 2442



/JOHN M MACILWINEN/Primary Examiner, Art Unit 2442