DETAILED ACTION
This Action is in consideration of the Applicant’s response on September 23, 2022.  Claims 1, 13, and 20 are amended by the Applicant.  Claims 1 – 20, where Claims 1, 13, and 20 are in independent form, are presented for examination.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on September 23, 2022 has been entered.
Response to Arguments
	Applicant's arguments filed on September 23, 2022 have been fully considered but they are moot based on the new grounds of rejection as stated below.
Claim Rejections - 35 USC § 103
The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1 – 6, 11 – 17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over PGPub. 2018/0191729 (hereinafter “Whittle”), in view of PGPub. 2008/0046995 (hereinafter “Satterlee”).
1.	Regarding Claims 1, 13, and 20, Whittle discloses a system [Figs. 1 and 6; analyzing tier, adapting tier, and executing tier], comprising: 
at least one processor [Fig. 6; Para. 0057-58]; and 
memory storing instructions configured to instruct the at least one processor to [Fig. 6; Para. 0056-57, 0060]: 

receive a client access list comprising a script [Fig. 4; Para. 0039, 0048-49, 0054; retrieve profiled element baseline models (“PEBs”) from the adapting tier, which comprise scripts (receive client access list) for a new IoT device]; 
derive a set of firewall rules from the client access list [Fig. 4; Para. 0038, 0049, 0054; generate corresponding network security policies to implement management defined in the PEB for the new IoT device]; 
execute the script to obtain one or more destinations [Para. 0052; scripts in the PEB may describe general network characteristics, such as remote services and applications that are generally used by the IoT device];
update the set of firewall rules based on the obtained destinations [Para. 0039, 0049, 0054; previous network security policies now include security policies for the new IoT device]; and
apply the set of firewall rules to selectively block and allow network traffic between a client device and one or more network devices [Fig. 4; Para. 0050, 0054].
	Whittle further discloses that one of the services provided by the network security device is a VPN [Para. 0022].  Whittle, however, does not specifically disclose receiving a client tunnel list over a first connection, the client tunnel list including information in order to establish a networking tunnel, establishing a second connection using the client tunnel list, and applying the firewall on the second connection.
	Satterlee discloses a system and method for establishing VPN connections for authorized clients [Abstract].  Satterlee further discloses receiving a client tunnel list over a first connection, the client tunnel list including information in order to establish a networking tunnel, and establishing a second connection using the client tunnel list [Fig. 3; Para. 0041-42].  The combination of Satterlee with Whittle would establish the second connection to the specifically disclosed VPN server and apply the firewall rules for the second connection.  It would have been obvious to one skilled in the art before the effective filing date of the current invention to incorporate the teachings of Satterlee with Whittle since both systems provide VPN services to a client.  The motivation to do so is to provide selection criteria to be used for establishing VPN tunnels to improve VPN performance [Satterlee, Para. 0003, 0044].
2.	Regarding Claim 2, Whittle, in view of Satterlee, discloses the limitations of Claim 1. Whittle further discloses that the script is a destination firewall rule of the client access list [Para. 0027, 0047, 0050; firewall between private network and Internet with IoT device accessing remote resources].
3.	Regarding Claim 3, Whittle, in view of Satterlee, discloses the limitations of Claim 2. Whittle further discloses that:
the computer system implements a gateway to a private network [Fig. 1; Para. 0026-27]; and
the script is executed when the client device deploys a tunnel between the client device and the gateway [Para. 0023, 0039; new IoT device may be detected by the firewall when it tries to establish a VPN or use IPSec/SSL, which triggers the generation and retrieval of a PEB and/or modified PEB for the new IoT device].
4.	Regarding Claim 4, Whittle, in view of Satterlee, discloses the limitations of Claim 3. Whittle further discloses that the client access list is received from an authentication service that manages access to network devices in the private network [Para. 0032-33, 0052-53; PEB retrieved from the upper tiers which can include authentications for the IoT devices].
5.	Regarding Claim 5, Whittle, in view of Satterlee, discloses the limitations of Claim 4. Whittle further discloses that the client access list comprises a first access rule identifying a first network device of the network devices in the private network, and deriving the set of firewall rules comprises translating the first access rule into multiple firewall rules [Para. 0032-33, 0047, 0052-53; the PEB for an IoT device can comprise authentications, services that the IoT device will access, applications that are used for controlling the IoT device, protocols used, port numbers used, etc.; the PEBs are then used by the executing tier to create network policies for controlling network traffic and activities for the IoT device].
6.	Regarding Claim 6, Whittle, in view of Satterlee, discloses the limitations of Claim 1. Whittle further discloses that the one or more destinations comprise at least one of network addresses or ports [Para. 0032; IP header of data packet used to adjust PEB for IoT devices].
7.	Regarding Claim 11, Whittle, in view of Satterlee, discloses the limitations of Claim 1. Whittle further discloses that the computer system implements a gateway [Para. 0022-33; gateway], the method further comprising:
adding the obtained destinations to the client access list [Fig. 4; Para. 0047; a PEB may define multiple remote or local network resources that the IoT device may access]; 
after adding the obtained destinations to the client access list, deriving, using the client access list, one or more new firewall rules [Fig. 4; Para. 0049; executing tier creates network policies for controlling network traffic and activities of IoT devices based on the PEBs or modified PEBs]; and 
applying, by a firewall service, the new firewall rules for a network tunnel between the client device and the gateway [Fig. 4; Para. 0050; executing tier intercepts network traffic of the IoT devices and manages the network traffic and activities of the IoT devices in accordance with corresponding network security policies].
8.	Regarding Claim 12, Whittle, in view of Satterlee, discloses the limitations of Claim 1. Whittle further discloses that updating the set of firewall rules based on the obtained destinations comprises updating the client access list by adding the obtained destinations [Para. 0047-48; detect a new IoT device to retrieve the PEB or modified PEB of the new IoT device; a PEB may define multiple remote or local network resources that the IoT device may access], and wherein the set of firewall rules is updated based on the updated client access list [Fig. 4; Para. 0049; executing tier creates network policies for controlling network traffic and activities of IoT devices based on the PEBs or modified PEBs].
9.	Regarding Claim 14, Whittle, in view of Satterlee, discloses the limitations of Claim 13. Whittle further discloses that the instructions are further configured to instruct the at least one processor to receive a connection request from the client device [Para. 0039; firewall detects new IoT device], wherein the client access list is received after receiving the connection request [Para. 0039; PEB of the IoT device is retrieved].
10.	Regarding Claim 15, Whittle, in view of Satterlee, discloses the limitations of Claim 14. Whittle further discloses that the client access list indicates network devices in a private network that are allowed to communicate with the client device [Para. 0037, 0047; local resources of a private network].
11.	Regarding Claim 16, Whittle, in view of Satterlee, discloses the limitations of Claim 15. Whittle further discloses that the client access list comprises an access rule that identifies a first network device of the private network by specifying a web service that can access the first network device [Para. 0032, 0037; applications that are used for controlling the IoT device are also included in the PEB; remote access through HTTP can be removed for an IoT device based on local network security policies].
12.	Regarding Claim 17, Whittle, in view of Satterlee, discloses the limitations of Claim 13. Whittle further discloses that the instructions are further configured to instruct the at least one processor to start a firewall service for a network tunnel between the client device and a gateway, wherein the set of firewall rules is applied by the firewall service [Para. 0023, 0038, 0047; security policies corresponding to the security operations, such as VPN, IPSec/SSL, to remote resources].
13.	Regarding Claim 19, Whittle, in view of Satterlee, discloses the limitations of Claim 13. Whittle further discloses that the client access list is received from at least one of the client device, or an authentication service [Para. 0048, 0054; PEB retrieved from adapting tier].
Claims 7 – 10 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Whittle, in view of Satterlee, in further view of PGPub. 2015/0378769 (hereinafter “Buck”).
14.	Regarding Claim 7, Whittle, in view of Satterlee, discloses the limitations of Claim 1. Whittle further discloses querying a second computer system to obtain the destinations [Para. 0048].  Whittle further discloses that the scripts in the PEB are interpreted to obtain general network characteristics, such as remote services and applications that are generally used by the IoT device [Para. 0052].  Whittle, however, does not describe that the script queries the second computer system.
	Buck discloses a system and method for configuring a firewall based on network traffic characteristics [Para. 0037] by accessing a database [Para. 0038] by passing a user credential, such as a username, to request connection information associated with the credential, identification of a data center, identification of at least one virtual machine in the data center, assigned servers, etc. [Fig. 4; Para. 0051, 0071, 0083-84].  It would have been obvious to one skilled in the art before the effective filing date of the current application to incorporate the teachings of Buck with Whittle since both systems generate dynamic firewall policies based on detected network traffic and devices.  The combination would enable the script found within the Whittle PEBs to pass user credentials with a database request to identify destinations associated with the user credentials.  The motivation to do so is to additionally associate security and access policies with user credentials for improved security and system management [obvious to one skilled in the art].
15.	Regarding Claim 8, Whittle, in view of Satterlee, discloses the limitations of Claim 1. Whittle further discloses querying a remote computer system to obtain the destinations, where the list of destinations comprises IP addresses or ports [Para. 0048-49].  Whittle further discloses that the scripts in the PEB are interpreted to obtain general network characteristics, such as remote services and applications that are generally used by the IoT device [Para. 0052].  Whittle, however, does not describe that the script is configured to make a query, using an application programming interface, to the remote system.
Buck discloses a system and method for configuring a firewall based on network traffic characteristics [Para. 0037] by accessing a database [Para. 0038] by passing a user credential, such as a username, to request connection information associated with the credential, identification of a data center, identification of at least one virtual machine in the data center, assigned servers, etc. [Fig. 4; Para. 0051, 0071, 0083-84].  Buck further discloses that the query to the system can be made through an API [Para. 0052, 0058].  It would have been obvious to one skilled in the art before the effective filing date of the current application to incorporate the teachings of Buck with Whittle since both systems generate dynamic firewall policies based on detected network traffic and devices.  The combination would enable the script found within the Whittle PEBs to use known interfaces to web-based databases.  The motivation to do so is to provide an accessible database using well-known techniques for storing security information [obvious to one skilled in the art].
16.	Regarding Claim 9, Whittle, in view of Satterlee, discloses the limitations of Claim 1. Whittle further discloses querying a remote computer system to obtain the destinations, where the list of destinations comprises IP addresses or ports [Para. 0048-49].  Whittle further discloses that the scripts in the PEB are interpreted to obtain general network characteristics, such as remote services and applications that are generally used by the IoT device [Para. 0052].  
Whittle, however, does not describe that the script passes a username for an active session to an application programming interface and receiving a list of names for computers associated with the username to which access is granted.
	Buck discloses a system and method for configuring a firewall based on network traffic characteristics [Para. 0037] by accessing a database [Para. 0038] by passing a user credential, such as a username, to request connection information associated with the credential, identification of a data center, identification of at least one virtual machine in the data center, assigned servers, etc. [Fig. 4; Para. 0051, 0071, 0083-84].  Buck further discloses that the query to the system can be made through an API [Para. 0052, 0058].  It would have been obvious to one skilled in the art before the effective filing date of the current application to incorporate the teachings of Buck with Whittle since both systems generate dynamic firewall policies based on detected network traffic and devices.  The combination would enable the script found within the Whittle PEBs to pass user credentials with a database request to identify destinations associated with the user credentials.  The motivation to do so is to additionally associate security and access policies with user credentials for improved security and system management [obvious to one skilled in the art].
17.	Regarding Claim 10, Whittle, in view of Satterlee and Buck, discloses the limitations of Claim 9. Whittle further discloses that a token or condition is associated with the username [Para. 0074-75; e.g. business hours, VOIP application], the method further comprising updating the client access list in response to expiration or revocation of the token or condition [Para. 0071, 0075; conflicting conditions are removed to update the security policy to allow particular network traffic associated with particular services].
18.	Regarding Claim 18, Whittle, in view of Satterlee, discloses the limitations of Claim 13. Whittle further discloses querying a remote computer system to obtain the destinations, where the list of destinations comprises IP addresses or ports [Para. 0048-49].  Whittle further discloses that the scripts in the PEB are interpreted to obtain general network characteristics, such as remote services and applications that are generally used by the IoT device [Para. 0052].
Whittle, however, does not disclose that the client access list comprises a first access rule that is a call to a web service, and wherein the instructions are further configured to instruct the at least one processor to receive, in reply to the call to the web service, a list of network devices using an API according to metadata assigned to virtual instances.
Buck discloses a system and method for configuring a firewall based on network traffic characteristics [Para. 0037] by accessing a database [Para. 0038] by passing a user credential, such as a username, to request connection information associated with the credential, identification of a data center, identification of at least one virtual machine in the data center, assigned servers, etc. [Fig. 4; Para. 0051, 0071, 0083-84].  Buck further discloses that the query to the system can be made through a web service API [Para. 0052, 0058].  It would have been obvious to one skilled in the art before the effective filing date of the current application to incorporate the teachings of Buck with Whittle since both systems generate dynamic firewall policies based on detected network traffic and devices.  The combination would enable the script found within the Whittle PEBs to pass user credentials with a database request to identify destinations associated with the user credentials.  The motivation to do so is to additionally associate security and access policies with user credentials for improved security and system management [obvious to one skilled in the art].
Claims 1 – 6, 11 – 17, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over PGPub. 2018/0191729 (hereinafter “Whittle”), in view of U.S. Patent 9,148,408 (hereinafter “Glazemakers”).
The applied reference has a common assignee with the instant application. Based upon the earlier effectively filed date of the reference, it constitutes prior art under 35 U.S.C. 102(a)(2). 
This rejection under 35 U.S.C. 103 might be overcome by: (1) a showing under 37 CFR 1.130(a) that the subject matter disclosed in the reference was obtained directly or indirectly from the inventor or a joint inventor of this application and is thus not prior art in accordance with 35 U.S.C. 102(b)(2)(A); (2) a showing under 37 CFR 1.130(b) of a prior public disclosure under 35 U.S.C. 102(b)(2)(B); or (3) a statement pursuant to 35 U.S.C. 102(b)(2)(C) establishing that, not later than the effective filing date of the claimed invention, the subject matter disclosed and the claimed invention were either owned by the same person or subject to an obligation of assignment to the same person or subject to a joint research agreement. See generally MPEP § 717.02.
19.	Regarding Claims 1, 13, and 20, Whittle discloses a system [Figs. 1 and 6; analyzing tier, adapting tier, and executing tier], comprising: 
at least one processor [Fig. 6; Para. 0057-58]; and 
memory storing instructions configured to instruct the at least one processor to [Fig. 6; Para. 0056-57, 0060]: 

receive a client access list comprising a script [Fig. 4; Para. 0039, 0048-49, 0054; retrieve profiled element baseline models (“PEBs”) from the adapting tier, which comprise scripts (receive client access list) for a new IoT device]; 
derive a set of firewall rules from the client access list [Fig. 4; Para. 0038, 0049, 0054; generate corresponding network security policies to implement management defined in the PEB for the new IoT device]; 
execute the script to obtain one or more destinations [Para. 0052; scripts in the PEB may describe general network characteristics, such as remote services and applications that are generally used by the IoT device];
update the set of firewall rules based on the obtained destinations [Para. 0039, 0049, 0054; previous network security policies now include security policies for the new IoT device]; and
apply the set of firewall rules to selectively block and allow network traffic between a client device and one or more network devices [Fig. 4; Para. 0050, 0054].
	Whittle, however, does not specifically disclose receiving a client tunnel list over a first connection, the client tunnel list including information in order to establish a networking tunnel, establishing a second connection using the client tunnel list, and applying the firewall on the second connection.
	Glazemakers discloses a system and method for protecting network devices from access by unauthorized clients [Abstract].  Glazemakers further discloses receiving a client tunnel list over a first connection, the client tunnel list including information in order to establish a networking tunnel, establishing a second connection using the client tunnel list, and applying the firewall on the second connection [Fig. 4; Col. 11, lines 3-64].  It would have been obvious to one skilled in the art before the effective filing date of the current invention to incorporate the teachings of Glazemakers with Whittle since both systems utilize firewalls to restrict access to resources.  The combination would provide the client with the specific resources that can be accessed.  The motivation to do so is to provide additional security measures in that an authorized client can access only the devices and services within the private network it is authorized to access [Glazemakers, Col. 2, lines 45-50].
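The following is an added illustration of the claimed sequence as mapped in items 1 and 19 above (receive a client access list comprising a script, derive firewall rules, execute the script to obtain destinations, update the rules, apply them on the tunnel established from a tunnel list received over a first connection), together with the username-keyed directory query discussed for Claims 7 – 9. It is example code written for this action and is not code from the instant application or from Whittle, Satterlee, Glazemakers, or Buck; the directory contents, the `directory_lookup` API, the host names, and the tunnel list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Destination:
    host: str
    port: int
    proto: str = "tcp"


# Constructed directory standing in for the remote system the script queries
# (assumption; not the database or directory of any applied reference).
DIRECTORY = {
    "alice": [("db01.internal", 5432), ("wiki.internal", 443)],
    "bob":   [("wiki.internal", 443)],
}


def directory_lookup(session):
    """Hypothetical API call: pass the session's username, receive the hosts it may reach."""
    return [Destination(h, p) for h, p in DIRECTORY.get(session["username"], [])]


@dataclass
class AccessList:
    """Client access list: static access rules plus scripts resolved at tunnel setup."""
    rules: list[Destination]
    scripts: list[Callable[[dict], list[Destination]]]


@dataclass(frozen=True)
class FirewallRule:
    action: str
    host: str
    port: int
    proto: str


def derive_rules(access_list):
    """Translate each static access rule into an allow rule."""
    return [FirewallRule("allow", d.host, d.port, d.proto) for d in access_list.rules]


def execute_scripts(access_list, session):
    """Execute each script against the session context to obtain further destinations."""
    dests = []
    for script in access_list.scripts:
        dests.extend(script(session))
    return dests


def update_rules(rules, destinations):
    """Add allow rules for the obtained destinations, skipping duplicates."""
    updated = list(rules)
    seen = {(r.host, r.port, r.proto) for r in rules}
    for d in destinations:
        key = (d.host, d.port, d.proto)
        if key not in seen:
            seen.add(key)
            updated.append(FirewallRule("allow", d.host, d.port, d.proto))
    return updated


def build_ruleset(access_list, session):
    return update_rules(derive_rules(access_list), execute_scripts(access_list, session))


@dataclass
class Tunnel:
    """The second connection: a tunnel to the gateway carrying its own rule set."""
    gateway: str
    port: int
    rules: list[FirewallRule]


def establish_tunnel(tunnel_list, access_list, session):
    """Use the tunnel list received over the first (control) connection to open the tunnel."""
    return Tunnel(tunnel_list["gateway"], tunnel_list["port"], build_ruleset(access_list, session))


def filter_packet(tunnel, packet):
    """First-match evaluation on the tunnel; anything unmatched is denied by default."""
    for r in tunnel.rules:
        if (r.host, r.port, r.proto) == (packet["dst"], packet["port"], packet["proto"]):
            return r.action == "allow"
    return False


# Constructed demonstration inputs.
ACL = AccessList(rules=[Destination("ntp.internal", 123, "udp")], scripts=[directory_lookup])
TUNNEL_LIST = {"gateway": "vpn.example.test", "port": 443}


def demo(username):
    tunnel = establish_tunnel(TUNNEL_LIST, ACL, {"username": username})
    return {
        "rules": [(r.host, r.port, r.proto) for r in tunnel.rules],
        "db": filter_packet(tunnel, {"dst": "db01.internal", "port": 5432, "proto": "tcp"}),
        "wiki": filter_packet(tunnel, {"dst": "wiki.internal", "port": 443, "proto": "tcp"}),
        "ssh": filter_packet(tunnel, {"dst": "db01.internal", "port": 22, "proto": "tcp"}),
    }


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, demo(user))
```

The point of the ordering is that the script runs once per session with the session's own username, so two clients receiving the same access list end up with different rule sets on their respective tunnels, and a destination the script never returned (the SSH port above) stays blocked by the default deny rather than by an explicit rule.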
20.	Regarding Claim 2, Whittle, in view of Glazemakers, discloses the limitations of Claim 1. Whittle further discloses that the script is a destination firewall rule of the client access list [Para. 0027, 0047, 0050; firewall between private network and Internet with IoT device accessing remote resources].
21.	Regarding Claim 3, Whittle, in view of Glazemakers, discloses the limitations of Claim 2. Whittle further discloses that:
the computer system implements a gateway to a private network [Fig. 1; Para. 0026-27]; and
the script is executed when the client device deploys a tunnel between the client device and the gateway [Para. 0023, 0039; new IoT device may be detected by the firewall when it tries to establish a VPN or use IPSec/SSL, which triggers the generation and retrieval of a PEB and/or modified PEB for the new IoT device].
22.	Regarding Claim 4, Whittle, in view of Glazemakers, discloses the limitations of Claim 3. Whittle further discloses that the client access list is received from an authentication service that manages access to network devices in the private network [Para. 0032-33, 0052-53; PEB retrieved from the upper tiers which can include authentications for the IoT devices].
23.	Regarding Claim 5, Whittle, in view of Glazemakers, discloses the limitations of Claim 4. Whittle further discloses that the client access list comprises a first access rule identifying a first network device of the network devices in the private network, and deriving the set of firewall rules comprises translating the first access rule into multiple firewall rules [Para. 0032-33, 0047, 0052-53; the PEB for an IoT device can comprise authentications, services that the IoT device will access, applications that are used for controlling the IoT device, protocols used, port numbers used, etc.; the PEBs are then used by the executing tier to create network policies for controlling network traffic and activities for the IoT device].
24.	Regarding Claim 6, Whittle, in view of Glazemakers, discloses the limitations of Claim 1. Whittle further discloses that the one or more destinations comprise at least one of network addresses or ports [Para. 0032; IP header of data packet used to adjust PEB for IoT devices].
25.	Regarding Claim 11, Whittle, in view of Glazemakers, discloses the limitations of Claim 1. Whittle further discloses that the computer system implements a gateway [Para. 0022-33; gateway], the method further comprising:
adding the obtained destinations to the client access list [Fig. 4; Para. 0047; a PEB may define multiple remote or local network resources that the IoT device may access]; 
after adding the obtained destinations to the client access list, deriving, using the client access list, one or more new firewall rules [Fig. 4; Para. 0049; executing tier creates network policies for controlling network traffic and activities of IoT devices based on the PEBs or modified PEBs]; and 
applying, by a firewall service, the new firewall rules for a network tunnel between the client device and the gateway [Fig. 4; Para. 0050; executing tier intercepts network traffic of the IoT devices and manages the network traffic and activities of the IoT devices in accordance with corresponding network security policies].
26.	Regarding Claim 12, Whittle, in view of Glazemakers, discloses the limitations of Claim 1. Whittle further discloses that updating the set of firewall rules based on the obtained destinations comprises updating the client access list by adding the obtained destinations [Para. 0047-48; detect a new IoT device to retrieve the PEB or modified PEB of the new IoT device; a PEB may define multiple remote or local network resources that the IoT device may access], and wherein the set of firewall rules is updated based on the updated client access list [Fig. 4; Para. 0049; executing tier creates network policies for controlling network traffic and activities of IoT devices based on the PEBs or modified PEBs].
27.	Regarding Claim 14, Whittle, in view of Glazemakers, discloses the limitations of Claim 13. Whittle further discloses that the instructions are further configured to instruct the at least one processor to receive a connection request from the client device [Para. 0039; firewall detects new IoT device], wherein the client access list is received after receiving the connection request [Para. 0039; PEB of the IoT device is retrieved].
28.	Regarding Claim 15, Whittle, in view of Glazemakers, discloses the limitations of Claim 14. Whittle further discloses that the client access list indicates network devices in a private network that are allowed to communicate with the client device [Para. 0037, 0047; local resources of a private network].
29.	Regarding Claim 16, Whittle, in view of Glazemakers, discloses the limitations of Claim 15. Whittle further discloses that the client access list comprises an access rule that identifies a first network device of the private network by specifying a web service that can access the first network device [Para. 0032, 0037; applications that are used for controlling the IoT device are also included in the PEB; remote access through HTTP can be removed for an IoT device based on local network security policies].
30.	Regarding Claim 17, Whittle, in view of Glazemakers, discloses the limitations of Claim 13. Whittle further discloses that the instructions are further configured to instruct the at least one processor to start a firewall service for a network tunnel between the client device and a gateway, wherein the set of firewall rules is applied by the firewall service [Para. 0023, 0038, 0047; security policies corresponding to the security operations, such as VPN, IPSec/SSL, to remote resources].
31.	Regarding Claim 19, Whittle, in view of Glazemakers, discloses the limitations of Claim 13. Whittle further discloses that the client access list is received from at least one of the client device, or an authentication service [Para. 0048, 0054; PEB retrieved from adapting tier].
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: PGPub. 2007/0300296; U.S. Patent 9,628,444.
Contacts
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Tae K. Kim, whose telephone number is (571) 270-1979.  The examiner can normally be reached on Monday - Friday (10:00 AM - 6:30 PM EST).
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jorge Ortiz-Criado, can be reached on (571) 272-7624.  The fax phone number for submitting all Official communications is (703) 872-9306.  The fax phone number for submitting informal communications such as drafts, proposed amendments, etc., may be faxed directly to the examiner at (571) 270-2979.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov.  Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).
/TAE K KIM/Primary Examiner, Art Unit 2496