Prosecution Insights
Last updated: July 17, 2026
Application No. 18/160,725

Multi-tenant cloud-based firewall systems and methods

Final Rejection §103§112
Filed
Jan 27, 2023
Priority
Nov 17, 2015 — continuation of 10/594,656 +1 more
Examiner
HOLLISTER, JAMES ROSS
Art Unit
2499
Tech Center
2400 — Computer Networks
Assignee
Zscaler Inc.
OA Round
4 (Final)
76%
Grant Probability
Favorable
5-6
OA Rounds
0m
Est. Remaining
99%
With Interview

Examiner Intelligence

Grants 76% — above average
76%
Career Allowance Rate
166 granted / 220 resolved
+17.5% vs TC avg
Strong +25% interview lift
Without
With
+24.9%
Interview Lift
resolved cases with interview
Typical timeline
2y 7m
Avg Prosecution
6 currently pending
Career history
235
Total Applications
across all art units

Statute-Specific Performance

§101
0.2%
-39.8% vs TC avg
§103
98.9%
+58.9% vs TC avg
§102
0.2%
-39.8% vs TC avg
Black line = Tech Center average estimate • Based on career data from 220 resolved cases

Office Action

§103 §112
DETAILED ACTION Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . Summary This action is a responsive to the request for amendment filed on 2/18/2026. Claims 1-20 are pending and have been examined. Claims 1-20 are rejected. Response to Arguments Rejection of Claims under 35 USC 103 Applicant’s Response: Applicant submits that the cited references fail to teach the newly added limitations. Examiner’s Response: Applicant’s arguments with respect to claims 1, 8, 15 have been considered but are moot because the arguments are directed to amended subject matter properly addressed with the newly cited references of Sinha et al. (US 8464335 B1) and Nantel (US 20160173446 A1). The combination of Sinha et al. (US 8464335 B1) and Purusothaman et al. (US 20170017720 A1) and Nantel (US 20160173446 A1) teaches the language of the independent claims. All remaining arguments are now moot in regards to the new rejection. Claim Rejections - 35 USC § 112 The following is a quotation of the first paragraph of 35 U.S.C. 112(a): (a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention. The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112: The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention. Claims 1-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The newly added claim limitation in claims 1, 8 , 15 (“the tenant-specific reports are generated from the logging without reliance on host-based capture agents or external audit proxy log annotation”) is not supported by the specification. Nowhere in the specification is it taught that “reports are generated from the logging without reliance on host-based capture agents or external audit proxy log annotation”. The specification only cites host-based agents in the background and fails to positively recite this negative limitation when describing the invention. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1, 5, 8, 12, 15 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Sinha et al. (US 8464335 B1) and further in view of Purusothaman et al. (US 20170017720 A1) and Nantel (US 20160173446 A1). As to claim 1, Sinha et al. teaches A non-transitory computer-readable storage medium having computer readable code stored thereon for programming a processor, in a node of a multi-tenant cloud-based security system, to perform steps of: receiving one or more packets associated with a plurality of tenants of the cloud- based security system, the one or more packets being received from a network device external to the node (See Col 16 Ln 14, Col 3 Ln 53, Teaches that Referring to FIG. 6, in an exemplary embodiment, a network 600 illustrates the client 504 connected to an enforcement node 602 via a VPN tunnel 604. In an exemplary embodiment, the present invention may include the enforcement node 602 which is the VPN gateway 510 and provides data inspection, policy enforcement, malware detection, and the like through an inspection block 606. The enforcement node 602 serves as a gateway to a third party network/Internet 608. Further, in an exemplary embodiment, the enforcement node 602 may include one of the processing nodes 110 in the system 100. In operation, the enforcement node 602 is configured to terminate VPN tunnels from different mobile devices 504, such as through the third party network/Internet 608. Since the VPN brings all traffic to the enforcement node 602, not just HTTP(s)-based web traffic, the enforcement node 602 may be configured to separate out the protocols for further processing with the inspection block 606 (e.g., web, email) from others that are bypassed. Once processed or bypassed from the enforcement node 602, data may be communicated to the Internet 608. Traffic from various mobile user devices are securely brought to various distributed enforcement nodes using a multi-tenant VPN.); processing the one or more packets utilizing firewall policies of one or more firewall sessions based on a tenant associated with each of the one or more packets to determine whether or not to block the one or more packets from transmission over a network (See Col 2 Ln 28, Col 3 Ln 57, Teaches that By inspecting traffic from that known location, malware could be filtered out and user based policy could be enforced. This means all network content is scanned, both browser and application generated web traffic, to ensure that malicious content is blocked in the cloud—long before it reaches the mobile device, or the corporate network.); logging information associated with the one or more firewall sessions (See Col 5 Ln 50, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system.); and producing one or more tenant-specific reports based on the logging of the one or more firewall sessions (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like.), the tenant-specific reports including a plurality of fields associated with the one or more firewall sessions comprising at least a session duration, a time stamp, a user, a location, source and destination Internet Protocol (IP) addresses, ports, matched firewall rules, firewall services, firewall applications, and actions (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like), wherein the logging is performed by the node in-line in a firewall engine data path for the one or more packets and the tenant-specific reports are generated from the logging without reliance on host-based capture agents or external audit proxy log annotation (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like). However, it does not expressly teach the details of a session duration, a time stamp, source and destination Internet Protocol (IP) addresses, ports, matched firewall rules, firewall services, firewall applications, and actions. Purusothaman et al., from analogous art, teaches source and destination Internet Protocol (IP) addresses, matched firewall rules, firewall services, firewall applications, and actions (See ¶ [0030], Teaches that The ADC support module 210 may be configured to back up and restore the ADC device. The firewall support module 212 is configured to search and retrieve at least one of (i) one or more rules, and (ii) one or more policies of firewall devices based on the search query. In one embodiment, the firewall support module 212 is configured to provide details of the one or more rules inside a policy of the firewall devices as follows: (i) a rule name, (ii) source/destination network objects (e.g., IP, Netmask, Range, fully qualified domain name, Dynamic, single network object, multiple network objects, or group of network objects) of a rule, (iii) an application ID of a rule, (iv) an application/services (e.g., single service, multiple services, or group of services), (v) action taken on a rule, (vi) log settings of a rule, (vii) details of installation of a rule/policy in a firewall device, and (viii) a policy name of the rule. In another embodiment, the firewall support module 212 is configured to provide details of the one or more rules inside a policy of the firewall devices such as source zone of the rule, source user of the rule, destination zone of the rule, profile information of the rule, profile type of the rule, context name of the rule, description of the rule, schedule profile information of the rule, vendor of the rule, target device of the rule. In yet another embodiment, the firewall support module 212 is further configured to tag the one or more rules, and the one or more policies that match the search query to an application ID to manage the one or more rules, and the one or more policies.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Purusothaman et al. into Sinha et al. in order to search and manage one or more objects (e.g., a rule/policy of a firewall device, a certificate, a domain name system (DNS) record, an application delivery controller (ADC) device, and objects of the ADC device) across data centers (See Purusothaman et al. ¶ [0006]). However, it does not expressly teach the details of a session duration, a time stamp, ports. Nantel, from analogous art, teaches source and destination Internet Protocol (IP) addresses, matched firewall rules, firewall services, firewall applications, and actions (See ¶ [0039], Teaches that generate customized/generic reports that can include different attributes of threats, including, but not limited to timestamp/timeframe of threat, duration of threat, source-destination details of threat, severity, action taken, ports involved, volume, and impact on system, among other such parameters.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Nantel into the combination of Sinha et al. and Purusothaman et al. in order to protect end-points 102 from security threats (e.g., viruses, intrusions, trojans, exploits, spyware, unexpected data streams, blocked content, security breaches, security violating applications, malware attacks and Denial of Service (DoS)/Distributed DoS (DDoS) attacks). (See Nantel ¶ [0035]). As to claim 5, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the non-transitory computer-readable storage medium according to claim 1 above. Sinha et al. further teaches wherein the steps include producing a plurality of reports, and wherein the plurality of reports are produced for any of a particular user, a particular Internet Protocol (IP) address, or group of IP addresses (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like). As to claim 8, Sinha et al. teaches A node in a multi-tenant cloud-based security system, comprising: a processor and memory storing instructions that, when executed, cause the processor to: receive one or more packets associated with a plurality of tenants of the cloud-based security system, the one or more packets being received from a network device external to the node (See Col 16 Ln 14, Col 3 Ln 53, Teaches that Referring to FIG. 6, in an exemplary embodiment, a network 600 illustrates the client 504 connected to an enforcement node 602 via a VPN tunnel 604. In an exemplary embodiment, the present invention may include the enforcement node 602 which is the VPN gateway 510 and provides data inspection, policy enforcement, malware detection, and the like through an inspection block 606. The enforcement node 602 serves as a gateway to a third party network/Internet 608. Further, in an exemplary embodiment, the enforcement node 602 may include one of the processing nodes 110 in the system 100. In operation, the enforcement node 602 is configured to terminate VPN tunnels from different mobile devices 504, such as through the third party network/Internet 608. Since the VPN brings all traffic to the enforcement node 602, not just HTTP(s)-based web traffic, the enforcement node 602 may be configured to separate out the protocols for further processing with the inspection block 606 (e.g., web, email) from others that are bypassed. Once processed or bypassed from the enforcement node 602, data may be communicated to the Internet 608. Traffic from various mobile user devices are securely brought to various distributed enforcement nodes using a multi-tenant VPN.); process the one or more packets utilizing firewall policies of one or more firewall sessions based on a tenant associated with each of the one or more packets to determine whether or not to block the one or more packets from transmission over a network (See Col 2 Ln 28, Col 3 Ln 57, Teaches that By inspecting traffic from that known location, malware could be filtered out and user based policy could be enforced. This means all network content is scanned, both browser and application generated web traffic, to ensure that malicious content is blocked in the cloud—long before it reaches the mobile device, or the corporate network.); log information associated with the one or more firewall sessions (See Col 5 Ln 50, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system.); and produce one or more tenant-specific reports based on the logging of the one or more firewall sessions (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like.), the tenant-specific reports including a plurality of fields associated with the one or more firewall sessions comprising at least a session duration, a time stamp, a user, a location, source and destination Internet Protocol (IP) addresses, ports, matched firewall rules, firewall services, firewall applications, and actions (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like), wherein the information is logged by the node in-line in a firewall engine data path for the one or more packets and the tenant-specific reports are generated from the logging without reliance on host-based capture agents or external audit proxy log annotation (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like). However, it does not expressly teach the details of a session duration, a time stamp, source and destination Internet Protocol (IP) addresses, ports, matched firewall rules, firewall services, firewall applications, and actions. Purusothaman et al., from analogous art, teaches source and destination Internet Protocol (IP) addresses, matched firewall rules, firewall services, firewall applications, and actions (See ¶ [0030], Teaches that The ADC support module 210 may be configured to back up and restore the ADC device. The firewall support module 212 is configured to search and retrieve at least one of (i) one or more rules, and (ii) one or more policies of firewall devices based on the search query. In one embodiment, the firewall support module 212 is configured to provide details of the one or more rules inside a policy of the firewall devices as follows: (i) a rule name, (ii) source/destination network objects (e.g., IP, Netmask, Range, fully qualified domain name, Dynamic, single network object, multiple network objects, or group of network objects) of a rule, (iii) an application ID of a rule, (iv) an application/services (e.g., single service, multiple services, or group of services), (v) action taken on a rule, (vi) log settings of a rule, (vii) details of installation of a rule/policy in a firewall device, and (viii) a policy name of the rule. In another embodiment, the firewall support module 212 is configured to provide details of the one or more rules inside a policy of the firewall devices such as source zone of the rule, source user of the rule, destination zone of the rule, profile information of the rule, profile type of the rule, context name of the rule, description of the rule, schedule profile information of the rule, vendor of the rule, target device of the rule. In yet another embodiment, the firewall support module 212 is further configured to tag the one or more rules, and the one or more policies that match the search query to an application ID to manage the one or more rules, and the one or more policies.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Purusothaman et al. into Sinha et al. in order to search and manage one or more objects (e.g., a rule/policy of a firewall device, a certificate, a domain name system (DNS) record, an application delivery controller (ADC) device, and objects of the ADC device) across data centers (See Purusothaman et al. ¶ [0006]). However, it does not expressly teach the details of a session duration, a time stamp, ports. Nantel, from analogous art, teaches source and destination Internet Protocol (IP) addresses, matched firewall rules, firewall services, firewall applications, and actions (See ¶ [0039], Teaches that generate customized/generic reports that can include different attributes of threats, including, but not limited to timestamp/timeframe of threat, duration of threat, source-destination details of threat, severity, action taken, ports involved, volume, and impact on system, among other such parameters.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Nantel into the combination of Sinha et al. and Purusothaman et al. in order to protect end-points 102 from security threats (e.g., viruses, intrusions, trojans, exploits, spyware, unexpected data streams, blocked content, security breaches, security violating applications, malware attacks and Denial of Service (DoS)/Distributed DoS (DDoS) attacks). (See Nantel ¶ [0035]). As to claim 12, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the node according to claim 8 above. Sinha et al. further teaches wherein the instructions cause the processor to produce a plurality of reports, and wherein the plurality of reports are produced for any of a particular user, a particular Internet Protocol (IP) address, or group of IP addresses (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like). As to claim 15, Sinha et al. teaches A method implemented in a node of a multi-tenant cloud- based security system, the method comprising steps of: receiving one or more packets associated with a plurality of tenants of the cloud- based security system, the one or more packets being received from a network device external to the node (See Col 16 Ln 14, Col 3 Ln 53, Teaches that Referring to FIG. 6, in an exemplary embodiment, a network 600 illustrates the client 504 connected to an enforcement node 602 via a VPN tunnel 604. In an exemplary embodiment, the present invention may include the enforcement node 602 which is the VPN gateway 510 and provides data inspection, policy enforcement, malware detection, and the like through an inspection block 606. The enforcement node 602 serves as a gateway to a third party network/Internet 608. Further, in an exemplary embodiment, the enforcement node 602 may include one of the processing nodes 110 in the system 100. In operation, the enforcement node 602 is configured to terminate VPN tunnels from different mobile devices 504, such as through the third party network/Internet 608. Since the VPN brings all traffic to the enforcement node 602, not just HTTP(s)-based web traffic, the enforcement node 602 may be configured to separate out the protocols for further processing with the inspection block 606 (e.g., web, email) from others that are bypassed. Once processed or bypassed from the enforcement node 602, data may be communicated to the Internet 608. Traffic from various mobile user devices are securely brought to various distributed enforcement nodes using a multi-tenant VPN.); processing the one or more packets utilizing firewall policies of one or more firewall sessions based on a tenant associated with each of the one or more packets to determine whether or not to block the one or more packets from transmission over a network (See Col 2 Ln 28, Col 3 Ln 57, Teaches that By inspecting traffic from that known location, malware could be filtered out and user based policy could be enforced. This means all network content is scanned, both browser and application generated web traffic, to ensure that malicious content is blocked in the cloud—long before it reaches the mobile device, or the corporate network.); logging information associated with the one or more firewall sessions (See Col 5 Ln 50, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system.); and producing one or more tenant-specific reports based on the logging of the one or more firewall sessions (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like.), the tenant-specific reports including a plurality of fields associated with the one or more firewall sessions comprising at least a session duration, a time stamp, a user, a location, source and destination Internet Protocol (IP) addresses, ports, matched firewall rules, firewall services, firewall applications, and actions (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like), wherein the logging is performed by the node in-line in a firewall engine data path for the one or more packets and the tenant-specific reports are generated from the logging without reliance on host-based capture agents or external audit proxy log annotation (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like). However, it does not expressly teach the details of a session duration, a time stamp, source and destination Internet Protocol (IP) addresses, ports, matched firewall rules, firewall services, firewall applications, and actions. Purusothaman et al., from analogous art, teaches source and destination Internet Protocol (IP) addresses, matched firewall rules, firewall services, firewall applications, and actions (See ¶ [0030], Teaches that The ADC support module 210 may be configured to back up and restore the ADC device. The firewall support module 212 is configured to search and retrieve at least one of (i) one or more rules, and (ii) one or more policies of firewall devices based on the search query. In one embodiment, the firewall support module 212 is configured to provide details of the one or more rules inside a policy of the firewall devices as follows: (i) a rule name, (ii) source/destination network objects (e.g., IP, Netmask, Range, fully qualified domain name, Dynamic, single network object, multiple network objects, or group of network objects) of a rule, (iii) an application ID of a rule, (iv) an application/services (e.g., single service, multiple services, or group of services), (v) action taken on a rule, (vi) log settings of a rule, (vii) details of installation of a rule/policy in a firewall device, and (viii) a policy name of the rule. In another embodiment, the firewall support module 212 is configured to provide details of the one or more rules inside a policy of the firewall devices such as source zone of the rule, source user of the rule, destination zone of the rule, profile information of the rule, profile type of the rule, context name of the rule, description of the rule, schedule profile information of the rule, vendor of the rule, target device of the rule. In yet another embodiment, the firewall support module 212 is further configured to tag the one or more rules, and the one or more policies that match the search query to an application ID to manage the one or more rules, and the one or more policies.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Purusothaman et al. into Sinha et al. in order to search and manage one or more objects (e.g., a rule/policy of a firewall device, a certificate, a domain name system (DNS) record, an application delivery controller (ADC) device, and objects of the ADC device) across data centers (See Purusothaman et al. ¶ [0006]). However, it does not expressly teach the details of a session duration, a time stamp, ports. Nantel, from analogous art, teaches source and destination Internet Protocol (IP) addresses, matched firewall rules, firewall services, firewall applications, and actions (See ¶ [0039], Teaches that generate customized/generic reports that can include different attributes of threats, including, but not limited to timestamp/timeframe of threat, duration of threat, source-destination details of threat, severity, action taken, ports involved, volume, and impact on system, among other such parameters.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Nantel into the combination of Sinha et al. and Purusothaman et al. in order to protect end-points 102 from security threats (e.g., viruses, intrusions, trojans, exploits, spyware, unexpected data streams, blocked content, security breaches, security violating applications, malware attacks and Denial of Service (DoS)/Distributed DoS (DDoS) attacks). (See Nantel ¶ [0035]). As to claim 19, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the method according to claim 15 above. Sinha et al. further teaches wherein the steps include producing a plurality of reports, and wherein the plurality of reports are produced for any of a particular user, a particular Internet Protocol (IP) address, or group of IP addresses (See Col 5 Ln 50, Col 4 Ln 3, Teaches that Another application capability that may be provided through the user interface front-end 130 is security analysis and log reporting. The underlying data on which the security analysis and log reporting functions operate are stored in logging nodes (LN) 140, which serve as a data logging layer 160. Each of the logging nodes 140 may store data related to security operations and network traffic processed by the processing nodes 110 for each external system. the present invention provides real-time logs and reports for any user, from any location, on any device, at any time; and the like). Claims 2 ,4, 6, 9, 11, 13, 16, 18 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Sinha et al. (US 8464335 B1) and further in view of Purusothaman et al. (US 20170017720 A1) and Nantel (US 20160173446 A1) and further in view of Bejarano Ardila et al. (US 20170126740 A1). As to claim 2, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the non-transitory computer-readable storage medium according to claim 1. However, it does not expressly teach the details of wherein the one or more tenant-specific reports include information identifying top destinations traversing the network and top firewall threats detected by the one or more firewall sessions. Bejarano Ardila et al., from analogous art, teaches wherein the one or more tenant-specific reports include information identifying top destinations traversing the network and top firewall threats detected by the one or more firewall sessions (See ¶ [0056], [0061], Teaches that For example, visualization module 18 may generate a graphical representation of a map 400 (here, a world map) associated with a security domain (e.g., an enterprise or service provider network) and display statistics such as a total threat count 401, total intrusion prevention system (IPS)events 402, total anti-virus (AV) events 403, total anti-spam events 404, total device authorizations 405 (e.g., successful and/or unsuccessful logins), top destination devices 406, top destination countries 407, top source devices 408,top source countries (not shown), and other information related to aggregated threats. In one embodiment, visualization module 18 may generate a live threat aggregated representation to include one or more variable graphical indicators (e.g., color-code, variations in line thickness, size variations) associated with threats to represent varying magnitude or categories of threats. The threat name 501 may include the name of the potential malicious activity, such as the virus name or malware name. The count 502 may include a counter signifying the number of threats that repeatedly occur within security devices 5. The start time 503 may include time and date information of the threat. The severity 504 may include information on the level of severity of the threat and may be displayed as a graphical or numerical representation.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to the combination of Sinha et al. and Purusothaman et al. and Nantel in order to optimize the placement of automatically generated rules within security policies (See Bejarano Ardila et al. ¶ [0007]). As to claim 4, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the non-transitory computer-readable storage medium according to claim 1 above. However, it does not expressly teach the details of wherein the one or more tenant-specific reports are produced as one of a real-time report generated by compressed stats and an analyze report generated by full session log analysis. Bejarano Ardila et al., from analogous art, teaches wherein the one or more tenant-specific reports are produced as one of a real-time report generated by compressed stats and an analyze report generated by full session log analysis (See ¶¶ [0056], [0097], Teaches that For example, visualization module 18 may generate a graphical representation of a map 400 (here, a world map) associated with a security domain (e.g., an enterprise or service provider network) and display statistics such as a total threat count 401, total intrusion prevention system (IPS) events 402, total anti-virus (AV) events 403, total anti-spam events 404, total device authorizations 405 (e.g., successful and/or unsuccessful logins), top destination devices 406, top destination countries 407, top source devices 408, top source countries (not shown), and other information related to aggregated threats. In one embodiment, visualization module 18 may generate a live threat aggregated representation to include one or more variable graphical indicators (e.g., color-code, variations in line thickness, size variations) associated with threats to represent varying magnitude or categories of threats. Administrator 12 may configure policies directly from the display of real-time or near real-time threats and/or through various graphical representations of filtered event data associated with threats. Upon receiving the configuration input from administrator 12, security management system 10 may automatically generate newly configured or updated security policies including ordered rules using policy/rule module 20 (110).). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bejarano Ardila et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to optimize the placement of automatically generated rules within security policies (See Bejarano Ardila et al. ¶ [0007]). As to claim 6, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the non-transitory computer-readable storage medium according to claim 1 above. However, it does not expressly teach the details of wherein the steps further include: providing an interactive display of firewall insights, the display including graphs of usage trends through the one or more firewall sessions. Bejarano Ardila et al., from analogous art, teaches wherein the steps further include: providing an interactive display of firewall insights, the display including graphs of usage trends through the one or more firewall sessions (See ¶ [0057], Teaches that FIG. 4B illustrates another example user interface generated by security management system 10 by which administrator 12 may view aggregate threat data of application usage, in one aspect of the disclosure. In one example, threat data aggregator 14 may aggregate threat data for packet flows that have been identified as particular software applications by security devices 5, where the user interface provides a graphical indicator representative of usage associated with the different types of applications such as number of user sessions with an application and/or bandwidth consumed by an application. Visualization module 18 may generate a graphical representation of the aggregate threat data associated with application usage, such as the example chart view in FIG. 4B. In another approach, visualization module 18 may generate a graphical representation of the aggregated threat data with graphical indicators 421 (e.g., variable sizing and/or color) that may represent the magnitude of application usage and/or severity of threat (e.g., bandwidth consumed from application usage, number of sessions, etc.). Threat control module 17 may then present the graphical representation of aggregated threat data that displays top sessions or bandwidth usage by application based on category (e.g., web 411, multimedia 412, messaging 413, social 414, and/or infrastructure 415). Threat control module 17 may further present an interface displaying top sessions or bandwidth usage by applications based on characteristic (e.g., loss of productivity 416, prone to misuse 417, can leak information 418, supports file transfer 419, and/or bandwidth consumed 420) and for configuration of security devices 5 in response to detecting a threat.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bejarano Ardila et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to optimize the placement of automatically generated rules within security policies (See Bejarano Ardila et al. ¶ [0007]). As to claim 9, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the node according to claim 1. However, it does not expressly teach the details of wherein the one or more tenant- specific reports include information identifying top destinations traversing the network and top firewall threats detected by the one or more firewall sessions. Bejarano Ardila et al., from analogous art, teaches wherein the one or more tenant- specific reports include information identifying top destinations traversing the network and top firewall threats detected by the one or more firewall sessions (See ¶ [0056], [0061], Teaches that For example, visualization module 18 may generate a graphical representation of a map 400 (here, a world map) associated with a security domain (e.g., an enterprise or service provider network) and display statistics such as a total threat count 401, total intrusion prevention system (IPS)events 402, total anti-virus (AV) events 403, total anti-spam events 404, total device authorizations 405 (e.g., successful and/or unsuccessful logins), top destination devices 406, top destination countries 407, top source devices 408,top source countries (not shown), and other information related to aggregated threats. In one embodiment, visualization module 18 may generate a live threat aggregated representation to include one or more variable graphical indicators (e.g., color-code, variations in line thickness, size variations) associated with threats to represent varying magnitude or categories of threats. The threat name 501 may include the name of the potential malicious activity, such as the virus name or malware name. The count 502 may include a counter signifying the number of threats that repeatedly occur within security devices 5. The start time 503 may include time and date information of the threat. The severity 504 may include information on the level of severity of the threat and may be displayed as a graphical or numerical representation.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to the combination of Sinha et al. and Purusothaman et al. and Nantel in order to optimize the placement of automatically generated rules within security policies (See Bejarano Ardila et al. ¶ [0007]). As to claim 11, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the node according to claim 8 above. However, it does not expressly teach the details of wherein the one or more tenant-specific reports are produced as one of a real-time report generated by compressed stats and an analyze report generated by full session log analysis. Bejarano Ardila et al., from analogous art, teaches wherein the one or more tenant-specific reports are produced as one of a real-time report generated by compressed stats and an analyze report generated by full session log analysis (See ¶¶ [0056], [0097], Teaches that For example, visualization module 18 may generate a graphical representation of a map 400 (here, a world map) associated with a security domain (e.g., an enterprise or service provider network) and display statistics such as a total threat count 401, total intrusion prevention system (IPS) events 402, total anti-virus (AV) events 403, total anti-spam events 404, total device authorizations 405 (e.g., successful and/or unsuccessful logins), top destination devices 406, top destination countries 407, top source devices 408, top source countries (not shown), and other information related to aggregated threats. In one embodiment, visualization module 18 may generate a live threat aggregated representation to include one or more variable graphical indicators (e.g., color-code, variations in line thickness, size variations) associated with threats to represent varying magnitude or categories of threats. Administrator 12 may configure policies directly from the display of real-time or near real-time threats and/or through various graphical representations of filtered event data associated with threats. Upon receiving the configuration input from administrator 12, security management system 10 may automatically generate newly configured or updated security policies including ordered rules using policy/rule module 20 (110).). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bejarano Ardila et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to optimize the placement of automatically generated rules within security policies (See Bejarano Ardila et al. ¶ [0007]). As to claim 13, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the node according to claim 8 above. However, it does not expressly teach the details of wherein the instructions further cause the processor to: provide an interactive display of firewall insights, the display including graphs of usage trends through the one or more firewall sessions. Bejarano Ardila et al., from analogous art, teaches wherein the instructions further cause the processor to: provide an interactive display of firewall insights, the display including graphs of usage trends through the one or more firewall sessions (See ¶ [0057], Teaches that FIG. 4B illustrates another example user interface generated by security management system 10 by which administrator 12 may view aggregate threat data of application usage, in one aspect of the disclosure. In one example, threat data aggregator 14 may aggregate threat data for packet flows that have been identified as particular software applications by security devices 5, where the user interface provides a graphical indicator representative of usage associated with the different types of applications such as number of user sessions with an application and/or bandwidth consumed by an application. Visualization module 18 may generate a graphical representation of the aggregate threat data associated with application usage, such as the example chart view in FIG. 4B. In another approach, visualization module 18 may generate a graphical representation of the aggregated threat data with graphical indicators 421 (e.g., variable sizing and/or color) that may represent the magnitude of application usage and/or severity of threat (e.g., bandwidth consumed from application usage, number of sessions, etc.). Threat control module 17 may then present the graphical representation of aggregated threat data that displays top sessions or bandwidth usage by application based on category (e.g., web 411, multimedia 412, messaging 413, social 414, and/or infrastructure 415). Threat control module 17 may further present an interface displaying top sessions or bandwidth usage by applications based on characteristic (e.g., loss of productivity 416, prone to misuse 417, can leak information 418, supports file transfer 419, and/or bandwidth consumed 420) and for configuration of security devices 5 in response to detecting a threat.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bejarano Ardila et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to optimize the placement of automatically generated rules within security policies (See Bejarano Ardila et al. ¶ [0007]). As to claim 16, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the method according to claim 15. However, it does not expressly teach the details of wherein the one or more tenant- specific reports include information identifying top destinations traversing the network and top firewall threats detected by the one or more firewall sessions. Bejarano Ardila et al., from analogous art, teaches wherein the one or more tenant- specific reports include information identifying top destinations traversing the network and top firewall threats detected by the one or more firewall sessions (See ¶ [0056], [0061], Teaches that For example, visualization module 18 may generate a graphical representation of a map 400 (here, a world map) associated with a security domain (e.g., an enterprise or service provider network) and display statistics such as a total threat count 401, total intrusion prevention system (IPS)events 402, total anti-virus (AV) events 403, total anti-spam events 404, total device authorizations 405 (e.g., successful and/or unsuccessful logins), top destination devices 406, top destination countries 407, top source devices 408,top source countries (not shown), and other information related to aggregated threats. In one embodiment, visualization module 18 may generate a live threat aggregated representation to include one or more variable graphical indicators (e.g., color-code, variations in line thickness, size variations) associated with threats to represent varying magnitude or categories of threats. The threat name 501 may include the name of the potential malicious activity, such as the virus name or malware name. The count 502 may include a counter signifying the number of threats that repeatedly occur within security devices 5. The start time 503 may include time and date information of the threat. The severity 504 may include information on the level of severity of the threat and may be displayed as a graphical or numerical representation.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to the combination of Sinha et al. and Purusothaman et al. and Nantel in order to optimize the placement of automatically generated rules within security policies (See Bejarano Ardila et al. ¶ [0007]). As to claim 18, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the method according to claim 15 above. However, it does not expressly teach the details of wherein the one or more tenant- specific reports are produced as one of a real-time report generated by compressed stats and an analyze report generated by full session log analysis. Bejarano Ardila et al., from analogous art, teaches wherein the one or more tenant- specific reports are produced as one of a real-time report generated by compressed stats and an analyze report generated by full session log analysis (See ¶¶ [0056], [0097], Teaches that For example, visualization module 18 may generate a graphical representation of a map 400 (here, a world map) associated with a security domain (e.g., an enterprise or service provider network) and display statistics such as a total threat count 401, total intrusion prevention system (IPS) events 402, total anti-virus (AV) events 403, total anti-spam events 404, total device authorizations 405 (e.g., successful and/or unsuccessful logins), top destination devices 406, top destination countries 407, top source devices 408, top source countries (not shown), and other information related to aggregated threats. In one embodiment, visualization module 18 may generate a live threat aggregated representation to include one or more variable graphical indicators (e.g., color-code, variations in line thickness, size variations) associated with threats to represent varying magnitude or categories of threats. Administrator 12 may configure policies directly from the display of real-time or near real-time threats and/or through various graphical representations of filtered event data associated with threats. Upon receiving the configuration input from administrator 12, security management system 10 may automatically generate newly configured or updated security policies including ordered rules using policy/rule module 20 (110).). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bejarano Ardila et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to optimize the placement of automatically generated rules within security policies (See Bejarano Ardila et al. ¶ [0007]). As to claim 20, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the method according to claim 15 above. However, it does not expressly teach the details of wherein the steps further include: providing an interactive display of firewall insights, the display including graphs of usage trends through the one or more firewall sessions. Bejarano Ardila et al., from analogous art, teaches wherein the steps further include: providing an interactive display of firewall insights, the display including graphs of usage trends through the one or more firewall sessions (See ¶ [0057], Teaches that FIG. 4B illustrates another example user interface generated by security management system 10 by which administrator 12 may view aggregate threat data of application usage, in one aspect of the disclosure. In one example, threat data aggregator 14 may aggregate threat data for packet flows that have been identified as particular software applications by security devices 5, where the user interface provides a graphical indicator representative of usage associated with the different types of applications such as number of user sessions with an application and/or bandwidth consumed by an application. Visualization module 18 may generate a graphical representation of the aggregate threat data associated with application usage, such as the example chart view in FIG. 4B. In another approach, visualization module 18 may generate a graphical representation of the aggregated threat data with graphical indicators 421 (e.g., variable sizing and/or color) that may represent the magnitude of application usage and/or severity of threat (e.g., bandwidth consumed from application usage, number of sessions, etc.). Threat control module 17 may then present the graphical representation of aggregated threat data that displays top sessions or bandwidth usage by application based on category (e.g., web 411, multimedia 412, messaging 413, social 414, and/or infrastructure 415). Threat control module 17 may further present an interface displaying top sessions or bandwidth usage by applications based on characteristic (e.g., loss of productivity 416, prone to misuse 417, can leak information 418, supports file transfer 419, and/or bandwidth consumed 420) and for configuration of security devices 5 in response to detecting a threat.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Bejarano Ardila et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to optimize the placement of automatically generated rules within security policies (See Bejarano Ardila et al. ¶ [0007]). Claims 3, 10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Sinha et al. (US 8464335 B1) and further in view of Purusothaman et al. (US 20170017720 A1) and Nantel (US 20160173446 A1) and further in view of Ginter et al. (US 20050015624 A1). As to claim 3, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the non-transitory computer-readable storage medium according to claim 1 above. However, it does not expressly teach the details of wherein the logging is configured for one of aggregate logging and full logging. Ginter et al., from analogous art, teaches wherein the logging is configured for one of aggregate logging and full logging (See ¶ [0218], Teaches that Once the metric aggregator and analyzer 358 has determined that a message is to be reported to the Watch server 50, such as for immediate reporting or periodic reporting of aggregated data over a predetermined time period, the metric aggregator and analyzer 358 may send data to the XML data rendering module 362 to form the message.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Ginter et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to take into account a wide variety of conditions relating to performance, health and security information about the industrial network, such as may be obtained using the monitoring data, as well as other factors reflecting conditions external to the industrial network (See Ginter et al. ¶ [0006]). As to claim 10, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the node according to claim 8 above. However, it does not expressly teach the details of wherein the logging is configured for one of aggregate logging and full logging. Ginter et al., from analogous art, teaches wherein the logging is configured for one of aggregate logging and full logging (See ¶ [0218], Teaches that Once the metric aggregator and analyzer 358 has determined that a message is to be reported to the Watch server 50, such as for immediate reporting or periodic reporting of aggregated data over a predetermined time period, the metric aggregator and analyzer 358 may send data to the XML data rendering module 362 to form the message.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Ginter et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to take into account a wide variety of conditions relating to performance, health and security information about the industrial network, such as may be obtained using the monitoring data, as well as other factors reflecting conditions external to the industrial network (See Ginter et al. ¶ [0006]). As to claim 17, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the method according to claim 15 above. However, it does not expressly teach the details of wherein the logging is configured for one of aggregate logging and full logging. Ginter et al., from analogous art, teaches wherein the logging is configured for one of aggregate logging and full logging (See ¶ [0218], Teaches that Once the metric aggregator and analyzer 358 has determined that a message is to be reported to the Watch server 50, such as for immediate reporting or periodic reporting of aggregated data over a predetermined time period, the metric aggregator and analyzer 358 may send data to the XML data rendering module 362 to form the message.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of Ginter et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to take into account a wide variety of conditions relating to performance, health and security information about the industrial network, such as may be obtained using the monitoring data, as well as other factors reflecting conditions external to the industrial network (See Ginter et al. ¶ [0006]). Claims 7, 14 are rejected under 35 U.S.C. 103 as being unpatentable over Sinha et al. (US 8464335 B1) and further in view of Purusothaman et al. (US 20170017720 A1) and Nantel (US 20160173446 A1) and further in view of NATARAJAN et al. (US 20140208426 A1). As to claim 7, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the non-transitory computer-readable storage medium according to claim 1 above. However, it does not expressly teach the details of wherein the steps further include: detecting a zero-day/zero-hour threat based on a tenant-specific report; and updating the one or more firewall sessions of each of the plurality of tenants based thereon, thereby providing a defense for the zero-day/zero-hour threat across the multi-tenant cloud-based security system. NATARAJAN et al., from analogous art, teaches wherein the steps further include: detecting a zero-day/zero-hour threat based on a tenant-specific report; and updating the one or more firewall sessions of each of the plurality of tenants based thereon, thereby providing a defense for the zero-day/zero-hour threat across the multi-tenant cloud-based security system (See ¶¶ [0058], [0068] Teaches that once the content item is classified, the processing node manager 118 generates a threat data update that includes data indicating the threat classification for the content item from the threat detection process, and transmits the threat data update to an authority node 120. The authority node manager 128 may then update the master threat data 124. Thereafter, any future requests for related to responsive threat data for the content item from other processing nodes 110 can be readily served with responsive threat data. The cloud system 500 may be configured to perform various functions such as spam filtering, uniform resource locator (URL) filtering, antivirus protection, bandwidth control, data loss prevention, zero day vulnerability protection, web 2.0 features, malware detection and blocking, and the like.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of NATARAJAN et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to quickly detect malware and pass this detection on to provide zero day/zero hour protection (See NATARAJAN et al. ¶ [0003]). As to claim 14, the combination of Sinha et al. and Purusothaman et al. and Nantel teaches the node according to claim 8 above. However, it does not expressly teach the details of wherein the instructions further cause the processor to: detect a zero-day/zero-hour threat based on a tenant-specific report; and update the one or more firewall sessions of each of the plurality of tenants based thereon, thereby providing a defense for the zero-day/zero-hour threat across the multi-tenant cloud-based security system. NATARAJAN et al., from analogous art, teaches wherein the instructions further cause the processor to: detect a zero-day/zero-hour threat based on a tenant-specific report; and update the one or more firewall sessions of each of the plurality of tenants based thereon, thereby providing a defense for the zero-day/zero-hour threat across the multi-tenant cloud-based security system (See ¶¶ [0058], [0068] Teaches that once the content item is classified, the processing node manager 118 generates a threat data update that includes data indicating the threat classification for the content item from the threat detection process, and transmits the threat data update to an authority node 120. The authority node manager 128 may then update the master threat data 124. Thereafter, any future requests for related to responsive threat data for the content item from other processing nodes 110 can be readily served with responsive threat data. The cloud system 500 may be configured to perform various functions such as spam filtering, uniform resource locator (URL) filtering, antivirus protection, bandwidth control, data loss prevention, zero day vulnerability protection, web 2.0 features, malware detection and blocking, and the like.). Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teaching of NATARAJAN et al. into the combination of Sinha et al. and Purusothaman et al. and Nantel in order to quickly detect malware and pass this detection on to provide zero day/zero hour protection (See NATARAJAN et al. ¶ [0003]). Conclusion Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the examiner should be directed to James R Hollister whose telephone number is (571)270-3152. The examiner can normally be reached Mon - Fri 7:30 am - 4:00 pm. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached at (571) 272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. James Hollister /J.R.H./Examiner, Art Unit 2499 5/23/26 /PHILIP J CHEA/Supervisory Patent Examiner, Art Unit 2499
Read full office action

Prosecution Timeline

Show 2 earlier events
Apr 07, 2025
Response Filed
Jul 21, 2025
Final Rejection mailed — §103, §112
Sep 16, 2025
Response after Non-Final Action
Oct 15, 2025
Request for Continued Examination
Oct 19, 2025
Response after Non-Final Action
Nov 25, 2025
Non-Final Rejection mailed — §103, §112
Feb 18, 2026
Response Filed
Jun 02, 2026
Final Rejection mailed — §103, §112 (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12664285
Asset Grouping Rules for Vulnerability Detection and Management in IT Systems
3y 8m to grant Granted Jun 23, 2026
Patent 12657282
INFERENCE WITH INLINE REAL-TIME ML MODELS IN APPLICATIONS
2y 9m to grant Granted Jun 16, 2026
Patent 12634688
HOME NETWORK INITIATED PRIMARY AUTHENTICATION/REAUTHENTICATION
4y 0m to grant Granted May 19, 2026
Patent 12632531
CREDENTIAL EXTENSION FOR DATA TRANSFER
3y 8m to grant Granted May 19, 2026
Patent 12632578
MULTI-NETWORK DATA MANAGEMENT USING CONTENT-BASED DATASETS AND DISTRIBUTED TAGGING
3y 6m to grant Granted May 19, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Strategy Recommendation AI-generated — please review before filing

Get a prosecution strategy drawn from examiner precedents, rejection analysis, and claim mapping.
Typically takes 5-10 seconds — AI-generated, attorney review required before filing

Prosecution Projections

5-6
Expected OA Rounds
76%
Grant Probability
99%
With Interview (+24.9%)
2y 7m (~0m remaining)
Median Time to Grant
High
PTA Risk
Based on 220 resolved cases by this examiner. Grant probability derived from career allowance rate.

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month