Prosecution Insights
Last updated: April 19, 2026
Application No. 18/743,481

Firewall System With Application Identifier Based Rules

Non-Final OA §103 §112 §DP
Filed: Jun 14, 2024
Examiner: HARRIS, CHRISTOPHER C
Art Unit: 2432
Tech Center: 2400 — Computer Networks
Assignee: Comcast Cable Communications LLC
OA Round: 1 (Non-Final)
Grant Probability: 76% (Favorable)
OA Rounds: 1-2
To Grant: 2y 10m
With Interview: 99%

Examiner Intelligence

Grants 76% — above average
Career Allow Rate: 76% (275 granted / 362 resolved), +18.0% vs TC avg
Strong +26% interview lift
Interview Lift: +26.2% (resolved cases with interview)
Typical timeline
Avg Prosecution: 2y 10m (21 currently pending)
Career history
Total Applications: 383 (across all art units)

Statute-Specific Performance

§101: 14.2% (-25.8% vs TC avg)
§103: 38.4% (-1.6% vs TC avg)
§102: 14.5% (-25.5% vs TC avg)
§112: 24.4% (-15.6% vs TC avg)
Based on career data from 362 resolved cases

Office Action

§103 §112 §DP
Notice of Pre-AIA or AIA Status

The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA. In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

DETAILED ACTION

Remarks

This action is in response to communications filed on 01/21/2026, claims 2, 5, 7 and 9 are amended per Applicant's request. Therefore, claims 1-20 are presently pending in the application and have been considered as follows.

Election/Restrictions

Applicant's election with traverse of Group 1 in the reply filed on 01/21/2026 is acknowledged. The traversal is on the ground(s) why there would be a serious search and/or examination burden on the examiner if restriction is not required and the applicant further argues that a search for claims of either group would be relevant to the other group and the search is unlikely to be in different fields. This is not found persuasive because at least for the reasons that the applicant does not admit the inventions are obvious variants and there is nothing on the record to indicate that they are. Furthermore, Group I requires firewall rules specifically associated with an application's source and destination identifiers and Group II focuses on processing rules based on a token. The specification discloses that the token provides a second-level verification involving expiration features such that the token is valid during a time period and/or may be a repeatable hash value generated from the IP address or network location identifier provided by the application. Searching for application identifiers would require a clearly distinct search and consideration as opposed to a search for secondary verification tokens derived from network addresses. Therefore, examining both in a single application would impose a serious search and examination burden in addition to failure to admit that the inventions are obvious variants. The requirement is still deemed proper and is therefore made FINAL.

Information Disclosure Statement

The information disclosure statement (IDS) submitted on 01/14/2025 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP §§ 706.02(l)(1) - 706.02(l)(3) for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).

The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-14 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-23 of U.S. Patent No. 12,052,220 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the instant application is a broader variation of the patent application as indicated in the table below.

Instant Application 18743481:
1. A method comprising: receiving, by a firewall device from a first computing device, a packet comprising: a source application identifier of a first application being executed on the first computing device, and a destination application identifier of a second application; and sending, by the firewall device based on a firewall rule, the packet to a second computing device, wherein the firewall rule is associated with the source application identifier and the destination application identifier.

U.S. Patent No. 12,052,220 B2:
1. A non-transitory computer-readable medium storing instructions that, when executed, configure a computing device to: receive, from a first firewall service, a data packet comprising a source application identifier and a destination application identifier; verify that the data packet originates from a source application indicated by the source application identifier; after verifying that the data packet originates from the source application, determine a firewall rule for processing the data packet; configure the first firewall service to execute the firewall rule to process, based on the source application identifier, the data packet; and send the firewall rule to a second firewall service that is associated with a destination application identified by the destination application identifier.

Claims 1-14 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-19 of U.S. Patent No. 11,546,300 B2. Although the claims at issue are not identical, they are not patentably distinct from each other because the instant application is a broader variation of the patent application as indicated in the table below.

Instant Application 18743481:
1. A method comprising: receiving, by a firewall device from a first computing device, a packet comprising: a source application identifier of a first application being executed on the first computing device, and a destination application identifier of a second application; and sending, by the firewall device based on a firewall rule, the packet to a second computing device, wherein the firewall rule is associated with the source application identifier and the destination application identifier.

U.S. Patent No. 11,546,300 B2:
1. A method comprising: receiving, by a computing device and from a first firewall service, a data packet comprising a source application identifier and a destination application identifier; verifying that the data packet originates from a source application indicated by the source application identifier; after verifying that the data packet originates from the source application, determining a firewall rule for processing the data packet; configuring the first firewall service to execute the firewall rule to process the data packet from the source application based on the source application identifier; and sending, by the computing device, the firewall rule to a second firewall service that is associated with a destination application identified by the destination application identifier.

Claim Rejections - 35 USC § 112

The following is a quotation of 35 U.S.C. 112(b):

(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claim 12 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.

Regarding claim 12, the limitation directed to “wherein the packet further comprises a first destination address associated with second computing device” lacks antecedent basis. Specifically, this element, second computing device, has been previously introduced in base claim 8.

Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-3, 5-10 and 12-14 are rejected under 35 U.S.C. 103 as being unpatentable over US 20192096978 to SESHADRI et al. (hereinafter “Seshardi”) in view of US 20190253388 to Verma et al. (hereinafter “Verma”)

Claim 1

Seshardi teaches a method [e.g. Seshardi; Claim 13, Para. 0013, 0095 – Seshardi discloses a method] comprising:

receiving, by a firewall device from a first computing device, a packet [e.g. Seshardi; Claim 13, Para. 0013, 0019-0022, 0055, 0056, 0063, 0095 – Seshardi discloses receiving communication (e.g. packet) from a source application executing on a computing resource (e.g. computing device) by a security device (e.g. firewall).] comprising:

a source application identifier of a first application being executed on the first computing device, [e.g. Seshardi; Claim 13, Abstract, Para. 0015-0018, 0023, 0027 – Seshardi discloses a source application identified by an application resource tag (e.g. source application identifier).] and

a destination application identifier of a second application; [e.g. Seshardi; Claim 13, Abstract, Para. 0015-0018, 0023, 0027 – Seshardi discloses a destination application identified by an application resource tag (e.g. destination application identifier).] and

sending, by the firewall device based on a firewall rule, the packet to a second computing device, wherein the firewall rule is associated with the source application identifier and the destination application identifier. [e.g. Seshardi; Claim 13, Abstract, Para. 0013, 0037-0040, 0042, 0047 – Seshardi routing communication between source and destination applications based on policy information (e.g. firewall rule) wherein the rule is associated with both source and destination application tags (e.g. identifiers).]

While Seshardi teaches the method of claim 1 and teaches using source and destination application identifiers as a basis for firewall rule implementation across cloud environments Seshardi fails to teach that the identifiers of the application are contained within the packet explicitly thus Seshardi fails to explicitly teach however, Verma teaches the utilization of Next Generation Firewalls (NGFW) monitor and extracting application identifiers from packets associated with communication traffic between a sender and destination [e.g. Verma; Abstract, Para. 0030, 0034, 0043, 0073, 0081, 0168 – Verma discloses performing stateful packet inspection by a NGFW device and extracting application IDs from the monitored packets directly.]

Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include, the above limitations in the invention as disclosed by Seshardi with the advantage of utilizing identification technology by a NGFW to allow enterprises to securely enable application usage using business-relevant concepts, instead of following the traditional approach offered by traditional port-blocking firewalls as disclosed in paragraph 0034. Specifically, improving the ability to accurately and dynamically identify a large number of applications across the different cloud environments of Seshardi (e.g. 00049 the policy enforcer platform may handle hundreds, thousands, millions, etc. of different applications).

Claim 2

Seshardi and Verma teach the method of claim 1, wherein the firewall device and the first computing device belong to a network, and wherein the method further comprises: determining whether packets are permitted into or out of the network. [e.g. Seshardi; Claim 13, Abstract, Para. 0013, 0039, 0040, 0063 – Seshardi discloses a security device protecting communication (e.g. packet) entering and leaving cloud computing environment (e.g. network) based on policy information.] [e.g. Verma; Abstract, Para. 0028-0030, 0034, 0043, 0056, 0059, 0073, 0081, 0168 – Verma discloses performing stateful packet inspection by a NGFW device and extracting application IDs from the monitored packets directly.]

Claim 3

Seshardi and Verma teach the method of claim 1, wherein the firewall rule indicates that packets comprising the source application identifier and the destination application identifier are allowed, and wherein the sending the packet comprises: determining, based on the firewall rule, to allow the packet to be sent to the second computing device. [e.g. Seshardi; Claim 13, Abstract, Para. 0013, 0037-0040, 0042, 0047 – Seshardi discloses the policy information (e.g. firewall rule) indicate source and destination application tags (e.g. application identifiers) including actions (e.g. determining to allow) for sending packets to a destination (e.g. second computing device).] [e.g. Verma; Abstract, Para. 0028-0030, 0034, 0043, 0056, 0059, 0073, 0081, 0168 – Verma discloses performing stateful packet inspection by a NGFW device and extracting application IDs from the monitored packets directly.]

Claim 5

Seshardi and Verma teach the method of claim 1, wherein the packet further comprises a first source address associated with the first computing device, and wherein the method further comprises: receiving, by the firewall device from a third computing device, a second packet, wherein the second packet comprises: the source application identifier, the destination application identifier, and a second source address associated with the third computing device, wherein the second source address is different from the first source address; and sending, by the firewall device based on the firewall rule, the second packet to the second computing device. [e.g. Seshardi; Claim 13, Abstract, Fig. 1F, 1G Para. 0015, 0041 – Seshardi discloses a dynamic address group for a specific application (e.g. source application with source identifier) that comprises a list of IP addresses (e.g. computing devices with different source address (e.g. first, second, etc.) and communication (e.g. sending packets) to destination application (e.g. application hosted on second computing device.)] [e.g. Verma; Abstract, Para. 0028-0030, 0034, 0043, 0056, 0059, 0073, 0081, 0168 – Verma discloses performing stateful packet inspection by a NGFW device and extracting application IDs from the monitored packets directly.]

Claim 6

Seshardi teaches the method of claim 1, wherein the second application is being executed on the second computing device. [e.g. Seshardi; Claim 13, Abstract, Para. 0015-0017, 0057 – Seshardi discloses applications are executed on computing resources in cloud domains.]

Claim 7

While Seshardi teaches the method of claim 1 Seshardi fails to explicitly teach however, Verma teaches: sending, to a firewall controller based on the firewall rule not being stored in the firewall device, a rule verification request, wherein the rule verification request comprises at least one of: the source application identifier, the destination application identifier, an address associated with the first application, or a token associated with the first application; and receiving, from the firewall controller, the firewall rule. [e.g. Verma; Abstract, Para. 0002, 0040, 0041, 0045, 0049, 0076, 0082 – Verma discloses querying for policy information, previously referred to as rules for a firewall, for new subscribers (e.g. rules not stored) IP flow (e.g. address associated with the first application).]

Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include, the above limitations in the invention as disclosed by Seshardi with the advantage of ensuring real-time enforcement of security policies through an active querying for rules associated with new instances of applications run in the system of Seshadri in addition to pushing policies from the policy enforcer platform.

EXAMINER NOTE: It is noted the limitation “based on the firewall rule not being stored in the firewall device” is a conditional step that does not need to be performed. While the examiner has mapped the feature explicitly to the prior art, any prior art, such as Seshardi, that stores the firewall rules will read on the claim as the condition does not need to be met as drafted by the claim.

Regarding claims 8-10 and 12-14 they are method claims (directed to the destination) essentially corresponding to the above recitations, and they are rejected, at least, for the same reasons as the combination fully discloses processing at the destination location using the same techniques.

Claims 4 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over US 20192096978 to SESHADRI et al. (hereinafter “Seshardi”) in view of US 20190253388 to Verma et al. (hereinafter “Verma”) in view of NPL “A Universally Unique IDentifier (UUID) URN Namespace” to Leach et al (hereinafter “Leach”)

Claim 4

While the combination teaches the method of claim 1 the combination fails to explicitly teach however, Leach teaches: wherein the source application identifier is generated, based on a universally unique identifier of the first application, and assigned to the first application. [e.g. Leach; Abstract, Entire Document - Leach discloses it being old and well-known to provide UUIDs for namespaces]

Therefore, it would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to include, the above limitations in the invention as disclosed by the combination with the advantage that no centralized authority is required to administer them and since UUIDs are unique and persistent, they make excellent Uniform Resource Names. The unique ability to generate a new UUID without a registration process allows for UUIDs to be one of the URNs with the lowest minting cost as disclosed on page 3 section 2 “Motivation” of Leach.

Regarding claims 11 they are method claims (directed to the destination) essentially corresponding to the above recitations, and they are rejected, at least, for the same reasons as the combination fully discloses processing at the destination location using the same techniques.

Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHRISTOPHER C HARRIS whose telephone number is (571)270-7841. The examiner can normally be reached Monday through Friday between 8:00 AM to 4:00 PM CST.

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey L Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/CHRISTOPHER C HARRIS/
Primary Examiner, Art Unit 2432

Prosecution Timeline

Jun 14, 2024: Application Filed
Mar 07, 2026: Non-Final Rejection — §103, §112, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

Patent 12602467
In-memory scan for threat detection with binary instrumentation backed generic unpacking, decryption, and deobfuscation
2y 5m to grant Granted Apr 14, 2026
Patent 12585746
AUTHENTICATION SYSTEM, USER DEVICE, AND KEY INFORMATION TRANSMISSION METHOD
2y 5m to grant Granted Mar 24, 2026
Patent 12580915
SERVICE ACCESS METHOD AND APPARATUS
2y 5m to grant Granted Mar 17, 2026
Patent 12572668
DATA SECURITY USING REQUEST-SUPPLIED KEYS
2y 5m to grant Granted Mar 10, 2026
Patent 12561460
System And Method for Performing Security Analyses of Digital Assets
2y 5m to grant Granted Feb 24, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

Prosecution Projections

Expected OA Rounds: 1-2
Grant Probability: 76%
With Interview (+26.2%): 99%
Median Time to Grant: 2y 10m
PTA Risk: Low
Based on 362 resolved cases by this examiner. Grant probability derived from career allow rate.
