DETAILED ACTION
This Office Action is in response to the application 18/773972, filed on 07/16/2024.
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-20 have been examined and are pending in this application. Claims 1, 12, and 20 are independent.
Priority/Continuity
No priority claimed.
Information Disclosure Statement
The information disclosure statements (IDS), submitted on 10/23/2024, 12/05/2013, 02/06/2025, 08/22/2025, 10/21/2025, 10/23/2025, and 11/19/2025, are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the Examiner.
Claim Objections
Claims 7 and 8 are objected to because of the following informalities:
As to claim 7, the claim recites the acronyms "JSON" and "DNS" without spelling them out in full at their first occurrence.
As to claim 8, the claim recites the acronym "API" without spelling it out in full at its first occurrence.
Appropriate correction is required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
This application currently names joint inventors. In considering patentability of the claims the Examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the Examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1-7 and 11-20 are rejected under 35 U.S.C. 103 as being unpatentable over Chanak et al (“Chanak,” US 2023/0247003, published on 08/03/2023), in view of Gummaraju et al (“Gummaraju,” US 2018/0034858, published on 02/01/2018).
As to claim 1, Chanak teaches a method for triggering provisioning of cloud-based security through a network firewall (Chanak: pars 0006-0007, 0046-0048, system and method for zero trust private application access applying an access control that includes a cloud-based firewall, cloud-based intrusion detection, filtering, etc.), the method comprising:
receiving, by an access control service, a request by an end-user device to access a private network via a firewall connector coupled with the network firewall (Chanak: pars 0006-0007, 0045, 0090, the user creates a secure connection through a firewall, to a VPN device located in the cloud-based system, for accessing zero trust private application access, where the system receives a request from a user to access a private application in the government/enterprise network);
verifying, by the access control service, authorization of the end-user device to access the private network (Chanak: pars 0006-0007, 0045, users can only see the specific applications allowed by policy. Determining if the user meets one or more requirements, evaluating one or more access policies for the user);
evaluating, by the access control service, device characteristics of the end-user device; applying, by the access control service, application control policies based on the device characteristics (Chanak: pars 0006-0007, 0061, 0055, 0085, a Zero Trust Network Access (ZTNA) application utilizing the cloud-based system. Zero trust policies verify access requests and rights based on various information, including user identity, device, location, security posture of the endpoint device [i.e., device characteristics]);
evaluating, by the access control service, Zero Trust Network Access (ZTNA) policies based on the device characteristics and application configured application control policies (Chanak: pars 0006-0007, 0061, 0055, 0085, a Zero Trust Network Access (ZTNA) application utilizing the cloud-based system. Zero trust policies verify access requests and rights based on various information, including user identity, device, location, security posture of the endpoint device [i.e., device characteristics]);
generating, by the access control service, a unique session token when the request is approved; providing, by the access control service, the unique session token to the firewall connector (Chanak: pars 0006-0007, 0085, 0110, 0163, a Zero Trust Network Access (ZTNA) application utilizing the cloud-based system 100. For ZTNA, the cloud-based system can dynamically create a connection. Once authorization is determined, the central authority uses a session ID or token/unique token [i.e., unique session token] binding the authentication for the connector to stitch the connection using the token); and
forming, by the access control service, a connector tunnel that establishes a secure connection between the end-user device and the private network (Chanak: pars 0006-0007, 0085, initiating a connection between the user and the application based on the one or more access policies, the connection between the user and the application being via an application connector. Using Zero Trust Network Access (ZTNA), the cloud-based system dynamically creates a connection through a secure tunnel between an endpoint that is remote and an on-premises connector).
While Chanak teaches applying policies, Chanak does not teach that the policies are configured; thus, Chanak does not explicitly teach the limitation "configured application control policies."
However, in an analogous art, Gummaraju teaches configured application control policies (Gummaraju: pars 0044-0045, relevant authorization policies are used [i.e., configuration of policies] to recognize resource-level privileges and enforce resource-level rules at the destination resource. The security policies may be obtained from one or more security systems and/or identified based on one or more type groups in which the client resource is classified [i.e., another example of configuration of policies]).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Gummaraju with the method/system of Chanak to include the limitation "configured application control policies," where one would have been motivated by the benefit of configuring the one or more policies that are relevant/required for a specific access request (Gummaraju: pars 0044-0045).
As to claim 2, the combination of Chanak and Gummaraju teaches the method for triggering provisioning of claim 1,
Chanak further teaches wherein the access control service is a cloud-based service of a centralized management platform, and further comprising managing, by the centralized management platform, the access control service to provide administrators to manage and monitor end-user devices from a single interface, configure firewall policies, and view real-time reporting and analytics on network activity (Chanak: pars 0007, 0045-0046, 0071, 0085, the centralized control performs license management, reducing configuration complexity, and applies policies/firewalls in the private network. The connection between the user and the application is via an application connector).
As to claim 3, the combination of Chanak and Gummaraju teaches the method for triggering provisioning of claim 1,
Chanak further teaches further comprising: receiving, from the firewall connector, periodic requests to get updates on connector configuration; and sending, to the firewall connector, updates about connector tunnel performance and availability (Chanak: pars 0007, 0085, the connection between the user and the application is via an application connector; the system dynamically creates a connection through a secure tunnel to an endpoint. The connection between the cloud-based system and the on-premises connector is dynamic, on-demand, and orchestrated by the cloud-based system).
As to claim 4, the combination of Chanak and Gummaraju teaches the method for triggering provisioning of claim 1,
Chanak further teaches further comprising: provisioning a child tenant associated with the end-user device for a managed service provider; assigning customer access rights to the child tenant; and managing product licenses for the child tenant (Chanak: pars 0048, 0050, 0051, the cloud-based system is multi-tenant and can service multiple tenants, with each tenant having its own users, configuration, policy, rules, etc., and a tenant is a group of users who share a common access with specific privileges).
As to claim 5, the combination of Chanak and Gummaraju teaches the method for triggering provisioning of claim 4,
Chanak further teaches further comprising: requesting to register, through a browser, the managed service provider and the child tenant through the access control service; requesting to provision the managed service provider with a centralized management platform; after the managed service provider is successfully provisioned, provisioning the child tenant with the centralized management platform; creating administrators for the managed service provider; assigning one or more of the administrators to the child tenant; and sending provisioning status to the browser (Chanak: pars 0045-0046, 0050, 0071, 0085, the centralized control performs license management, reducing configuration complexity, and applies policies/firewalls in the private network of the enterprise system. The cloud-based system is multi-tenant and can service multiple tenants, and a tenant is a group of users who share a common access with specific privileges).
As to claim 6, the combination of Chanak and Gummaraju teaches the method for triggering provisioning of claim 1,
Chanak further teaches further comprising: after the end-user device is successfully provisioned with a centralized management platform, activating the firewall connector; and receiving, by a license manager, a request from the firewall connector to initiate connector provisioning (Chanak: pars 0007, 0045-0046, 0071, 0085, the centralized control performs license management, reducing configuration complexity, and applies policies/firewalls in the private network. The connection between the user and the application is via an application connector).
As to claim 7, the combination of Chanak and Gummaraju teaches the method for triggering provisioning of claim 6,
Chanak and Gummaraju further teach further comprising: requesting, by the firewall connector, a license through the license manager; sending to the license manager a list of local network routes and private DNS domains; and provision JSON specifications in the centralized management platform for the firewall connector (Chanak: pars 0045-0046, 0071, 0085, the centralized control performs license management, reducing configuration complexity, and applies policies/firewalls in the private network of the enterprise system, involving Domain Name System (DNS) filtering and security. Gummaraju: par 0079, the security policies and the tokens involve a JavaScript Object Notation (JSON) mechanism).
As to claim 11, the combination of Chanak and Gummaraju teaches the method for triggering provisioning of claim 1,
Chanak and Gummaraju further teach wherein the connector tunnel uses WireGuard peering (Chanak: pars 0062, 0065, private networks (enterprise networks) with direct user-to-app and app-to-app connections. Gummaraju: par 0079, the network environment is created using a peer device connection).
As to claim 12, the claim is directed to a system, and the scope of the claim limitations is similar to that of claim 1; therefore, it is rejected for the same reasons set forth above for claim 1.
As to claims 13-19, the claims are similar to claims 2-7 and 11, respectively, and are rejected for the same reasons set forth above for claims 2-7 and 11.
As to claim 20, the claim is directed to a computer readable storage medium, and the scope of the claim limitations is similar to that of claim 1; therefore, it is rejected for the same reasons set forth above for claim 1.
Allowable Subject Matter
Claims 8-10 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The present invention is directed to a method and system for triggering provisioning of cloud-based security through a network firewall. Triggering provisioning includes an access control service verifying authorization of the end-user device to access the private network and evaluating device characteristics of the end-user device, applying configured application control policies based on the device characteristics, evaluating Zero Trust Network Access (ZTNA) policies based on the device characteristics and application configured application control policies, generating a unique session token when the request is approved, providing the unique session token to the firewall connector, and forming a connector tunnel that establishes a secure connection between the end-user device and the private network.
The Examiner concludes that neither Chanak nor Gummaraju, nor any other art of record, teaches or suggests, alone or in combination, the particular combination of steps or elements recited in dependent claim 8, as a whole, including the limitations of the preceding claims and independent claim 1. Therefore, claim 8 is considered allowable over the cited prior art.
Dependent claims 9 and 10 are also considered allowable over the cited prior art, as they depend from allowable claim 8. The allowable dependent claims 8-10 are objected to as they depend on the associated rejected claims, which are rejected above, and would be considered allowable if claim 8 is rewritten in independent form including all of the limitations of the associated preceding claims 1, 6, and 7.
Conclusion
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to Jahangir Kabir, whose telephone number is (571) 270-3355. The Examiner can normally be reached Monday through Thursday, 9:00-5:00.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner's supervisor, Luu Pham, can be reached at (571) 270-5002. The fax number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from Patent Center and the Private Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from Patent Center or Private PAIR. Status information for unpublished applications is available through Patent Center and Private PAIR for authorized users only. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicant is encouraged to use the USPTO Automated Interview Request (AIR) Form at https://www.uspto.gov/patents/uspto-automated-interview-request-air-form.
/JAHANGIR KABIR/ Primary Examiner, Art Unit 2439