Nicira, Inc., Appeal No. 2020-003749 (P.T.A.B. Oct. 20, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE
UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS, P.O. Box 1450, Alexandria, Virginia 22313-1450, www.uspto.gov

APPLICATION NO.: 15/388,151
FILING DATE: 12/22/2016
FIRST NAMED INVENTOR: Sameer Kurkure
ATTORNEY DOCKET NO.: N423
CONFIRMATION NO.: 3038
152691 7590 10/20/2021
Setter Roche LLP, 1860 Blake Street, Suite 100, Denver, CO 80202
EXAMINER: TRAN, ELLEN C
ART UNIT: 2433
NOTIFICATION DATE: 10/20/2021
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding. The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on the above-indicated "Notification Date" to the following e-mail address(es): ipadmin@vmware.com, uspto@setterroche.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
BEFORE THE PATENT TRIAL AND APPEAL BOARD

Ex parte SAMEER KURKURE, SUBRAHMANYAM MANUGURI, ANIRBAN SENGUPTA, AMAN RAJ, KAUSHAL BANSAL, and SHADAB SHAH

Appeal 2020-003749
Application 15/388,151
Technology Center 2400

Before ERIC B. CHEN, NABEEL U. KHAN, and DAVID J. CUTITTA II, Administrative Patent Judges.
CHEN, Administrative Patent Judge.

DECISION ON APPEAL

STATEMENT OF THE CASE

Pursuant to 35 U.S.C. § 134(a), Appellant[1] appeals from the Examiner's decision to reject claims 1–20, all the claims pending in the application. We have jurisdiction under 35 U.S.C. § 6(b).

We REVERSE.

CLAIMED SUBJECT MATTER

The claims are directed to network firewalls that operate based on rules that define how a firewall should handle traffic passing through the firewall. (Abstract.)
Claim 1, reproduced below, is illustrative of the claimed subject matter, with disputed limitations in italics:

1. A method of reducing the number of rules employed by a network firewall, the method comprising:
identifying related rules of a plurality of rules used by the network firewall, wherein at least one of the plurality of rules comprise criteria of one or more compound groups that each identify a source or destination virtual machine based on at least a security group or a service group for the virtual machine and wherein two rules are related rules when there exists at least one network traffic pattern that can satisfy criteria for both of the rules, including criteria of one or more compound groups of at least one of the two rules;
identifying one or more ineffective rules of the related rules based on the relationships between the rules;
adjusting, in the network firewall, the one or more ineffective rules in the plurality of rules to reduce the number of ineffective rules in the plurality of rules used by the network firewall when handling network traffic exchanged with a plurality of virtual machines based on the plurality of rules; and
in the network firewall, after adjusting the one or more ineffective rules in the plurality of rules, applying the plurality of rules to the network traffic.

[1] We use the word "Appellant" to refer to "applicant" as defined in 37 C.F.R. § 1.42(a). Appellant identifies the real party in interest as VMware, Inc. and Nicira, Inc. (Appeal Br. 2.)

REFERENCES

Name            Reference            Date
Litvin et al.   US 2009/0249472 A1   Oct. 1, 2009
Pernicha        US 2016/0191466 A1   June 30, 2016

REJECTIONS

Claims 1–20 stand rejected under 35 U.S.C. § 103 as being unpatentable over Pernicha and Litvin.

OPINION

We are persuaded by Appellant's arguments (Appeal Br. 7; see also Reply Br. 2) that the combination of Pernicha and Litvin would not have rendered obvious independent claim 1, which includes the limitation "one or more compound groups that each identify a source or destination virtual machine based on at least a security group or a service group for the virtual machine."

The Examiner found that the firewall policies of Litvin for virtual machines correspond to the limitation "one or more compound groups that each identify a source or destination virtual machine based on at least a security group or a service group for the virtual machine." (Final Act. 6; see also Ans. 8.) Alternatively, the Examiner found that firewall policy rules of Pernicha, based upon the source IP address and the destination IP address, correspond to the limitation "one or more compound groups that each identify a source or destination virtual machine based on at least a security group or a service group for the virtual machine." (Ans. 8.)

We do not agree with the Examiner's findings.

Litvin relates to "firewalls for hosting systems with virtual machines." (¶ 2.) Litvin explains that "[w]hen a virtual machine is moved to a new host node, the firewall policies and connection data pertaining to that virtual machine are moved to the firewall of the new host node." (¶ 12.) Litvin further explains that "[t]he firewalls of some embodiments store connection data for allowed packets," in which connection data includes "information about the source address, destination address, source port, destination port, and the protocol of a packet." (¶ 14.)

Pernicha relates to "firewall and/or access control policy management and optimization of policy rules to enhance performance of policy rule processing." (¶ 3.) Pernicha explains "[m]ost firewalls enforce the policy according to 'first-match' semantics, wherein for each new IP connection, the firewall checks the rules one by one, according to their order in the rule-base, until it finds a rule that matches the new connection." (¶ 6.) Moreover, Pernicha explains "when two or more [firewall] rules are identified as being capable of being merged with each other by virtue of having the same source IP addresses, destination IP addresses, a common intended destination/department and/or any other relevant commonality." (¶ 43.)

Although the Examiner cited to either the firewall policies of Litvin or the firewall policy rules of Pernicha, the Examiner has provided insufficient evidence that the references teach the limitation "one or more compound groups that each identify a source or destination virtual machine based on at least a security group or a service group for the virtual machine." In particular, Litvin explains that firewall policies pertain to the "new host node" when a virtual machine is moved, with such firewall storing connection data (e.g., source address, destination address, source port, destination port), rather than firewall policies "based on at least a security group or a service group for the virtual machine," as recited in claim 1. Moreover, Pernicha explains that firewalls enforce a policy according to source and destination IP addresses, rather than firewall policies "based on at least a security group or a service group for the virtual machine," as recited in claim 1.
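The procedure claim 1 recites (find related rules, find the ineffective ones among them, remove them, then enforce the reduced rule-base) and the first-match semantics Pernicha describes can be made concrete. The Python below is an illustration added by the editor; it is not code from the application, the applicant, or either reference. Everything beyond the decision's own wording is an assumption: that a compound group lists required security groups and service groups and a VM matches when it belongs to all of them (an empty group matching any VM), that the rule-base is first-match with a default deny, that a traffic pattern is abstracted to (source VM, destination VM, destination port) over a finite port set, and all VM, group and rule names.

```python
# Added illustration, not the applicant's implementation. Assumed: compound
# group = required security groups + required service groups (AND semantics,
# empty = any VM); first-match rule-base with default deny; traffic pattern =
# (source VM, destination VM, destination port) over a finite port set.
from dataclasses import dataclass
from itertools import product
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Pattern = Tuple[str, str, int]  # (source VM, destination VM, destination port)


@dataclass(frozen=True)
class VM:
    name: str
    security_groups: FrozenSet[str]
    service_groups: FrozenSet[str]


@dataclass(frozen=True)
class CompoundGroup:
    """Identifies VMs by security-group and/or service-group membership."""
    security_groups: FrozenSet[str] = frozenset()
    service_groups: FrozenSet[str] = frozenset()

    def contains(self, vm: VM) -> bool:
        return (self.security_groups <= vm.security_groups
                and self.service_groups <= vm.service_groups)


@dataclass(frozen=True)
class Rule:
    name: str
    src: CompoundGroup
    dst: CompoundGroup
    ports: Optional[FrozenSet[int]]  # None means any destination port
    action: str                      # "allow" or "deny"

    def matches(self, t: Pattern, vms: Dict[str, VM]) -> bool:
        src, dst, port = t
        return (self.src.contains(vms[src]) and self.dst.contains(vms[dst])
                and (self.ports is None or port in self.ports))


def first_match(rules: List[Rule], t: Pattern, vms: Dict[str, VM], default: str = "deny") -> str:
    """First-match semantics: the first rule in order that the pattern satisfies decides."""
    for rule in rules:
        if rule.matches(t, vms):
            return rule.action
    return default


def traffic_universe(rules: List[Rule], vms: Dict[str, VM]) -> List[Pattern]:
    """Finite abstraction of all traffic: every VM pair times every port a rule names,
    plus one unnamed port so 'any port' rules are exercised beyond the named ones."""
    named = {p for r in rules if r.ports is not None for p in r.ports}
    ports = named | {max(named, default=0) + 1}
    return [(s, d, p) for s, d, p in product(vms, vms, sorted(ports))]


def related(a: Rule, b: Rule, universe: List[Pattern], vms: Dict[str, VM]) -> bool:
    """Claim 1's test: two rules are related when some traffic pattern satisfies both."""
    return any(a.matches(t, vms) and b.matches(t, vms) for t in universe)


def related_pairs(rules: List[Rule], universe: List[Pattern], vms: Dict[str, VM]) -> Set[Tuple[str, str]]:
    return {(a.name, b.name) for i, a in enumerate(rules)
            for b in rules[i + 1:] if related(a, b, universe, vms)}


def reduce_rules(rules: List[Rule], vms: Dict[str, VM]) -> Tuple[List[Rule], List[Rule]]:
    """Drop ineffective rules: related rules whose removal changes no first-match decision
    (shadowed by an earlier rule, or merely restating an outcome already produced). The
    check is repeated after every removal so two rules that duplicate each other are
    not both dropped."""
    universe = traffic_universe(rules, vms)
    kept, removed = list(rules), []
    i = 0
    while i < len(kept):
        candidate, trial = kept[i], kept[:i] + kept[i + 1:]
        if (any(related(candidate, other, universe, vms) for other in trial)
                and all(first_match(kept, t, vms) == first_match(trial, t, vms) for t in universe)):
            removed.append(candidate)
            kept = trial
        else:
            i += 1
    return kept, removed


def _cg(sec=(), svc=()) -> CompoundGroup:
    return CompoundGroup(frozenset(sec), frozenset(svc))


# Constructed inventory and rule-base; all names are invented for the illustration.
VMS = {vm.name: vm for vm in [
    VM("web1", frozenset({"web"}), frozenset({"http"})),
    VM("web2", frozenset({"web"}), frozenset({"http"})),
    VM("app1", frozenset({"app"}), frozenset({"api"})),
    VM("db1", frozenset({"db"}), frozenset({"mysql"})),
    VM("mgmt1", frozenset({"mgmt"}), frozenset()),
]}
ANY = CompoundGroup()
RULES = [
    Rule("R1-web-ingress", ANY, _cg(sec={"web"}), frozenset({80, 443}), "allow"),
    Rule("R2-web-to-db-deny", _cg(sec={"web"}), _cg(sec={"db"}), None, "deny"),
    Rule("R3-app-to-mysql", _cg(sec={"app"}), _cg(svc={"mysql"}), frozenset({3306}), "allow"),
    # Shadowed: every pattern it matches is already denied by R2, so it never fires.
    Rule("R4-web-to-db-allow", _cg(sec={"web"}, svc={"http"}), _cg(sec={"db"}), frozenset({3306}), "allow"),
    # Redundant only through group membership: the "http" service VMs are exactly the
    # "web" security-group VMs, and R1 already allows port 80 to them.
    Rule("R5-http-80", ANY, _cg(svc={"http"}), frozenset({80}), "allow"),
    Rule("R6-mgmt-ssh", _cg(sec={"mgmt"}), ANY, frozenset({22}), "allow"),
]


def demo() -> Tuple[List[str], List[str]]:
    kept, removed = reduce_rules(RULES, VMS)
    return [r.name for r in kept], [r.name for r in removed]


if __name__ == "__main__":
    print("related pairs:", sorted(related_pairs(RULES, traffic_universe(RULES, VMS), VMS)))
    kept, removed = demo()
    print("removed ineffective rules:", removed)
    print("reduced rule-base:", kept)
```

Run as a script it reports R1/R5 and R2/R4 as the related pairs and removes R4 and R5, leaving a four-rule base that gives the same answer as the original for every pattern in the universe. Two points a practitioner would check: the equivalence test is re-run after each removal, because two rules that each duplicate the other are individually but not jointly removable; and, following the claim's scoping of ineffective rules to related rules, a rule related to nothing else is never a candidate even when (as with a trailing deny under a default-deny policy) it could also never change an outcome.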
On this record, neither Litvin nor Pernicha teaches the limitation "one or more compound groups that each identify a source or destination virtual machine based on at least a security group or a service group for the virtual machine." Accordingly, we are persuaded by Appellant's arguments, as follows:

    However, Litvin merely discloses firewall rules defined in a manner similar to those for the physical network elements . . . None of the firewall rules in Litvin identify a source or destination virtual machine based on at least a security group or a service group for the virtual machine, as required by claim 1. Nothing in the connection data identifies the source and/or destination virtual machines based on anything analogous to a security group or a service group for those virtual machines. In fact, the connection data does not identify a source or destination based on a group of any kind.

(Appeal Br. 7.)

    Pernicha and Litvin disclose firewall rules that identify a source or destination virtual machine based on the IP address of that virtual machine rather than based on a security or service group for the virtual machine, as is required by claim 1.

(Reply Br. 2.)

Thus, we do not sustain the rejection of independent claim 1 under 35 U.S.C. § 103.

Claims 2–10 depend from claim 1. We do not sustain the rejection of claims 2–10 under 35 U.S.C. § 103 for the same reasons discussed with respect to claim 1.

Independent claim 11 recites limitations similar to those discussed with respect to claim 1. We do not sustain the rejection of claim 11, as well as dependent claims 12–20, for the same reasons discussed with respect to claim 1.

CONCLUSION

The Examiner's decision rejecting claims 1–20 under 35 U.S.C. § 103 is reversed.

DECISION

In summary:

Claims Rejected   35 U.S.C. §   Reference(s)/Basis   Affirmed   Reversed
1–20              103           Pernicha, Litvin                1–20
Overall Outcome                                                 1–20

REVERSED