3:20-cv-03343
Fortinet Inc v. Forescout Tech Inc
I. Executive Summary and Procedural Information
- Parties & Counsel:
  - Plaintiff: Fortinet, Inc. (Delaware)
  - Defendant: Forescout Technologies, Inc. (Delaware)
  - Plaintiff’s Counsel: Skadden, Arps, Slate, Meagher & Flom LLP
- Case Identification: 3:20-cv-03343, N.D. Cal., 12/02/2020
- Venue Allegations: Plaintiff alleges venue is proper in the Northern District of California because Defendant resides there, maintains its headquarters, regularly conducts business, and committed the alleged acts of patent infringement in the district.
- Core Dispute: Plaintiff alleges that Defendant’s network access control products infringe five patents related to cybersecurity, network management, and security automation.
- Technical Context: The patents address various aspects of network access control (NAC) and security information and event management (SIEM), technologies critical for managing and securing corporate networks against threats from a growing number of diverse devices, including employee-owned and guest devices.
- Key Procedural History: The complaint states that Plaintiff attempted to initiate licensing discussions with Defendant on February 27, 2020, and subsequently identified specific patents-in-suit to Defendant's counsel during an April 24, 2020 phone call, several months before the filing of the amended complaint. These pre-suit communications are cited as a basis for willfulness allegations.
Case Timeline
| Date | Event | 
|---|---|
| 2008-06-10 | U.S. Patent No. 9,369,299 Priority Date | 
| 2009-10-30 | U.S. Patent No. 8,458,314 Priority Date | 
| 2013-06-04 | U.S. Patent No. 8,458,314 Issue Date | 
| 2014-03-17 | U.S. Patent No. 9,503,421 Priority Date | 
| 2014-05-21 | U.S. Patent No. 9,894,034 Priority Date | 
| 2015-07-31 | U.S. Patent No. 9,948,662 Priority Date | 
| 2016-06-14 | U.S. Patent No. 9,369,299 Issue Date | 
| 2016-11-22 | U.S. Patent No. 9,503,421 Issue Date | 
| 2018-02-13 | U.S. Patent No. 9,894,034 Issue Date | 
| 2018-04-17 | U.S. Patent No. 9,948,662 Issue Date | 
| 2020-02-27 | Fortinet initiates licensing discussions with Forescout | 
| 2020-12-02 | Complaint Filing Date | 
II. Technology and Patent(s)-in-Suit Analysis
U.S. Patent No. 8,458,314 - "System and method for offloading IT network tasks," issued June 4, 2013
The Invention Explained
- Problem Addressed: The patent's background describes the significantly increased workload on IT administrators resulting from the proliferation of mobile devices and a more mobile user population, making it difficult to configure, add, and permission each new network item individually (’314 Patent, col. 1:19-24). It notes that as organizational silos fade, static security policies become less effective and harder to maintain (’314 Patent, col. 1:51-57).
- The Patented Solution: The invention proposes a system to offload or delegate network management tasks from a central IT administrator to non-IT personnel, termed "Sponsors" (e.g., department heads) (’314 Patent, col. 1:11-15). This is achieved by creating "Templates" that define an IT task (like allowing guest access) and "Profiles" that define the scope of a Sponsor's control. By associating specific Templates and Profiles with a Sponsor, the system grants that Sponsor limited, constrained administrative privileges to manage certain users and devices, thereby distributing the workload (’314 Patent, col. 1:65-2:10; Fig. 1).
- Technical Importance: The technology provides a structured framework for securely delegating administrative tasks, which addresses the scalability challenges faced by centralized IT departments in the "Bring Your Own Device" (BYOD) era (’314 Patent, col. 1:36-41).
Key Claims at a Glance
- The complaint asserts at least independent claim 1 (Compl. ¶44, ¶51).
- Claim 1 is a method for delegating control of computer network resources from a network administrator to a sponsor, with the essential elements comprising:
  - creating templates for users and devices
  - creating profiles used to control network resources
  - associating the templates with the profiles
  - creating at least one sponsor
  - associating at least one of the profiles with the sponsor
  - delegating network management administrative privileges to the sponsor
  - transferring responsibility for users and devices to the sponsor when a template is associated with the sponsor's profile
  - controlling network resources by the sponsor using the assigned templates, where the sponsor's control is constrained by the associated profile and the sponsor does not have full administrative privileges
- The complaint reserves the right to assert additional claims (Compl. ¶7).
U.S. Patent No. 9,369,299 - "Network access control system and method for devices connecting to network using remote access control methods," issued June 14, 2016
The Invention Explained
- Problem Addressed: The patent's background explains that as computer communications involve more remote access methods like VPNs, the need for complex access control increases (’299 Patent, col. 1:23-27). It notes that existing solutions relying "solely on user authentication" are insufficient to protect an internal network, as they fail to ensure that the connecting devices meet the company's policy requirements (’299 Patent, col. 1:34-42).
- The Patented Solution: The invention describes a system for "out-of-band" control of network access, meaning it is not in the direct data path of network traffic (’299 Patent, col. 1:55-57, col. 3:38-40). The system is "RAD-agnostic," meaning it is vendor-independent and can work with various remote access devices (RADs) like VPNs or dial-up servers (’299 Patent, col. 10:9-13). A central Network Access Control Server (NACS) communicates with the RAD to make real-time configuration changes, such as applying a network access filter (NAF) to restrict a device's access until an agent on the device can verify its compliance with security policies (’299 Patent, Abstract).
- Technical Importance: This approach provides a more versatile and secure NAC system by decoupling control from the data path and enabling vendor-agnostic policy enforcement on the device itself, not just the user account (’299 Patent, col. 1:38-46).
Key Claims at a Glance
- The complaint asserts at least independent claim 1 (Compl. ¶59, ¶66).
- Claim 1 is a system for out-of-band control of network access, with the essential elements comprising:
  - a network with a server device and terminal device
  - at least one remote access device (RAD)
  - a Network Access Control Server (NACS) that controls network access "out of band"
  - the enforcement is accomplished on the RAD via real-time configuration changes, making it "RAD-agnostic"
  - the NACS receives a connect attempt, the RAD authenticates the user to the NACS, and the NACS captures RAD information
  - access is restricted with a network access filter (NAF) configured on the RAD
  - the RAD directs the client device to an agent, which runs on the device and identifies the client to the NACS
  - the NAF is modified based on compliance
  - post-connection monitoring occurs
- The complaint reserves the right to assert additional claims (Compl. ¶7).
Multi-Patent Capsule
U.S. Patent No. 9,948,662 - "Providing security in a communication network," issued April 17, 2018
- Technology Synopsis: The patent addresses the system performance degradation caused by applying all security features to all network traffic indiscriminately (Compl. ¶35). The solution is a method to selectively disable a subset of security features for traffic streams directed to an external network that is determined to be trusted, thereby optimizing resource utilization and improving performance (’662 Patent, col. 1:55-58; Compl. ¶35).
- Asserted Claims: At least independent claim 1 (Compl. ¶74).
- Accused Features: The complaint alleges that Forescout's products, which can define "Legitimate Traffic" based on parameters like source/destination address and then disable features such as "Threat Protection" based on traffic type, practice the claimed invention (Compl. ¶82).
U.S. Patent No. 9,894,034 - "Automated Configuration of Endpoint Security Management," issued February 13, 2018
- Technology Synopsis: The patent addresses the inconvenience of requiring users to manually change the configuration of their device's security application when moving between different network environments (e.g., corporate office vs. public Wi-Fi) (Compl. ¶37). The solution is a client security application that automatically determines its network connection state (e.g., "on-net" vs. "off-net") with respect to a private network, selects a configuration based on that state, and launches appropriate security functions (’034 Patent, Abstract; Compl. ¶37).
- Asserted Claims: At least independent claim 1 (Compl. ¶89).
- Accused Features: The complaint alleges that Forescout's SecureConnector agent, running on a client device, infringes by determining its connection state relative to a network managed by a Forescout/CounterACT appliance and automatically selecting and launching a configuration with functions like web filtering and anti-virus scanning (Compl. ¶97).
U.S. Patent No. 9,503,421 - "Security Information and Event Management," issued November 22, 2016
- Technology Synopsis: The patent addresses the challenge of coordinating security tasks across multiple, independent security devices from different manufacturers, where tasks and results are not easily transferable (Compl. ¶39). The invention is a Security Information and Event Management (SIEM) device that allows a user to create a "work flow" defining a plurality of security tasks to be performed by one or more security devices, which the SIEM then schedules and uses to collect results (’421 Patent, Abstract; Compl. ¶39).
- Asserted Claims: At least independent claim 1 (Compl. ¶104).
- Accused Features: The complaint alleges that the Forescout/CounterACT platform, particularly with its eyeExtend, eyeControl, and eyeManage components, functions as an infringing SIEM device by allowing the creation, scheduling, and management of security task workflows across Forescout and third-party security devices (Compl. ¶112).
III. The Accused Instrumentality
Product Identification
The accused instrumentalities are collectively the ForeScout/CounterACT platform and its associated hardware and software components, including the CounterACT Appliance, CounterACT Virtual Appliance, Forescout 5100 Series, SecureConnector, Network Module, HPS Inspection Engine, Windows Applications Plugin, and the eyeExtend, eyeControl, and eyeManage components (Compl. ¶41, ¶59, ¶74, ¶89, ¶104).
Functionality and Market Context
The complaint characterizes the accused products as a Network Access Control (NAC) platform that provides visibility and control over devices connecting to a network (Compl. ¶26, ¶52). Functionally, the platform is alleged to delegate guest user management to "sponsors" (Compl. ¶52); provide remote access control via a VPN Concentrator plugin (Compl. ¶67); run a "SecureConnector" agent on client devices to determine their security posture and connection state (Compl. ¶97); selectively disable security features for trusted traffic (Compl. ¶82); and orchestrate security tasks across multiple devices using a "work flow" system (Compl. ¶112). The complaint positions the Accused Products as direct competitors to Plaintiff's FortiNAC and broader "security fabric" offerings (Compl. ¶6, ¶54).
IV. Analysis of Infringement Allegations
No probative visual evidence provided in complaint.
U.S. Patent No. 8,458,314 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| creating templates for users and devices of said computer network by said network administrator... | The Accused Products are Network Access Control products that create templates for devices and users, including for guest users. | ¶52 | col. 1:14-18 | 
| creating profiles used to control said resources of said computer network; | The network administrator creates profiles that associate network users with a sponsor and control the use of network resources. | ¶52 | col. 1:18-22 | 
| associating said templates with said profiles; | The Accused Products associate created templates and profiles. | ¶52 | col. 1:22-24 | 
| creating at least one said sponsor by said network administrator; | The Accused Products create sponsors for guest users. | ¶52 | col. 1:24-25 | 
| delegating, by said network administrator, network management administrative privileges to said sponsor... | Using the Accused Products, a network administrator delegates network management administrative privileges to a sponsor. | ¶52 | col. 1:60-63 | 
| controlling of said computer network resources by said sponsor, using said templates assigned to said sponsor... wherein said sponsor is constrained by said network administrator by said at least one associated profile... | The sponsor controls network resources for particular users, with this control constrained by the profiles and templates created by the administrator. | ¶52 | col. 2:6-10 | 
- Identified Points of Contention:
  - Scope Questions: A central question may be whether Forescout's system for managing "guest users" via a "Guest Management Portal for Sponsors" (Compl. ¶48) falls within the scope of the patent's specific framework of "delegating... administrative privileges." The analysis may turn on whether the functionality provided to Forescout's "sponsors" constitutes the type of "network management administrative privileges" contemplated by the patent, or if it is a more limited form of guest account creation.
  - Technical Questions: The complaint alleges that Forescout's system transfers "responsibility for said users and devices from said network administrator to said sponsor." What evidence does the complaint provide that legal or operational responsibility is transferred, as opposed to merely delegating the task of account creation? The distinction may be significant during claim construction.
U.S. Patent No. 9,369,299 Infringement Allegations
| Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation | 
|---|---|---|---|
| A system for out-of-band control of network access... | The Accused Products are used as a system for out-of-band control of network access. | ¶67 | col. 1:55-57 | 
| a Network Access Control Server (NACS) comprising memory, controlling said network access, wherein said network access control is out of band... | The Accused Products include a Network Access Control Server (NACS) that controls network access out of band. | ¶67, ¶20 | col. 1:22-24 | 
| wherein said enforcement is out of band and is accomplished on said RAD... whereby said enforcement is vendor-independent and said system is RAD-agnostic; | Enforcement is accomplished on the RAD with real-time changes to its running configuration, and the system is vendor-independent, supporting packages from Cisco, Juniper, and Nortel. | ¶67, ¶21 | col. 10:9-13 | 
| restricting access to said network by said user device with a network access filter (NAF) configured on said RAD; | The Accused Products restrict access to the network using a network access filter (NAF) configured on the RAD. | ¶67, ¶21 | col. 1:65-67 | 
| said RAD directing said client device to an agent; on said user device, running said agent; said agent identifying client to said NACS; | The RAD directs the client device to an agent (SecureConnector), which runs on the device and sends a unique ID to the NACS to identify the endpoint. | ¶67, ¶21 | col. 2:1-3 | 
| modifying said NAF based on compliance; and monitoring post-connection of successful connections. | The NAF is modified based on compliance, and successful connections are monitored post-connection. | ¶67, ¶21 | col. 3:1-2 | 
- Identified Points of Contention:
  - Scope Questions: The case may focus on the definition of "out of band." While the complaint alleges this feature, the specific technical implementation of how the Forescout NACS communicates with and controls the RAD will be scrutinized to determine if it meets the patent's description of being outside the "network data path" (’299 Patent, col. 3:39-40).
  - Technical Questions: Does the "SecureConnector" agent (Compl. ¶21) perform all the functions required of the "agent" in claim 1, including "identifying client to said NACS" and providing the basis for modifying the NAF? The evidence showing the flow of information from the SecureConnector back to the NACS and the subsequent modification of the NAF on the RAD will be critical.
V. Key Claim Terms for Construction
For U.S. Patent No. 8,458,314:
- The Term: "sponsor"
- Context and Importance: This term is the central actor to whom control is delegated and is foundational to the patent's concept of offloading IT tasks. The definition will determine whether Forescout's system, which is described in its own materials as having "Sponsors" for a "Guest Management Portal" (Compl. ¶48), practices the claim.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The claims themselves do not restrict a "sponsor" to being an employee or department head, referring only to delegating control "to at least one sponsor" (’314 Patent, col. 8:1-2). This may support an argument that any non-administrator user granted limited privileges to create accounts could be a "sponsor."
  - Evidence for a Narrower Interpretation: The specification repeatedly frames the invention in the context of offloading tasks to "business/department heads" (’314 Patent, col. 1:13-14) and "non-IT personnel" (Compl. ¶31). The Summary of the Invention describes delegating control to "Sponsors, leveraging their particular skills" (’314 Patent, col. 2:61-62), which could imply a user with a specific organizational role beyond simple guest management.
For U.S. Patent No. 9,369,299:
- The Term: "out of band"
- Context and Importance: This term defines the core architecture of the claimed system and distinguishes it from inline network appliances. Whether Forescout's system operates "out of band" is a dispositive technical question for infringement.
- Intrinsic Evidence for Interpretation:
  - Evidence for a Broader Interpretation: The patent states that out-of-band access control means it is "not in the network data path" (’299 Patent, col. 3:39-40) and "not involved in the normal network traffic flow for that host" (’299 Patent, col. 9:11-13). This could be read broadly to include any system where the NACS is not directly filtering user data packets.
  - Evidence for a Narrower Interpretation: The detailed description emphasizes that because the system is out of band, "data throughput and remote access scalability are unimpeded" (’299 Patent, col. 3:31-33). A defendant may argue that if its NACS architecture introduces any latency or throughput limitations on user data, it cannot be considered truly "out of band" as envisioned by the patent.
VI. Other Allegations
- Indirect Infringement: The complaint alleges both induced and contributory infringement for all five patents-in-suit. For inducement, it asserts that Forescout instructs and encourages its customers to infringe through technical documentation, administration guides, and how-to guides available on its website (e.g., Compl. ¶46-48, ¶61-63). For contributory infringement, it identifies specific software components (e.g., the "Guest Management Portal" for the ’314 Patent; the "VPN Concentrator Plugin" for the ’299 Patent) as being especially made for an infringing use and not being staple articles of commerce suitable for substantial noninfringing use (e.g., Compl. ¶50, ¶65).
- Willful Infringement: The complaint alleges willful infringement based on both pre-suit and post-suit knowledge. It provides specific dates for pre-suit notice, stating Fortinet initiated licensing discussions on February 27, 2020, and identified the specific patents-in-suit to Forescout's counsel on April 24, 2020 (Compl. ¶10-12). The complaint alleges that Forescout's continued infringement despite this notice constitutes "egregious conduct" and "willful blindness" justifying enhanced damages under 35 U.S.C. § 284 (e.g., Compl. ¶57, ¶72).
VII. Analyst’s Conclusion: Key Questions for the Case
- A core issue will be one of definitional scope: can the term "sponsor," as described in the ’314 Patent's context of offloading core IT tasks to department heads, be construed to cover the role of a user authorized to create guest network accounts through Forescout’s "Guest Management Portal for Sponsors"? The outcome may depend on whether the delegated tasks are deemed true "network management administrative privileges."
- A key evidentiary question will be one of technical implementation: does the architecture of the Forescout CounterACT platform meet the ’299 Patent's requirement of "out-of-band" control? This will require a detailed factual analysis of how Forescout's NACS communicates with and modifies the configuration of remote access devices, and whether that control mechanism operates separately from the user data path as defined by the patent.
- A central question for damages will be one of knowledge and intent: given the complaint's specific allegations of pre-suit notice, the case will likely examine what Forescout knew about the patents prior to the lawsuit, when it knew it, and what, if any, good-faith efforts it undertook to assess infringement or design around the patents after being notified.