DCT

4:23-cv-04389

InfoExpress Inc v. Fortinet Inc

I. Executive Summary and Procedural Information

  • Parties & Counsel:
  • Case Identification: 4:23-cv-04389, N.D. Cal., 08/25/2023
  • Venue Allegations: Venue is alleged based on Defendant’s headquarters and established place of business within the Northern District of California.
  • Core Dispute: Plaintiff alleges that Defendant’s network access control products, primarily the FortiNAC platform, infringe six patents related to systems and methods for dynamically managing device access to a protected network.
  • Technical Context: The dispute centers on Network Access Control (NAC) technology, a security domain focused on enforcing policies for devices connecting to a corporate or private network, a critical component of modern enterprise cybersecurity.
  • Key Procedural History: The complaint alleges that Defendant cited U.S. Patent No. 8,117,645, a member of the asserted patent family, during the prosecution of its own U.S. patents as early as March 2017, which may be relevant to questions of pre-suit knowledge and willfulness.

Case Timeline

Date Event
2003-09-24 Earliest Priority Date for all Patents-in-Suit
2009-04-21 U.S. Patent No. 7,523,484 Issues
2011-11-01 U.S. Patent No. 8,051,460 Issues
2012-02-14 U.S. Patent No. 8,117,645 Issues
2013-01-01 U.S. Patent No. 8,347,350 Issues
2013-11-05 U.S. Patent No. 8,578,444 Issues
2014-03-18 U.S. Patent No. 8,677,450 Issues
2017-03-17 Defendant allegedly submits an Information Disclosure Statement citing the ’645 Patent
2017-04-03 Defendant allegedly submits a second Information Disclosure Statement citing the ’645 Patent
2023-08-25 Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 7,523,484 - "Systems and Methods of Controlling Network Access"

The Invention Explained

  • Problem Addressed: The patent describes prior art network security "gatekeepers" as creating a performance bottleneck because all communications from an external device must pass through the gatekeeper, limiting bandwidth. Additionally, prior art systems lacked a mechanism to isolate non-compliant devices connected to the same physical access point (e.g., a network switch) from compliant ones. (’484 Patent, col. 2:26-44).
  • The Patented Solution: The invention proposes an "out-of-band" approach where an access point is manipulated to manage network access. An external device initially connects to a "restricted subset" of the network (e.g., a quarantine VLAN), allowing communication only with a "gatekeeper." The gatekeeper audits the device against a security policy. If the device complies, the gatekeeper sends commands to reconfigure the access point port, moving the device to a "less-restricted subset" (e.g., the main corporate network). After this reconfiguration, network traffic from the device can flow directly to the less-restricted network without passing through the gatekeeper, thus avoiding the bottleneck. (’484 Patent, Abstract; col. 4:28-42).
  • Technical Importance: This architecture allows for scalable network access control by using the gatekeeper for policy decisions but not for routing the main data traffic, thereby preserving network performance. (’484 Patent, col. 4:32-42).

Key Claims at a Glance

  • The complaint asserts at least one claim of the ’484 Patent (Compl. ¶61). Independent claim 1 is representative of the system claimed:
    • A network gatekeeper comprising:
    • at least one security policy including requirements that must be satisfied before an access device is granted access to a less-restricted subset of a protected network;
    • a policy auditor configured to audit the access device using the security policy, in response to a request from the device; and
    • an access control configured to reconfigure the communication device such that data from the access device is received by the less-restricted subset, if the audit determines the device meets the policy requirements.
  • The complaint does not explicitly reserve the right to assert dependent claims for this patent.

U.S. Patent No. 8,051,460 - "Systems and Methods of Controlling Network Access"

The Invention Explained

  • Problem Addressed: As a continuation of the application leading to the ’484 Patent, the ’460 Patent addresses the same technical problem of performance bottlenecks and lack of device isolation in prior art network access control systems. (’460 Patent, col. 2:30-45).
  • The Patented Solution: The ’460 Patent claims the method corresponding to the system described in the ’484 Patent. The method involves receiving an access request from a device at a communication port configured to communicate only with a restricted network subset containing a gatekeeper. A security policy is then applied to the device, and if the policy requirements are met, the communication port is reconfigured to allow communication with a less-restricted network subset without passing subsequent data through the gatekeeper. (’460 Patent, Abstract; col. 4:15-32).
  • Technical Importance: This patent claims the out-of-band NAC process itself, so it complements the system claims of the parent ’484 Patent and covers the same core invention from the method side. (’460 Patent, col. 4:33-43).

Key Claims at a Glance

  • The complaint asserts at least one claim of the ’460 Patent (Compl. ¶72). Independent claim 1 is representative of the method claimed:
    • A method of granting access to a protected network, comprising:
    • receiving a request for access to a less-restricted subset from an access device via a communication port configured for communication with a restricted subset including a gatekeeper;
    • applying a security policy to the access device;
    • using the gatekeeper to determine if policy requirements are satisfied; and
    • reconfiguring the communication port for communication with the less-restricted subset without passing data through the gatekeeper, when requirements are satisfied.
  • The complaint does not explicitly reserve the right to assert dependent claims for this patent.

U.S. Patent No. 8,677,450 - "Systems and Methods of Controlling Network Access"

  • Technology Synopsis: This patent relates to methods of network access control. It describes scanning a network device for information (e.g., operating system, antivirus software), applying a security policy to that information, and then configuring the access point based on the policy result. (Compl. ¶85).
  • Asserted Claims: At least one claim is asserted (Compl. ¶83).
  • Accused Features: The complaint alleges that FortiNAC’s ability to configure network scans to check hosts for compliance and apply security policies infringes the ’450 Patent. (Compl. ¶85).

U.S. Patent No. 8,578,444 - "Systems and Methods of Controlling Network Access"

  • Technology Synopsis: This patent describes a NAC system that uses an Extensible Authentication Protocol (EAP), sends audit data requests to an agent on a device, receives audit data back, and applies a security policy based on both the authentication and the audit data. (Compl. ¶96).
  • Asserted Claims: At least one claim is asserted (Compl. ¶94).
  • Accused Features: The complaint alleges that FortiNAC’s use of RADIUS for EAP authentication, its use of agents for collecting device data, and its application of security policies infringe the ’444 Patent. (Compl. ¶96).

U.S. Patent No. 8,347,350 - "Systems and Methods of Controlling Network Access"

  • Technology Synopsis: This patent focuses on post-admission control. It describes receiving initial audit data, auditing the device, reconfiguring an access point to grant access, and then continuing to monitor the device’s compliance using updated audit data. (Compl. ¶107).
  • Asserted Claims: At least one claim is asserted (Compl. ¶105).
  • Accused Features: The complaint alleges that FortiNAC’s use of client-side agents, its endpoint compliance policies, and its ability to schedule recurring scans for continued compliance infringe the ’350 Patent. (Compl. ¶107).
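The out-of-band flow described for the ’484 and ’460 Patents (device lands on a restricted VLAN, the gatekeeper audits it, the switch port is reassigned so production traffic never traverses the gatekeeper) and the post-admission re-audit summarized for the ’350 Patent are easier to reason about as running code. The following Python model is an added example written for this page; it is not code from the complaint, the patents, or FortiNAC. The VLAN ids, the gatekeeper address, the three policy checks, and the device postures are all constructed assumptions, and `set_vlan` stands in for the SNMP or CLI command a real gatekeeper would send to the switch.

```python
"""Simulated out-of-band NAC (added example, not from the page's sources).

A device connects to a switch port that is initially on a restricted VLAN where
only the gatekeeper is reachable. The gatekeeper audits the device's posture
against a policy and, on success, reassigns the port to the production VLAN.
From then on the device's traffic is switched directly and bypasses the
gatekeeper. A later re-audit can move a non-compliant device back.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

RESTRICTED_VLAN = 100            # assumed quarantine/registration VLAN id
PRODUCTION_VLAN = 200            # assumed less-restricted (production) VLAN id
GATEKEEPER_IP = "10.100.0.2"     # constructed address of the gatekeeper on the restricted subset


@dataclass
class Posture:
    """Audit data an agent or scan would report about the access device."""
    os: str
    os_patched: bool
    antivirus: Optional[str]
    av_definitions_age_days: int


@dataclass
class SwitchPort:
    """One communication port on the access point; starts on the restricted VLAN."""
    port_id: str
    vlan: int = RESTRICTED_VLAN
    log: List[Tuple[int, int, str]] = field(default_factory=list)

    def set_vlan(self, vlan: int, reason: str) -> None:
        # Stand-in for the SNMP/CLI reconfiguration the gatekeeper issues to the switch.
        # The log mirrors the "Port changes" records (Registration, Remediation, ...) the
        # complaint points to, but the entries here are constructed.
        self.log.append((self.vlan, vlan, reason))
        self.vlan = vlan


# Security policy: each requirement is a predicate over the reported posture.
# These three checks are assumptions chosen to make the example concrete.
POLICY: Dict[str, Callable[[Posture], bool]] = {
    "os_patched": lambda p: p.os_patched,
    "antivirus_present": lambda p: p.antivirus is not None,
    "av_definitions_fresh": lambda p: p.av_definitions_age_days <= 7,
}


def audit(posture: Posture) -> List[str]:
    """Policy auditor: return the names of failed requirements (empty = compliant)."""
    return [name for name, check in POLICY.items() if not check(posture)]


def admit(port: SwitchPort, posture: Posture, reason: str = "Registration") -> List[str]:
    """Access control: reconfigure the port to production only if the audit passes."""
    failures = audit(posture)
    if not failures:
        port.set_vlan(PRODUCTION_VLAN, reason)
    return failures


def reaudit(port: SwitchPort, posture: Posture) -> List[str]:
    """Post-admission control: on updated audit data, pull a failing device back."""
    failures = audit(posture)
    if failures and port.vlan == PRODUCTION_VLAN:
        port.set_vlan(RESTRICTED_VLAN, "Remediation")
    return failures


def forward(port: SwitchPort, dst_ip: str) -> str:
    """Data-plane consequence of the port's VLAN.

    On the restricted VLAN only the gatekeeper is reachable; anything else is
    dropped. On the production VLAN the frame is switched directly and the
    gatekeeper is not in the path at all.
    """
    if port.vlan == RESTRICTED_VLAN:
        return "gatekeeper" if dst_ip == GATEKEEPER_IP else "dropped"
    return "direct"


if __name__ == "__main__":
    port = SwitchPort("gi1/0/7")                      # constructed port name
    laptop = Posture("Windows 11", True, "ExampleAV", 1)
    print("before audit ->", forward(port, "10.200.0.50"))      # dropped
    print("audit failures:", admit(port, laptop))               # []
    print("after admission ->", forward(port, "10.200.0.50"))   # direct
    stale = Posture("Windows 11", True, "ExampleAV", 30)
    print("re-audit failures:", reaudit(port, stale))           # ['av_definitions_fresh']
    print("port VLAN now", port.vlan, "log:", port.log)
```

The model makes the claim-construction stakes visible: the only thing the gatekeeper does to the data path is change the port's VLAN, after which `forward` never consults it. Whether a real product's VLAN reassignment over SNMP or CLI counts as "reconfiguring the communication device" is the legal question; the mechanism itself is this small.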

U.S. Patent No. 8,117,645 - "Systems and Methods of Controlling Network Access"

  • Technology Synopsis: This patent claims a NAC system that formulates and sends audit requests to user devices, receives device information and EAP authentication information, evaluates that information, and configures an access point in response to approval by a gatekeeper. (Compl. ¶118).
  • Asserted Claims: At least one claim is asserted (Compl. ¶116).
  • Accused Features: The complaint alleges that FortiNAC’s features for endpoint compliance scanning, use of EAP, and configuration of access points based on policy evaluation infringe the ’645 Patent. (Compl. ¶118).

III. The Accused Instrumentality

Product Identification

  • The accused instrumentalities are Defendant’s FortiNAC products, including associated hardware (virtual and physical) and software, alone and in combination with other products such as FortiAPs (wireless access points), FortiSwitch devices, routers, and servers. (Compl. ¶¶34, 37).

Functionality and Market Context

  • FortiNAC is identified as a Network Access Control (NAC) and Zero Trust Network Access solution that enables organizations to manage network access policies and ensure device compliance. (Compl. ¶¶12, 35).
  • The complaint highlights that FortiNAC is an "out of band" solution that "does not sit in-line of user traffic," which allows it to be deployed centrally to manage many locations. (Compl. ¶36).
  • Its functionality is alleged to include automated onboarding of new devices, continuous monitoring for non-compliance, and integration with third-party security solutions. (Compl. ¶37). The complaint references a product guide screenshot which details how FortiNAC logs "Port changes" for reasons such as "Registration," "Remediation," and "Authentication," where a port is moved into a specific VLAN. (Compl. p. 11). Another visual from a training video shows how NAC policies are used to move a device to a specific VLAN. (Compl. p. 13).

IV. Analysis of Infringement Allegations

’484 Patent Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
at least one security policy including requirements that must be satisfied before an access device is granted access to a less-restricted subset... | FortiNAC allows administrators to create "network access policies" which map a user/host profile to a network access configuration, defining parameters for security. | ¶¶21, 63 | col. 6:35-51
a policy auditor configured to audit the access device using the at least one security policy, in response to a request to access the less-restricted subset... | FortiNAC uses "Endpoint compliance policies" and configures "network scans or sets of rules that are used to scan hosts for compliance," such as checking for required antivirus software. | ¶¶26, 63 | col. 10:30-44
an access control configured to reconfigure the communication device such that data sent from the access device is received by the less-restricted subset... if the audit results in a determination that the access device meets the requirements... | When a device meets policy requirements (e.g., for registration or authentication), FortiNAC changes the configuration of the switch port to move the device from a restricted VLAN (e.g., registration VLAN) to a less-restricted one (e.g., production network VLAN). | ¶¶21, 63 | col. 4:55-64

’460 Patent Infringement Allegations

Claim Element (from Independent Claim 1) | Alleged Infringing Functionality | Complaint Citation | Patent Citation
receiving a request for access to a less-restricted subset... from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset... including a gatekeeper | When a new device connects to a FortiSwitch port managed by FortiNAC, it is initially placed in a restricted VLAN (e.g., an "onboarding VLAN") where it communicates with the FortiNAC server (the alleged gatekeeper). | ¶¶23-24, 74 | col. 4:15-24
applying a security policy to the access device, responsive to the request | FortiNAC applies predefined network access policies and compliance policies to the connecting device to determine its security posture. | ¶¶24, 74 | col. 4:25-27
reconfiguring the communication port for communicating data between the access device and the less-restricted subset... without passing the data through the gatekeeper, if requirements of the security policy are satisfied | Upon successful authentication and/or compliance, FortiNAC reconfigures the switch port to move the device to a production VLAN, allowing direct access to network resources without routing traffic through the FortiNAC server. | ¶¶23-24, 74 | col. 4:28-32

Identified Points of Contention

  • Scope Questions: A central question may be whether Defendant's software-based, distributed FortiNAC platform qualifies as the "network gatekeeper" recited in the claims. The patents' figures often depict the gatekeeper as a singular hardware component on the network, which may raise questions about the intended scope of the term.
  • Technical Questions: The analysis may focus on whether the standard network management functions performed by FortiNAC—such as changing a port's VLAN assignment via CLI or SNMP—are coextensive with the specific act of "reconfiguring the communication device" as taught and claimed in the patents.

V. Key Claim Terms for Construction

The Term: "network gatekeeper"

  • Context and Importance: This term is the central component of the system claimed in the ’484 Patent. Its definition is critical because the infringement theory depends on mapping the FortiNAC platform (a potentially distributed software solution) to this claimed element. Practitioners may focus on this term to dispute whether a software platform, operating in concert with separate network hardware, can constitute a single "gatekeeper" system.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification describes the gatekeeper functionally, as being "configured to receive requests for access... and to issue commands" (’484 Patent, col. 4:48-54). This functional language may support an interpretation that is not limited to a single physical box and could encompass a distributed system.
    • Evidence for a Narrower Interpretation: The patent figures consistently depict the "GateKeeper" (225) as a discrete component connected to the LAN, separate from the "Access Point" (215) it controls (’484 Patent, Fig. 2). The summary describes the gatekeeper as one of the "Elements... of the restricted subset," which may suggest it is a distinct entity. (’484 Patent, col. 2:56-58).

The Term: "reconfigure the communication device" / "reconfiguring the communication port"

  • Context and Importance: This is the key action step in the asserted claims that enables the out-of-band architecture. The dispute will question whether FortiNAC's method of changing VLAN assignments or applying firewall rules falls within the scope of this term as understood in the context of the patent.
  • Intrinsic Evidence for Interpretation:
    • Evidence for a Broader Interpretation: The specification states that reconfiguration "typically includes reassigning the communication port from the restricted VLAN to the less-restricted VLAN," which suggests that "reconfiguring" is not exclusively limited to this one action. (’484 Patent, col. 3:22-25).
    • Evidence for a Narrower Interpretation: The primary embodiment and detailed description focus heavily on changing a port's VLAN association as the mechanism for reconfiguration (’484 Patent, col. 8:19-25). An argument could be made that the term's meaning is limited to this specific, disclosed mechanism.

VI. Other Allegations

Indirect Infringement

  • The complaint alleges inducement of infringement under 35 U.S.C. § 271(b), asserting that Defendant provides customers with user guides (e.g., "FortiNAC 9.4.0 Administration Guide"), training videos, webinars, software updates, and technical support that instruct them to configure and use the Accused Instrumentalities in a manner that infringes the patents-in-suit. (Compl. ¶¶50, 62). The complaint also alleges contributory infringement under 35 U.S.C. § 271(c), stating that the FortiNAC servers and software are material parts of the invention, are especially made or adapted for an infringing use, and are not staple articles of commerce suitable for substantial noninfringing use. (Compl. ¶¶53-56, 63).

Willful Infringement

  • The complaint alleges willful infringement based on both pre- and post-suit knowledge. The claim of pre-suit knowledge is based on Defendant's alleged submission of Information Disclosure Statements during its own patent prosecution in March and April 2017, which cited the ’645 Patent from the asserted family. (Compl. ¶¶42-46, 57). Post-suit knowledge is alleged based on the filing of the complaint itself. (Compl. ¶47).

VII. Analyst’s Conclusion: Key Questions for the Case

The resolution of this dispute may turn on the following central questions:

  • A core issue will be one of definitional scope: can the term "network gatekeeper," which the patents depict as a discrete network component, be construed to cover Defendant's FortiNAC platform, a software-based solution that operates in concert with separate network switches and access points?
  • A second issue will be one of functional operation: does the functionality of the accused FortiNAC system—which uses industry-standard network management protocols to assign ports to different VLANs based on security policies—constitute the specific inventive act of "reconfiguring the communication device" as claimed in the patents, or is there a material difference in the technical means employed?
  • A key evidentiary question for willfulness will be one of imputed knowledge: will Defendant's citation of one patent from the asserted family (the ’645 Patent) during its own patent prosecution be sufficient to establish pre-suit knowledge of the entire patent portfolio and its alleged infringement, thereby supporting a finding of willful infringement?