Centripetal Networks LLC v. Palo Alto Networks Inc

I. Executive Summary and Procedural Information

• Parties & Counsel:
  • Plaintiff: Centripetal Networks, Inc. (Delaware)
  • Defendant: Palo Alto Networks, Inc. (Delaware)
  • Plaintiff’s Counsel: Kaufman & Canoles, P.C.; Henry & O’Donnell P.C.; Kramer Levin Naftalis & Frankel LLP
• Case Identification: 2:21-cv-00137, E.D. Va., 07/09/2021
• Venue Allegations: Plaintiff alleges venue is proper in the Eastern District of Virginia because Defendant transacts business, maintains a regular and established place of business, and has committed the alleged acts of patent infringement within the district.
• Core Dispute: Plaintiff alleges that Defendant’s cybersecurity products, including its Next-Generation Firewall, Panorama, and Cortex platforms, infringe a portfolio of thirteen patents related to dynamic, rule-based network threat detection and packet filtering.
• Technical Context: The technology concerns advanced cybersecurity systems that use dynamically updated threat intelligence to filter malicious network traffic at high speed and scale.
• Key Procedural History: The complaint alleges a history of pre-suit interactions, including partnership discussions between the parties in 2016 and 2017 under a Non-Disclosure Agreement, during which Plaintiff allegedly disclosed details of its patented technology. The complaint also references Plaintiff’s prior successful litigation on related patent families against competitors, including a significant damages award against Cisco Systems, Inc., to support its allegations of pre-suit knowledge and willful infringement.

Case Timeline

Date	Event
2012-10-22	Earliest Priority Date for U.S. Patent No. 10,091,246
2014-04-29	Earliest Priority Date for U.S. Patent Nos. 10,542,028 & 10,757,126
2016-06-21	Plaintiff and Defendant execute a mutual Non-Disclosure Agreement
2017-08-07	Plaintiff and Defendant hold a technical discussion regarding technology integration
2018-03-01	Approx. launch of Defendant's Cortex Data Lake
2018-10-02	U.S. Patent No. 10,091,246 Issues
2019-08-01	Approx. launch of Defendant's Cortex XDR
2019-11-01	Approx. integration of AutoFocus 2.0 with Cortex
2019-12-01	Approx. launch of Defendant's PAN-OS 9.1 with SD-WAN
2019-12-10	U.S. Patent No. 10,503,899 Issues
2020-01-07	U.S. Patent No. 10,530,903 Issues
2020-01-21	U.S. Patent No. 10,542,028 Issues
2020-02-18	U.S. Patent Nos. 10,567,437, 10,567,343, & 10,567,413 Issue
2020-03-01	Approx. launch of Defendant's Cortex XSOAR
2020-05-19	U.S. Patent No. 10,659,573 Issues
2020-08-01	Approx. launch of Defendant's DNS Security Service
2020-08-04	U.S. Patent No. 10,735,380 Issues
2020-08-18	U.S. Patent No. 10,749,906 Issues
2020-08-25	U.S. Patent No. 10,757,126 Issues
2020-09-01	Approx. integration of Defendant's MineMeld
2020-09-22	U.S. Patent No. 10,785,266 Issues
2020-11-01	Approx. launch of Defendant's Enterprise DLP Service
2021-02-23	U.S. Patent No. 10,931,797 Issues
2021-03-12	Initial Complaint Filed
2021-07-09	Amended Complaint Filed

II. Technology and Patent(s)-in-Suit Analysis

U.S. Patent No. 10,542,028 - "Rule-based Network-Threat Detection"

The Invention Explained

• Problem Addressed: The patent family addresses the problem that conventional network security solutions, which often involved static filtering or manual analysis of data logs, were "tedious, time consuming, and exacerbated by the continuously evolving nature of potential threats" (Compl. ¶¶ 41, 46).
• The Patented Solution: The invention provides a system for dynamically filtering network data packets based on rules that correspond to network-threat indicators sourced from intelligence providers (Compl. ¶ 14). A packet filtering device receives rules, identifies a first packet that satisfies a rule, and allows it to pass (Compl. ¶ 83). The system then receives an update to a filtering rule, modifies an operator specified by that rule to reconfigure the device, and subsequently prevents a second packet that satisfies the now-modified rule from continuing to its destination (Compl. ¶ 83; ’028 Patent, col. 27:54-col. 28:28).
• Technical Importance: This approach is alleged to provide an unconventional means for network security by utilizing information from independent threat intelligence providers to dynamically update rule sets, permitting filtering to be "applied at scale to larger and more complex modern networks" (Compl. ¶ 48).

Key Claims at a Glance

• The complaint asserts independent claims 1, 8, 15, and 19 (Compl. ¶ 79).
• Independent Claim 1, a system claim, includes the following essential elements:
  • A packet filtering device with a processor and memory.
  • Receiving a plurality of packet filtering rules configured to identify packets corresponding to network-threat indicators from independent intelligence providers.
  • Receiving a plurality of packets including a first and second packet.
  • Responsive to the first packet satisfying a first rule: applying an operator to allow the first packet to continue, and communicating information about the allowance.
  • Receiving an update to at least one packet filtering rule.
  • Modifying, based on the update, at least one operator of the first rule to reconfigure the device to prevent packets corresponding to the threat indicators.
  • Responsive to the second packet satisfying the first rule: preventing the second packet from continuing based on the modified operator, and communicating data about the prevention.
• The complaint reserves the right to assert dependent claims (Compl. ¶ 79).

U.S. Patent No. 10,757,126 - "Rule-Based Network-Threat Detection"

The Invention Explained

• Problem Addressed: This patent, sharing a common specification with the ’028 patent, addresses the same deficiencies of prior static network filtering systems in the face of continuously evolving cyber threats (Compl. ¶ 46).
• The Patented Solution: The solution is similar to that of the ’028 patent but adds architectural specificity. The invention requires receiving filtering rules from a rule provider device, where the rules were generated by that device based on reports from independent intelligence providers (Compl. ¶ 113). The threat indicators are specified as comprising "unique Internet host addresses or names" (Compl. ¶ 48, 113). The system applies a rule, communicates the result to the rule provider device, receives an update from the rule provider device, modifies the rule to reconfigure the filtering device, and then prevents a subsequent packet (Compl. ¶ 113; ’126 Patent, col. 27:32-col. 28:38).
• Technical Importance: The invention adds the architectural concept of a "rule provider device," which improves the ability to manage and apply packet filtering rules at scale in complex networks (Compl. ¶ 48).

Key Claims at a Glance

• The complaint asserts independent claims 1, 8, and 15 (Compl. ¶ 109).

• Independent Claim 1, a system claim, includes the following essential elements:

  • A packet filtering device with one or more processors and memory.
  • Receiving, from a rule provider device, packet filtering rules based on network threat intelligent reports from independent providers, where threat indicators comprise unique Internet host addresses or names.
  • Responsive to a first packet satisfying a first rule: applying an operator to allow the first packet, and communicating data about the allowance to the rule provider device.
  • Receiving, from the rule provider device, an update to a packet filtering rule.
  • Modifying the first packet filtering rule to reconfigure the device to prevent packets.
  • Responsive to a second packet satisfying the modified first rule: preventing the second packet and communicating data about the prevention to the rule provider device.

• The complaint reserves the right to assert dependent claims (Compl. ¶ 109).

• Multi-Patent Capsule: U.S. Patent No. 10,530,903

  • Patent Identification: U.S. Patent No. 10,530,903, "Correlating Packets in Communications Networks," issued January 7, 2020 (Compl. ¶ 17).
  • Technology Synopsis: The patent addresses improving data packet flow between networks (Compl. ¶ 18). The patented solution involves generating log entries with timestamps for inbound and outbound packets, determining time differences, and correlating packets based on these differences and the data within the packets to identify the originating host (Compl. ¶¶ 18, 142).
  • Asserted Claims: Independent claims 1 and 10 (Compl. ¶ 138).
  • Accused Features: The NGFW and Cortex products are accused of infringement. The complaint alleges the NGFW generates logs that are stored in the Cortex Data Lake, where an analytics engine correlates and compares data from different sensors to identify threats (Compl. ¶¶ 145-148).

• Multi-Patent Capsule: U.S. Patent No. 10,659,573

  • Patent Identification: U.S. Patent No. 10,659,573, "Correlating Packets in Communications Networks," issued May 19, 2020 (Compl. ¶ 19).
  • Technology Synopsis: This patent is directed to improving the flow of data packets between networks (Compl. ¶ 20). The technology involves identifying received packets and transmitted encrypted packets, generating log entries for both, and correlating them to generate new rules that are then provisioned to a packet-filtering device (Compl. ¶¶ 20, 174).
  • Asserted Claims: Independent claims 1, 11, and 19 (Compl. ¶ 170).
  • Accused Features: The NGFW, Cortex, AutoFocus, and MineMeld products are accused. The complaint alleges NGFWs generate log data for received and transmitted packets (including encrypted packets), which are stored in the Cortex Data Lake. The Cortex XDR platform then allegedly correlates these log entries to generate new rules that are provisioned to the NGFW to block suspicious hosts (Compl. ¶¶ 177-182).

• Multi-Patent Capsule: U.S. Patent No. 10,567,437

  • Patent Identification: U.S. Patent No. 10,567,437, "Methods and Systems for Protecting a Secured Network," issued February 18, 2020 (Compl. ¶ 21).
  • Technology Synopsis: The patent describes a system for protecting a network from attacks by filtering traffic based on dynamic security policies (Compl. ¶ 22). The solution involves provisioning a packet security gateway with filtering rules, receiving traffic via an interface without a network-layer address, and dropping packets that match a rule's criterion (Compl. ¶ 208).
  • Asserted Claims: Independent claims 1, 10, and 17 (Compl. ¶ 204).
  • Accused Features: The NGFW, Cortex, AutoFocus, and MineMeld products are accused. The complaint alleges that Panorama provisions the NGFW gateway with filtering rules based on threat feeds. The NGFW allegedly receives traffic via a Layer 2 interface and drops packets based on these rules (Compl. ¶¶ 210-213).

• Multi-Patent Capsule: U.S. Patent No. 10,785,266

  • Patent Identification: U.S. Patent No. 10,785,266, "Methods and Systems for Protecting a Secured Network," issued September 22, 2020 (Compl. ¶ 23).
  • Technology Synopsis: The patent covers protecting networks from attacks by filtering traffic based on dynamic security policies (Compl. ¶ 24). The system receives a first set of rules from a security policy management server, filters packets, then receives an updated second set of rules based on new malicious traffic information, and filters subsequent packets with the updated rules (Compl. ¶ 237).
  • Asserted Claims: Independent claims 1, 14, and 20 (Compl. ¶ 233).
  • Accused Features: The NGFW, Cortex, AutoFocus, and MineMeld products are accused. The complaint alleges that Panorama, as a security policy management server, provides the NGFW with a first set of rules based on threat feeds, and later provides an updated second set of rules based on new threat information, which the NGFW then applies to subsequent packets (Compl. ¶¶ 239-243).

• Multi-Patent Capsule: U.S. Patent No. 10,567,343

  • Patent Identification: U.S. Patent No. 10,567,343, "Filtering Network Data Transfers," issued February 18, 2020 (Compl. ¶ 25).
  • Technology Synopsis: The patent provides a system for protecting networks by filtering data transfers based on one or more rules (Compl. ¶ 26). The apparatus determines if packets match a first criterion based on packet header fields and a second criterion based on application header fields, and then applies a packet transformation function to prevent data exfiltration (Compl. ¶ 267).
  • Asserted Claims: Independent claims 1, 8, and 15 (Compl. ¶ 263).
  • Accused Features: The NGFW, Panorama, Enterprise DLP, and DNS Security Service products are accused. The complaint alleges these products use security policies and packet filtering rules to identify packets bound for untrusted zones based on both packet header and application header information to prevent data exfiltration (Compl. ¶¶ 269-271).

• Multi-Patent Capsule: U.S. Patent No. 10,735,380

  • Patent Identification: U.S. Patent No. 10,735,380, "Filtering Network Data Transfers," issued August 4, 2020 (Compl. ¶ 27).
  • Technology Synopsis: The patent describes a system to protect networks by filtering data based on rules (Compl. ¶ 28). The system identifies outbound packets destined for outside the protected network, determines if they are associated with a data transfer protocol, and identifies a data transfer request field to determine if it indicates a network exfiltration method, causing the packets to be dropped (Compl. ¶ 297).
  • Asserted Claims: Independent claims 1, 10, 16, and 21 (Compl. ¶ 293).
  • Accused Features: The NGFW, Panorama, Enterprise DLP, and DNS Security Service are accused. The complaint alleges these products use security policies and packet filtering rules to identify outbound packets, analyze data transfer request fields in application packet headers, and block traffic to prevent network exfiltration (Compl. ¶¶ 300-302).

• Multi-Patent Capsule: U.S. Patent No. 10,503,899

  • Patent Identification: U.S. Patent No. 10,503,899, "Cyberanalysis Workflow Acceleration," issued December 10, 2019 (Compl. ¶ 29).
  • Technology Synopsis: The patent is directed to a system for improving analysis related to computer network security (Compl. ¶ 30). The system receives event logs, determines a "reportability likelihood" for each log based on an algorithm, sorts the logs based on this likelihood, and stores them in a sorted event queue (Compl. ¶ 328).
  • Asserted Claims: Independent claims 1 and 15 (Compl. ¶ 324).
  • Accused Features: The Cortex platform is accused. The complaint alleges that Cortex ingests event logs into its data lake, uses machine learning algorithms to determine a reportability likelihood (e.g., risk), and sorts and stores the event logs in a queue that prioritizes the highest-risk events (Compl. ¶¶ 329-330).

• Multi-Patent Capsule: U.S. Patent No. 10,749,906

  • Patent Identification: U.S. Patent No. 10,749,906, "Methods and Systems for Protecting a Secured Network," issued August 18, 2020 (Compl. ¶ 31).
  • Technology Synopsis: The patent describes a system for protecting computer networks using a dynamic security policy (Compl. ¶ 32). The system receives a first set of rules from a security policy management server based on information from a malicious host tracker, performs packet filtering, and then receives and applies an updated second set of rules (Compl. ¶ 354).
  • Asserted Claims: Independent claims 1 and 11 (Compl. ¶ 350).
  • Accused Features: The NGFW and DNS Security Service are accused. The DNS Security Service is alleged to act as the security policy management server, providing the NGFW with dynamic rules based on real-time lookups of malicious domains from various "malicious host trackers" (Compl. ¶¶ 355-356).

• Multi-Patent Capsule: U.S. Patent No. 10,091,246

  • Patent Identification: U.S. Patent No. 10,091,246, "Methods and Systems for Protecting a Secured Network," issued October 2, 2018 (Compl. ¶ 33).
  • Technology Synopsis: The patent describes a system for protecting networks using a dynamic security policy with packet filtering rules created by a security policy management server (Compl. ¶ 34). The invention involves executing multiple, growing rule sets in a specific order, from smaller to larger, to prioritize network traffic and improve performance (Compl. ¶¶ 51-53).
  • Asserted Claims: Independent claims 1, 8, and 15 (Compl. ¶ 379).
  • Accused Features: The NGFW, Cortex, AutoFocus, and MineMeld products are accused. The complaint alleges that the products apply rule sets that are prioritized based on location and evaluated in order, with later rule sets having more addresses than previous ones, thereby processing higher priority traffic first (Compl. ¶ 389).

• Multi-Patent Capsule: U.S. Patent No. 10,567,413

  • Patent Identification: U.S. Patent No. 10,567,413, "Rule-Based Network-Threat Detection," issued February 18, 2020 (Compl. ¶ 35).
  • Technology Synopsis: The patent describes filtering network data based on rules corresponding to threat indicators from intelligence providers (Compl. ¶ 36). The system receives threat identifiers, receives packets, generates a packet log entry, determines a score for the threat based on the number of providers reporting it, generates a sorted listing of threats, and reconfigures a rule based on user input via an interface showing the list (Compl. ¶ 412).
  • Asserted Claims: Independent claims 1, 8, and 15 (Compl. ¶ 408).
  • Accused Features: The NGFW, Panorama, Cortex, AutoFocus, MineMeld, and DNS Security Service are accused. The complaint alleges the products receive threat feeds from multiple providers, score threats based on this information, generate an ordered list of threats, and allow for reconfiguration of filtering rules based on the list (Compl. ¶¶ 413, 418).

• Multi-Patent Capsule: U.S. Patent No. 10,931,797

  • Patent Identification: U.S. Patent No. 10,931,797, "Correlating Packets in Communications Networks," issued February 23, 2021 (Compl. ¶ 37).
  • Technology Synopsis: The patent describes a system to improve data packet flow by generating log entries for received and transmitted packets and correlating them (Compl. ¶ 38). Based on the correlation, the system generates one or more rules and provisions a packet-filtering device with them (Compl. ¶ 442).
  • Asserted Claims: Independent claims 1 and 11 (Compl. ¶ 438).
  • Accused Features: The NGFW and Cortex products are accused. The complaint alleges the NGFW generates logs that are collected in the Cortex Data Lake, where an analytics engine correlates the data to generate rules that are then used to provision packet filtering devices (Compl. ¶¶ 445-449).

III. The Accused Instrumentality

Product Identification

• The accused products are Defendant’s Next-Generation Firewall (“NGFW”), Panorama, Cortex, MineMeld, and DNS Security Services, operating alone or in combination (Compl. ¶ 64).

Functionality and Market Context

• The complaint presents the accused products as an integrated cybersecurity ecosystem. The NGFW serves as a hardware or virtual appliance that inspects all network traffic, running Defendant's PAN-OS software (Compl. ¶ 56). The Panorama platform provides centralized management, provisioning the NGFW with security rules and leveraging dynamic security updates (Compl. ¶ 57). The "PA-Series ML-Powered Next-Generation Firewalls" diagram illustrates the relationship between the hardware NGFW appliances and the Panorama network security management platform (Compl. ¶ 85).
• The Cortex platform is an artificial intelligence security operations system that extends security into the cloud (Compl. ¶ 58). It uses a central repository called the Cortex Data Lake to store and analyze network logs from other products like the NGFW (Compl. ¶ 58). An architectural diagram shows log data from various sources, including branch offices and data centers, flowing into the Cortex Data Lake for analysis by Cortex Apps (Compl. ¶ 86).
• Services like AutoFocus, MineMeld, and the DNS Security Service are alleged to aggregate and correlate threat intelligence from various independent providers, which is then used by Panorama and Cortex to create and provision the NGFW with dynamic, updated packet filtering rules (Compl. ¶¶ 59, 61, 62, 85).

IV. Analysis of Infringement Allegations

U.S. Patent No. 10,542,028 Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
a packet filtering device comprising at least one processor; and memory...	The Accused Products are, or run on, computers with processors and memory (Compl. ¶ 84).	¶84	col. 27:35-37
receive a plurality of packet filtering rules configured to... identify packets corresponding to... network-threat indicators... associated with network-threat-intelligence reports supplied by one or more independent network-threat-intelligence providers	The NGFW receives packet filtering rules from Panorama and Cortex, which act as rule provider devices. These rules are formed from threat intelligence from independent providers via services like AutoFocus and MineMeld (Compl. ¶ 85, 86).	¶85, ¶86	col. 27:40-47
receive a plurality of packets that comprises a first packet and a second packet	The NGFW is a security gateway that processes inbound and outbound packets traversing the network boundary (Compl. ¶ 88).	¶88	col. 27:48-49
responsive to a determination that the first packet satisfies a first packet filtering rule...: apply, to the first packet, an operator specified by the first packet filtering rule... to allow the first packet to continue...; and communicate information...	The NGFW uses security policy rules to process packets, with an operator performing a policy lookup to allow or deny packets. Information about whether packets were allowed or blocked is communicated to Panorama (Compl. ¶ 88, 89).	¶88, ¶89	col. 27:50-62
receive an update to at least one packet filtering rule	Panorama receives updated threat feeds from AutoFocus containing the most recent threat information (Compl. ¶ 89).	¶89	col. 28:13-14
modify, based on the received update... at least one operator specified by the first packet filtering rule to reconfigure the packet filtering device to prevent packets...	Panorama updates network threat indicators based on the latest threat information, which in turn updates the Accused Product to operate on subsequent packets with the reconfigured packet filtering rule (Compl. ¶ 89).	¶89	col. 28:15-21
responsive to a determination that the second packet satisfies the first packet filtering rule: based on the modified at least one operator... prevent the second packet from continuing...; and communicate data indicative that the second packet was prevented...	After an update occurs, the NGFW operates on subsequent packets with the modified rule to allow or deny them, and communicates this information to Panorama (Compl. ¶ 89).	¶89	col. 28:22-28

Identified Points of Contention

• Scope Questions: The analysis may raise the question of whether the continuous, automated provisioning of new rules based on streaming threat intelligence, as allegedly performed by the Accused Products, constitutes "receiving an update to at least one packet filtering rule" and then "modifying... at least one operator" of that same rule, as specified by the claim.
• Technical Questions: A key factual question may be what evidence shows that a single, pre-existing rule (the "first packet filtering rule") has its operator changed from "allow" to "prevent" based on an update, as opposed to the system simply deleting an old "allow" rule and creating a new, separate "prevent" rule.

U.S. Patent No. 10,757,126 Infringement Allegations

Claim Element (from Independent Claim 1)	Alleged Infringing Functionality	Complaint Citation	Patent Citation
a packet filtering device with one or more processors; and memory storing instructions...	The Accused Products are, or run on, computers with processors and memory (Compl. ¶ 84).	¶84	col. 27:14-16
receive, from a rule provider device, a plurality of packet filtering rules... generated by the rule provider device based on network threat intelligent reports... wherein the plurality of network-threat indicators comprise unique Internet host addresses or names	The NGFW receives packet filtering rules from Panorama, which acts as a rule provider device. These rules are formed from AutoFocus threat feeds, which include IP addresses, domains, and URLs (Compl. ¶ 114).	¶114	col. 27:17-29
responsive to a determination that a first packet satisfies a first packet filtering rule...: apply, to the first packet, an operator... to allow the first packet...; and communicate, to the rule provider device, data indicative that the first packet was allowed...	The NGFW applies security policy rules to allow or deny packets and communicates information about whether packets were allowed or blocked to Panorama (Compl. ¶¶ 117, 118).	¶117, ¶118	col. 27:30-41
receive, from the rule provider device, an update to at least one packet filtering rule	Panorama receives updated threat feeds from AutoFocus based on the most recent threat information, which constitutes an update (Compl. ¶ 118).	¶118	col. 28:28-30
modify, based on the received update... the first packet filtering rule to reconfigure the packet filtering device to prevent packets...	The operators within the packet filtering rules can be updated based on rule updates, which reconfigures the NGFW to prevent or allow subsequent packets (Compl. ¶ 114).	¶114	col. 28:31-37
responsive to a determination that a second packet satisfies the modified first packet filtering rule: prevent... the second packet from continuing...; and communicate, to the rule provider device, data indicative that the second packet was prevented...	After an update occurs, the Accused Products operate on subsequent packets with the modified rule, and information on whether packets were allowed or blocked is communicated to Panorama (Compl. ¶ 118).	¶118	col. 28:38-46

Identified Points of Contention

• Scope Questions: The dispute may center on whether the role of Panorama and Cortex, as centralized management and intelligence platforms, fits the claim definition of a "rule provider device" that both "generates" and "updates" the rules used by the filtering device.
• Technical Questions: What evidence does the complaint provide that the filtering rules are specifically "generated by the rule provider device based on network threat intelligent reports" in the manner required by the claim, versus simply being passed through the system from another source?

V. Key Claim Terms for Construction

• The Term: "modify... at least one operator"

• Context and Importance: This term, appearing in the independent claims of both the ’028 and ’126 patents, is central to the dynamic and reconfigurable nature of the invention. The infringement analysis may turn on whether the accused system's process of receiving new threat intelligence results in the "modification" of an existing rule's operator (e.g., from "allow" to "prevent") or the replacement of an old rule with a new one. Practitioners may focus on this term because the distinction between modifying an existing rule and creating a new one could be dispositive.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The specifications of the ’028 and ’126 patents are common and may describe the reconfiguration of the packet filtering device in general terms, potentially supporting a view that any update to the rule set that changes the handling of a particular threat constitutes a "modification."
  • Evidence for a Narrower Interpretation: The specifications may contain embodiments or figures that depict a specific "operator" field within a rule data structure being explicitly altered, which could support a narrower construction requiring a direct change to a specific part of an existing rule, rather than its wholesale replacement.

• The Term: "rule provider device"

• Context and Importance: This term is recited in independent claim 1 of the ’126 Patent and defines a key architectural element. The complaint alleges that Panorama and/or Cortex function as this device. The dispute will likely involve whether these platforms perform the specific functions of both generating and updating rules based on intelligence reports, as claimed. Practitioners may focus on this term because if Panorama is merely a conduit for rules generated elsewhere, it may not meet the claim limitation.

• Intrinsic Evidence for Interpretation:

  • Evidence for a Broader Interpretation: The specification may describe the rule provider in functional terms, such as any component that supplies rules to the filtering device, which could encompass a management platform like Panorama that orchestrates rule delivery.
  • Evidence for a Narrower Interpretation: The specification may describe the "rule provider device" as the component that itself performs the analysis of threat intelligence reports and creates the rules from scratch, potentially narrowing the term to exclude systems that merely manage or pass along rules created by another entity.

VI. Other Allegations

• Indirect Infringement: The complaint alleges inducement of infringement based on Defendant’s technical documentation, "TECHDOCS" website, training materials, and advertising, which allegedly instruct and encourage customers to configure and use the Accused Products in an infringing manner (Compl. ¶¶ 101, 102, 130, 131). Contributory infringement is alleged on the basis that the Accused Products are highly specialized security products not suitable for substantial non-infringing use (Compl. ¶¶ 103, 132).
• Willful Infringement: The complaint alleges willful infringement based on Defendant's alleged pre-suit knowledge of the patents-in-suit and Plaintiff's technology. This knowledge is alleged to have been acquired through multiple channels, including partnership discussions under an NDA in 2016-2017, Defendant's numerous visits to Plaintiff's website, and public information regarding Plaintiff's successful litigation against competitors (Keysight and Cisco) on related patent families (Compl. ¶¶ 67-73, 91).

VII. Analyst’s Conclusion: Key Questions for the Case

• A central issue will be one of technical operation: does the accused system's method of continuously pushing updated threat intelligence and policies from a central manager (Panorama/Cortex) to a firewall perform the specific, multi-step process of receiving an "update," "modifying" a pre-existing rule's "operator," and then applying that modified rule to a subsequent packet, as claimed? Or does the system operate by simply adding new rules and deleting old ones, creating a potential mismatch with the claim language?
• A key question of claim construction will be the scope of "modify... an operator." The case may turn on whether this requires altering a specific data field within an existing rule structure or whether it can be broadly construed to cover any system update that changes the ultimate outcome for a given type of traffic.
• A significant question for the fact-finder will be one of intent: given the detailed allegations of pre-suit interactions, disclosures under NDA, and Defendant's alleged awareness of Plaintiff's litigation against direct competitors on related patents, did Defendant's alleged infringement rise to the level of willfulness, which could expose it to enhanced damages?