PTAB

IPR2026-00040

Fortinet Inc v. Netskope Inc

1. Case Identification

2. Patent Overview

  • Title: Method for Automatic Pre-Authentication Redirection of Network Traffic
  • Brief Description: The ’336 patent relates to a method for controlling network access for clients within a shared public/private network, often called a "walled garden." The disclosed invention redirects network traffic from unauthenticated users attempting to access external resources to a "Pre-Authentication Capture Destination" located on a server within the local, shared network.

3. Grounds for Unpatentability

Ground 1: Claims 1-4, 9-11, and 16-18 are anticipated by, or obvious over, Subbiah

  • Prior Art Relied Upon: Subbiah (UK Application # GB2389010A).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Subbiah discloses every limitation of the independent claims. Subbiah teaches a system for providing network access in a public area (e.g., a mall or airport) that includes a "local domain" (the claimed "shared network") and an "external domain" (e.g., the Internet). Petitioner asserted Subbiah’s "wireless access point" is the claimed "network access controller," which intercepts user requests. This access point determines if a request is for the local or external domain. If an unauthenticated user requests an external resource, Subbiah’s system automatically redirects the user’s browser to a predefined "main Web page" or "splash page" on a local web server. Petitioner contended this splash page is the claimed "pre-authentication capture destination," from which the user is free to access other local network resources.
    • Key Aspects: This ground asserted that the core inventive concept of the ’336 patent—redirecting unauthenticated external requests to a captive portal within a local network—was entirely disclosed in a single prior art reference.

Ground 2: Claims 5-8, 12-15, and 19-20 are obvious over Subbiah in view of Hinton

  • Prior Art Relied Upon: Subbiah (UK Application # GB2389010A) and Hinton (WO 2002/039237).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that these dependent claims add the concept of using an "authentication token" to determine how to redirect a user. Subbiah’s system already distinguishes between a "first time request" and subsequent requests to determine redirection. Hinton was cited for its teaching of a cross-domain authentication system that uses an "authentication token" appended to a URI during an HTTP redirect. The presence or absence of this token in a request is used to determine whether a user needs to undergo an authentication process. Petitioner contended that implementing Subbiah's "first time request" check using Hinton's token-based method met the claim limitations. If the token is present (not a first-time request), the user is redirected to an authentication server (Subbiah's "BURP server"); if absent, the user is redirected to the splash page.
    • Motivation to Combine: Petitioner argued that a person of ordinary skill in the art (POSITA) would combine Hinton's well-known token-based authentication tracking with Subbiah's walled garden system as a straightforward way to implement the session-aware redirection already taught by Subbiah. Using a token or cookie to distinguish between a first and subsequent request was a known and advantageous technique for managing user state, which would have been an obvious design choice to improve Subbiah's system.
    • Expectation of Success: The combination involved applying a standard web technology (tokens in HTTP redirects) to a known network access control system. This integration was technically straightforward and would have yielded the predictable result of more robust session management.
    • Key Aspects: Petitioner also identified Crandell (a 2003 publication) as an alternative reference to Hinton, arguing it taught the use of cookies (as authentication tokens) to track authenticated web sessions and control redirection in a firewall proxy system.

4. Key Claim Construction Positions

  • "pre-authentication capture destination": Petitioner proposed this term means a pre-defined destination, such as a locally hosted web page or "splash page," within a closed network ("walled garden") to which unauthenticated users are confined and redirected.
  • "shared network": Construed as a local network to which an unauthenticated user has access, consistent with the patent's examples of a wireless network in a shopping mall.
  • "anonymous user": Proposed to mean a user who is unknown to the system because they are unauthenticated, consistent with the patent's distinction between "anonymous" and "authenticated" users.
  • "authentication token": Construed as a "unique sequence of characters...within the query portion of a URL" used to trigger redirection to an authentication screen. Petitioner argued that under the patent's disclosure, only the presence or absence of the token is material, not its specific content.

5. Relief Requested

  • Petitioner requests institution of an inter partes review and cancellation of claims 1-20 of the ’336 patent as unpatentable.