Fortinet, Inc. v. Palo Alto Networks, Inc.

753 F. Supp. 2d 1024 (2010)

FORTINET, INC., Plaintiff,
v.
PALO ALTO NETWORKS, INC., Defendants.

No. C-09-00036 RMW.

United States District Court, N.D. California, San Jose Division.

November 8, 2010.

*1026 Ariana M. Chung-Han, Wilson Sonsini Goodrich & Rosati, San Francisco, CA, James Chung-Yul Yoon, Michael A. Ladra, Robin Lynn Brewer, Stefani Elise Shanberg, Wilson Sonsini Goodrich & Rosati, Palo Alto, CA, for Plaintiff.

Daralyn J. Durie, Ragesh K. Tangri, Joseph Charles Gratz, Ryan Marshall Kent, Durie Tangri LLP, San Francisco, CA, for Defendants.

ORDER CONSTRUING CLAIMS OF THE '125 AND '311 PATENTS AND GRANTING IN PART AND DENYING IN PART PAN'S MOTION FOR SUMMARY JUDGMENT OF NONINFRINGEMENT

RONALD M. WHYTE, District Judge.

Fortinet, Inc. ("Fortinet") alleges that Palo Alto Networks, Inc. ("PAN")'s PA-4000 Series, PA-2000 Series, and PA-500 Series Firewalls infringe claims 1 through 4 of United States Patent No. 7,376,125 ("'125 Patent") and claims 1 through 16 of United States Patent No. 7,177,311 ("'311 Patent"). The parties seek construction of claim language in the '125 and '311 Patents. PAN moves for summary judgment that the accused products do not infringe the asserted claims of the '125 and '311 Patents. The court held a tutorial and claim construction hearing on July 20, 2010. After consideration of the claims, specification, prosecution history, and other relevant evidence, and after hearing the argument of the parties, the court construes the disputed claim language in the '125 and '311 Patents as set forth below. In addition, for the reasons set forth below, the court grants in part and denies in part the motion for summary judgment of non-infringement.

I. BACKGROUND

This case deals with firewall technology. Firewalls control network traffic traveling between networks or zones of different trust levels, such as between the Internet and a local area network ("LAN"). Dkt. No. 146 ¶ 12. In order to protect a LAN from undesirable content, such as viruses and spam, firewalls analyze incoming and outgoing network traffic. Id. ¶ 15. Network traffic consists of packets of data. Because analyzing each individual packet can be expensive, some firewalls will analyze a flow. Id. ¶ 30. A flow consists of all packets having the same source and the same endpoint. Id. A session consists of two flows, one including all packets having source A and endpoint B, and the other including all packets having source B and endpoint A. Id.

The '125 Patent teaches a system and method that involves: (1) establishing a *1027 flow cache for storing information learned from previous packets about how packets in a flow should be treated, (2) receiving a packet, (3) forwarding the packet to a virtual routing engine, and (4) using the flow cache to determine whether the packet requires processing by a virtual service engine. Similarly, the '311 Patent teaches a system and method that involves: (1) establishing a flow cache for storing information learned from previous packets about how packets in a flow should be treated, (2) receiving a packet, and (3) using the flow cache to determine whether to software forward or hardware forward the packet. For illustrative purposes, the language in claim 1 of the '125 Patent is set forth below:

A method comprising:

establishing a flow cache having a plurality of entries each identifying one of a plurality of virtual router (VR) flows through a VR-based network device and corresponding forwarding state information;
receiving a packet at an input port of a line interface module of the VR-based network device;
the line interface module forwarding the packet to a virtual routing engine (VRE);
the VRE determining one or more appropriate packet transformations for application to the packet by performing flow-based packet classification on the packet;
using a result of the flow-based packet classification to retrieve an entry of a plurality of entries of the flow cache; on a flow cache hit, determining, based on the corresponding forwarding state information of the retrieved flow cache entry, whether to process the packet with a virtual service engine (VSE) of the VR-based network device;
on a packet flow cache miss, identifying the existence of a new VR flow and upon successful allocation of a new entry of the packet flow cache for the new VR flow, forwarding the packet to software on the processor for flow learning.

'125 Patent 15:61-16:17.

The accused products are PAN's PA-4000 Series, PA-2000 Series, and PA-500 Series Firewalls. [Redacted]

II. CLAIM CONSTRUCTION

The '125 and '311 Patent applications were filed concurrently, and their specifications are incorporated into one another by reference. See '125 Patent 1:24-30; '311 Patent 1:14-35. Hence, the parties agree that claim terms should be construed as having the same meaning in both patents. The parties seek construction of the following claim terms in bold: "upon successful allocation of a new entry of the packet flow cache for the new VR flow, forwarding the packet to software on the processor for flow learning." '125 Patent 16:14-17 (claim 1), 16:45-48 (claim 3), 17:7-18:3 (claim 5); '311 Patent 15:25-28 (claim 1), 16:32-35 (claim 9), 17:43-46 (claim 17).

Initially, the parties disputed the proper construction of both "upon successful allocation of a new entry . . . for the new VR flow" and "flow learning." However, the parties have since reached agreement regarding the meaning of these terms. At the claim construction hearing on July 20, 2010, the parties agreed that "upon successful allocation of a new entry . . . for the new VR flow" should be construed as meaning: after successful assignment of a new entry identifying the new VR flow. The parties also agreed that "flow learning" means determining *1028 how packets in the flow should be treated. The court thus adopts these constructions.

The parties' proposed constructions for the remaining terms in dispute are set forth below:

------------------------------------------------------------------------------------------------
                              FORTINET'S                             PAN'S
CLAIM LANGUAGE           PROPOSED CONSTRUCTION                 PROPOSED CONSTRUCTION
------------------------------------------------------------------------------------------------
"packet flow cache"   Memory for temporarily storing      An intermediate memory location
                      information about packet flows.     temporarily storing information
                                                          about a subset of packet
                                                          flows for rapid access.
------------------------------------------------------------------------------------------------
"forwarding"          Passing by value or by reference.   Physically moving from one location
                                                          to another.
------------------------------------------------------------------------------------------------
"the processor"       Plain meaning.                      A separate processor.
------------------------------------------------------------------------------------------------

A. "Packet Flow Cache"

In its supplemental briefing, Fortinet asserts for the first time that "flow cache" is a term of art in virtual routing but fails to point to any evidence suggesting that a "flow cache," as understood by one of ordinary skill in the art of virtual routing, refers to something other than a cache used for flows. See Dkt. No. 213 n. 11; Dkt. No. 214 ¶ 17. In the absence of any evidence suggesting that the inventor sought to use the term "cache" in a manner different from its ordinary and customary meaning, the court concludes that a "packet flow cache," as used in the '125 and '311 Patents, refers to a cache used for packet flows.

The parties agree that "cache" refers to memory for temporary storage of information. PAN argues that, in addition, "cache" necessarily refers to an intermediate memory location, separate from main memory, that permits faster access than would be possible from main memory. "Cache" is used in the '311 Patent in a manner consistent with PAN's construction requiring it to be separate from main memory. See '311 Patent 4:29-5:6, Figs. 1, 2 (depicting memory 114 separate from the Packet Forwarding Engine 110 which contains cache 212). However, based on intrinsic evidence alone, it remains unclear whether a "cache" necessarily must be separate from main memory.

Although extrinsic evidence is generally less reliable than intrinsic evidence, "because extrinsic evidence can help educate the court regarding the field of the invention and can help the court determine what a person of ordinary skill in the art would understand claim terms to mean, it is permissible for the district court in its sound discretion to admit and use such evidence." Phillips v. AWH Corp., 415 F.3d 1303, 1319 (Fed.Cir.2005). In particular, technical dictionaries "have been properly recognized as among the many tools that can assist the court in determining the meaning of particular terminology to those of skill in the art of the invention." Id. at 1318. The court therefore considers the dictionary definitions offered by the parties.

The Comprehensive Dictionary of Electrical Engineering defines "cache" as:

an intermediate memory store having storage capacity and access times somewhere in between the general register set and main memory. The cache is usually invisible to the programmer, and its effectiveness comes from being able to exploit program locality to anticipate memory-access patterns and to hold closer to the CPU: most accesses to main memory can be satisfied by the cache, thus making main memory appear faster than it actually is.

*1029 Dkt. No. 84 Ex. 10. Similarly, the glossary of the "Official (ISC)2 Guide to the CISSP Exam" defines "cache" as:

a special high-speed storage mechanism. It can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching. A memory cache, sometimes called a cache store or RAM cache, is a portion of memory made of high-speed static RAM (SRAM) instead of the slower and cheaper dynamic RAM (DRAM) used for main memory. Memory caching is effective because most programs access the same data or instructions over and over. Disk caching works under the same principle as memory caching, but instead of using high-speed SRAM, a disk cache uses conventional main memory. When data is found in the cache, it is called a cache hit, and the effectiveness of a cache is judged by its hit rate.

Dkt. No. 192 Ex. K. This latter definition elaborates that a "cache" can be either: (1) entirely separate from main memory (as an independent high-speed storage device) or (2) in a special reserved section of main memory (for example, using high-speed static RAM instead of the slower dynamic RAM generally used for main memory). However, both sources agree that a "cache" allows faster access than would be available with a cache-less main memory. These dictionary definitions thus provide strong evidence that one of ordinary skill in the art would understand the ordinary and customary meaning of "cache" to be a memory location for temporarily storing information that allows faster access than would be available from main memory generally.

According to PAN, the information stored in a "packet flow cache" is limited to information about a subset of packet flows. However, PAN has not provided any basis for such a limitation. The court therefore declines to impose this limitation and construes "packet flow cache" to mean a memory location for temporary storage of information about packet flows, either separate from main memory or in a reserved section of main memory, allowing faster access than would be available from main memory generally.

B. "Forwarding"

There are two ways to pass a data structure, such as a packet, to software for analysis: passing by value and passing by reference. Dkt. No. 214 ¶ 7. Passing by value refers to copying the entire data structure to a new location, while passing by reference means sending only the address of the data structure. Id. Both methods of passing a data structure to software are basic concepts in computer programming and would be known to a person having ordinary skill in the art. Id.

Fortinet contends that "forwarding the packet to software on the processor" means passing the packet either by value or by reference to software on the processor. PAN states that "forwarding" requires physical movement of the packet from one location to another. However, technically, neither passing by value nor passing by reference involves physical movement of the original packet. Dkt. No. 214 ¶ 7. Based on PAN's papers, it appears that PAN's position is that "forwarding" requires passing by value and does not include passing by reference. See Dkt. No. 2107 n. 5. The court thus considers whether "forwarding" requires copying the entire packet to a new location as opposed to merely sending the address of the packet.

*1030 Fortinet's expert explains in his declaration that a person having ordinary skill in the art would understand that packets may be passed to software either by reference or by value. See Dkt. No. 214 ¶¶ 6, 7, 14. This fact is undisputed. However, the question before the court is whether "forwarding," as used in the '125 and '311 Patents, requires passing by value as opposed to passing by reference. Based on the specification, the "single best guide to the meaning of the disputed term," Phillips, 415 F.3d at 1315, the court finds that it does.

It is undisputed that "forwarding" is used in various parts of the '125 and '311 Patents to describe passing by value and not passing by reference. See Dkt. No. 213 at 4 n. 6 (Fortinet concedes that "forwarding" is used at times throughout the '125 and '311 Patents to describe sending packets from a source to a destination). For example, Figure 12 of the '125 Patent, which contains a flow diagram illustrating an embodiment of the claimed packet forwarding process, uses the words "forwarding" and "forward" when referring to copying the packet to its final destination. See '125 Patent Fig. 12. The '125 Patent specification also discusses how to address the problems involved in copying entire packets to a new location, such as bottlenecks based on inefficient use of memory bandwidth and the need to build in reliability checks that prevent bad packets from being propagated more than once. See '125 Patent 9:45-63, 10:21-25. Similarly, the '311 Patent specification addresses how to deal with problems that occur when passing packets by value, such as maintaining packet order. See '311 Patent 10:5-20.

Despite the various instances in the patents where it is clear that "forwarding" is used to describe copying an entire packet to a new location, Fortinet asserts that "forwarding," when used in the context of "forwarding the packet to software on the processor for flow learning," includes passing by reference. See Dkt. No. 213 at 4 n. 6. When the same word or phrase is used in the same patent, it should be interpreted consistently, unless there is reason to believe the word or phrase was intended to have a different meaning in different contexts. See Epcon Gas Sys. Inc. v. Bauer Compressors, Inc., 279 F.3d 1022, 1031 (Fed.Cir.2002) ("a word or phrase used consistently throughout a claim should be interpreted consistently"). In this case, Fortinet has not established any reason to believe that "forwarding" was used in a different manner in different parts of the patents. The court therefore interprets "forwarding" consistently throughout the '125 and '311 Patents to mean passing by value (i.e. copying a packet in its entirety to another location).
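The distinction the court draws can be seen in a short C sketch, added here as an illustration that is not part of the order, the patents, or either party's code. It follows the miss path in the claim language (lookup, allocation of a new entry, hand-off, flow learning) and hands the packet to flow learning either by value or by reference; the direct-mapped table, the source/endpoint key, every identifier, and the 0xEE "needs service" rule are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration: every name and the 0xEE policy are hypothetical. */
#define CACHE_SLOTS 64
#define MAX_PKT 128

struct packet { uint32_t src, dst; size_t len; uint8_t data[MAX_PKT]; };
struct flow_entry { int in_use; uint32_t src, dst; int needs_service; };
struct learn_job {
    struct flow_entry *entry;
    const struct packet *pkt;   /* what flow learning reads */
    struct packet *owned;       /* non-NULL only when the job holds a copy */
};

static struct flow_entry flow_cache[CACHE_SLOTS];

static struct flow_entry *slot_for(uint32_t src, uint32_t dst) {
    return &flow_cache[((src * 2654435761u) ^ dst) % CACHE_SLOTS];
}

/* Cache hit returns the entry for this source/endpoint pair; a miss returns NULL. */
static struct flow_entry *flow_lookup(uint32_t src, uint32_t dst) {
    struct flow_entry *e = slot_for(src, dst);
    return (e->in_use && e->src == src && e->dst == dst) ? e : NULL;
}

/* Allocation of a new entry for a new flow; fails if another flow holds the slot. */
static struct flow_entry *flow_alloc(uint32_t src, uint32_t dst) {
    struct flow_entry *e = slot_for(src, dst);
    if (e->in_use) return NULL;
    e->in_use = 1; e->src = src; e->dst = dst; e->needs_service = 0;
    return e;
}

/* Passing by value: the whole packet is copied to a new location. */
static int handoff_by_value(struct learn_job *job, struct flow_entry *e,
                            const struct packet *p) {
    struct packet *copy = malloc(sizeof *copy);
    if (!copy) { e->in_use = 0; return -1; }   /* release the entry on failure */
    memcpy(copy, p, sizeof *copy);
    job->entry = e; job->pkt = copy; job->owned = copy;
    return 0;
}

/* Passing by reference: only the address of the packet is sent. */
static void handoff_by_reference(struct learn_job *job, struct flow_entry *e,
                                 const struct packet *p) {
    job->entry = e; job->pkt = p; job->owned = NULL;
}

/* Flow learning: decide how packets in the flow should be treated. */
static void flow_learn(struct learn_job *job) {
    job->entry->needs_service = (job->pkt->len > 0 && job->pkt->data[0] == 0xEE);
    free(job->owned);
    job->owned = NULL;
}

/* Returns 1 on a cache hit, 0 on a miss with the hand-off done, -1 on failure. */
static int receive_packet(const struct packet *p, int by_value, struct learn_job *job) {
    struct flow_entry *e = flow_lookup(p->src, p->dst);
    if (e) return 1;
    e = flow_alloc(p->src, p->dst);            /* allocation comes first */
    if (!e) return -1;
    if (by_value) return handoff_by_value(job, e, p);
    handoff_by_reference(job, e, p);
    return 0;
}

/* Constructed scenario: the receive buffer is overwritten between the hand-off
 * and flow learning. Returns the treatment that flow learning recorded. */
int learn_after_buffer_reuse(int by_value) {
    struct packet rx = { .src = 0x0A000001, .dst = 0x0A000002, .len = 1 };
    struct learn_job job = {0};
    memset(flow_cache, 0, sizeof flow_cache);
    rx.data[0] = 0xEE;
    if (receive_packet(&rx, by_value, &job) != 0) return -1;
    rx.data[0] = 0x00;                         /* buffer reused by later traffic */
    flow_learn(&job);
    return flow_lookup(rx.src, rx.dst)->needs_service;
}

/* A later packet of the same flow is a cache hit and skips flow learning. */
int second_packet_hits(void) {
    struct packet next = { .src = 0x0A000001, .dst = 0x0A000002, .len = 0 };
    struct learn_job job = {0};
    if (learn_after_buffer_reuse(1) != 1) return -1;
    return receive_packet(&next, 1, &job);
}

int main(void) {
    printf("by value: %d, by reference: %d, second packet hit: %d\n",
           learn_after_buffer_reuse(1), learn_after_buffer_reuse(0),
           second_packet_hits());
    return 0;
}
```

With the copy, flow learning sees the packet as it was at hand-off; with the address alone, it sees whatever the buffer holds when it runs.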

C. "The Processor"

The term "the processor" is used in the following context: "upon successful allocation of a new entry of the packet flow cache for the new VR flow, forwarding the packet to software on the processor for flow learning." '125 Patent 16:14-17 (claim 1), 16:45-48 (claim 3), 17:7-18:3 (claim 5); '311 Patent 15:25-28 (claim 1), 16:32-35 (claim 9), 17:43-46 (claim 17). Fortinet takes the position that "the processor" needs no construction. PAN argues that "the processor" should be construed as "a separate processor" because in order for a packet to be forwarded, it must be sent from one location to a separate location. As discussed above, the court agrees that forwarding entails copying a packet from one place to another place. However, PAN's proposed construction goes further and requires that the packet be sent from one processor to a second processor, rather than from one *1031 part of the processor that allocates entries in the flow cache to another part of the same processor that has software for flow learning. PAN has not provided sufficient evidence to support such an interpretation of the claims.

The language of the claims does not support a construction that requires two separate processors. To the contrary, the language in claim 3 of the '125 Patent and claim 9 of the '311 Patent establishes that the claims may be met with a single processor. The '125 Patent claims "[a]n article of manufacture comprising a computer-readable medium encoded with one or more computer programs, which when executed by one or more processors of a virtual router (VR)-based network device cause the one or more processors to perform [the claimed] method." '125 Patent 16:20-24 (emphasis added). Similarly, the '311 Patent claims "[a] computer-readable medium having stored thereon instructions, which when executed by one or more processors cause the one or more processors to perform [the claimed] method." '311 Patent 16:6-9 (emphasis added). The claimed method includes the step of "forwarding the packet to software on the processor for flow learning." '125 Patent 16:47-48; '311 Patent 16:34-35 (emphasis added). PAN takes the position that this claim language does not preclude requiring the packet to be forwarded to a separate processor because the claimed method—which the claims expressly state may be performed by "one or more processors"—only encompasses the forwarding step, not the flow learning step, which it contends must occur on a separate processor. However, the term "the processor" has an antecedent basis in these claims. When read in the context of the claims as a whole, "the processor" clearly refers to the "one or more processors" described earlier in the same claim. Accordingly, the claim language makes clear that the claims do not require forwarding of packets to a second processor that is separate from the processor that allocates entries in the packet flow cache.

PAN points to the fact that the '125 and '311 Patent specifications contain embodiments of the invention that use multiple processors, with one processor (or set of processors) classifying packets and allocating new entries in the packet flow cache before forwarding packets to software on a separate processor. See '311 Patent 4:41-5:26, Figs. 1, 2 (packet processors 206 in the Process Forwarding Engine classifies packets and allocates new entries in the packet flow cache before forwarding packets to software on a separate processor 112); '125 Patent 11:22-58, Fig. 4 (Virtual Routing Processor 30 classifies packets before forwarding packets to software on the CPU 34). While these embodiments demonstrate that the invention may be practiced using separate processors for these different steps, they do not establish that the invention is limited in this manner. Although claim language should be read in light of the specification, it is a basic tenet of claim construction that the court may not import limitations from the specification into the claims. Phillips, 415 F.3d at 1323. In particular, the Federal Circuit has repeatedly warned against confining the claims to specific embodiments of the invention in the specification. Id.

The court therefore rejects PAN's proposed construction of "a separate processor" and finds that "the processor" has its plain meaning.

III. NON-INFRINGEMENT

Each of the asserted claims in the '125 and '311 Patents contains the following claim language or is dependent upon a claim with the following claim language: *1032 "on a packet flow cache miss, identifying the existence of a new VR flow and upon successful allocation of a new entry of the packet flow cache for the new VR flow, forwarding the packet to software on the processor for flow learning." See, e.g., '125 Patent 16:13-17. For the purposes of non-infringement analysis, the parties focus on three limitations required by this claim language. First, the accused products must meet the requirements of a "packet flow cache." Second, since "upon successful allocation of a new entry" means after successful assignment of a new entry, flow learning must occur after successful assignment of a new entry. Third, since "forwarding" means passing by value, the entire packet must be copied to software on the processor for flow learning. PAN argues that its accused products do not meet these three limitations.

A. "Packet Flow Cache" Limitation

In Fortinet's most recently amended infringement contentions, Fortinet alleges that the [Redacted] However, the court has construed "packet flow cache" to mean a memory location for temporary storage of information about packet flows, either separate from main memory or in a reserved section of main memory, allowing faster access than would be available from main memory generally. [Redacted]

B. Sequential Limitation

The parties agree that "upon successful allocation of a new entry" means after successful assignment of a new entry. Consequently, the claims contain the following sequential limitation: flow learning must take place after successful assignment of a new entry in the packet flow cache. [Redacted][1] Consequently, the court finds that there remains a genuine issue of material fact regarding whether this sequential limitation is met in the accused products.

C. "Forwarding" Limitation

The asserted claims require "forwarding the packet to software on the processor for flow learning" after allocation of a new entry of the packet flow cache. See, e.g., '125 Patent 16:13-17. The court has construed "forwarding" to mean passing by value, which requires the entire packet to be copied to software on the processor for flow learning. Accordingly, in order for the accused products to meet the "forwarding" limitation, they must copy the entire packet to software on the processor. In addition, since the claims require forwarding to occur between allocation of a new entry and flow learning, the accused products must pass the packet by value after allocation of a new [Redacted]

[Redacted] Since the packet is not copied to software for flow learning, Fortinet has failed to show that the accused products meet the "forwarding" limitation.[2] The court therefore grants PAN's motion for summary adjudication that the accused products do not literally infringe the asserted claims of the '125 and '311 Patents.

Fortinet argues that even if the accused products do not literally infringe, they infringe under the doctrine of equivalents. PAN contends that Fortinet's equivalents argument would effectively eliminate the "forwarding" limitation in its *1033 entirety. Under the "all elements rule," the doctrine of equivalents cannot be invoked if it would vitiate an entire claim limitation. See Asyst Techs., Inc. v. Emtrak, Inc., 402 F.3d 1188, 1195 (Fed.Cir. 2005). However, this rule typically applies where the limitation is binary in nature, e.g. even and odd or "mounted" and "unmounted." See id. In this case, the "forwarding" limitation is not binary in nature. [Redacted] The court finds that the asserted equivalent does not vitiate the "forwarding" limitation in its entirety.

PAN also argues that Fortinet is barred from asserting infringement under the doctrine of equivalents by prosecution history estoppel. Prosecution history estoppel bars a patentee from recovering, under the doctrine of equivalents, subject matter that was surrendered by narrowing amendment of the claims during patent prosecution if the amendment was made to secure the patent. See Honeywell Int'l v. Hamilton Sundstrand Corp., 370 F.3d 1131, 1139 (Fed.Cir.2004). In the absence of an established explanation for amending the claim, courts are to presume that amendment was for the purpose of patentability. See Warner-Jenkinson Co. v. Hilton Davis Chem. Co., 520 U.S. 17, 33, 117 S. Ct. 1040, 137 L. Ed. 2d 146 (1997). When a patentee adds a new, narrower claim and cancels its original, broader claim, this has the same effect as a narrowing amendment—narrowing of claim scope—and thus is treated the same for the purposes of prosecution history estoppel. See Honeywell, 370 F.3d at 1144 (applying prosecution history estoppel where a claim was rewritten from dependent into independent form, and the original claim was cancelled).

In this case, in response to the examiner's rejection of its original claims, the patentee added new, narrower claims and cancelled its original, broader claims. See Dkt. No. 80 Ex. C at 4-7 (addition of new claims in '311 Patent application); id. Ex. J at 2 (cancellation of original claims in '311 Patent application); id. Ex. E at 1 (allowing new claims in '311 Patent application); id. Ex. G at 6-7 (addition of new claims in '125 Patent application); id. Ex. K at 2 (cancellation of original claims in '125 Patent application); id. Ex. F at 1 (allowing new claims in '125 Patent application). Fortinet has not rebutted the presumption that the narrowing of claim scope was done for purposes of patentability, and thus prosecution history estoppel may be applicable.

However, prosecution history estoppel is applied on a limitation-by-limitation basis. See Honeywell, 370 F.3d at 1144. The patentee is only presumed to have disclaimed the territory between the original, broader claim and the new, narrower claim. See id. ("the presumption of surrender applies only to the amended or newly added limitation; there is no surrender of territory as to unamended limitations that were present in the original claim"). Thus, in order to determine whether Fortinet is barred from using the doctrine of equivalents to meet the "forwarding" limitation, the court must first determine whether the "forwarding" limitation was present in the original claim. The original claims in the '125 and '311 Patent applications used the words "routing" and "steering" rather than "forwarding." See Dkt. No. 80 Ex. C at 4; id. Ex. G at 4-6. Whether "forwarding" is narrower in scope than "routing" or "steering" is not addressed in the parties' briefs. The court therefore denies without prejudice PAN's motion for summary adjudication that Fortinet is barred from asserting infringement under the doctrine of equivalents.

D. Further Discovery

Fortinet argues that summary judgment should be denied pursuant to *1034 Federal Rule of Civil Procedure 56(f). Rule 56(f) provides that the court may deny a motion for summary judgment or order a continuance to allow further discovery if a party opposing a summary judgment motion "shows by affidavit that, for specified reasons, it cannot present facts essential to justify its opposition." Fed.R.Civ.P. 56(f). Fortinet has not shown that, for specified reasons, it is unable to present facts essential to opposing PAN's summary judgment motion. The court thus declines to deny or postpone PAN's motion for summary judgment in order to allow further discovery.

IV. ORDER

For the foregoing reasons, the court construes the claim language and grants in part and denies in part PAN's motion for summary judgment of non-infringement as set forth below:

-------------------------------------------------------------------------------------------------
CLAIM LANGUAGE                                CONSTRUCTION
-------------------------------------------------------------------------------------------------
"upon successful allocation    After successful assignment of a new entry identifying the new
of a new entry . . .           VR flow.
for the new VR flow"
-------------------------------------------------------------------------------------------------
"packet flow cache"            A memory location for temporary storage of information about
                               packet flows, either separate from main memory or in a reserved
                               section of main memory, allowing faster access than would be
                               available from main memory generally.
-------------------------------------------------------------------------------------------------
"forwarding"                   Passing by value (i.e. copying a packet in its entirety to another
                               location).
-------------------------------------------------------------------------------------------------
"the processor"                Plain meaning (not limited to a separate processor).
-------------------------------------------------------------------------------------------------
"flow learning"                Determining how packets in the flow should be treated.
-------------------------------------------------------------------------------------------------

1. The court grants PAN's motion for summary adjudication that the accused products do not literally infringe the asserted claims of the '125 and '311 Patents.
2. The court denies without prejudice PAN's motion for summary adjudication that Fortinet is barred from asserting infringement of the '125 and '311 Patents under the doctrine of equivalents.

NOTES

[1] Fortinet later takes the position that flow learning does not begin until after line 1011, as discussed in the section on the "forwarding" limitation. Regardless, the pan_session_alloc function is performed first.

[2] As PAN points out, line 1011 does not even entail passing the packet by reference since the address of the fkey, rather than the address of the packet, is sent to software.