Unified Policy Overview
Unified policies are security policies that let you use dynamic applications as match conditions, alongside the existing 5-tuple or 6-tuple (with user firewall) match conditions, so that the policy can follow application changes over time. If the traffic matches the security policy rule, one or more actions defined in the policy are applied to the traffic.
By adding dynamic applications to the match criteria, the data traffic is classified based on the Layer 7 application inspection results. Application ID (AppID) identifies dynamic or real-time Layer 4 through Layer 7 applications. After an application is identified and the matching policy is found, then the actions such as permit, deny, reject, or deny and redirect are applied according to the policy.
A unified policy uses the information from AppID to match the application and take the action specified in the firewall policy. In a unified policy configuration, you can use a predefined dynamic application or a user-defined custom application from the application identification signature package as the match condition.
Configuring dynamic applications as match criteria in a security policy is not mandatory.
You can configure a unified policy with dynamic application options such as none, include any service, and include specific. When you configure a value for dynamic application other than none, the default value of service is junos-defaults.
The junos-defaults group contains preconfigured statements that include predefined values for common applications. As the default protocols and ports are inherited from junos-defaults, there is no requirement to explicitly configure the ports and protocols, thus simplifying the security policy configuration. If the application does not include default ports and protocols, then the application uses the default ports and protocols of the dependent application. The junos-defaults option must be configured along with a dynamic application. If you configure the junos-defaults option without specifying any dynamic application, then an error message is displayed.
A redirect profile can be configured within a unified policy. When a policy blocks HTTP or HTTPS traffic with a deny or reject action, you can define a response in the unified policy to notify the connected clients. When you configure the redirect option, you can specify the custom message or the URL to which the client is redirected.
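The following is an added example, not configuration from this page or from Juniper, showing how the pieces described above fit together on an SRX in set-command form: a unified policy that matches a dynamic application and therefore inherits ports and protocols from junos-defaults, a redirect profile attached to its reject action, and an ordinary 5-tuple policy with no dynamic application. The zone names (trust, untrust), policy and profile names, the chosen dynamic application and the redirect URL are assumptions; the statement syntax follows the Junos SRX CLI as the editor knows it and should be checked against the release in use.

```junos
# Added example (not from the page). Zone names, policy/profile names, the
# dynamic application and the URL are assumptions; lines starting with # are comments.

# Policy 1: block one dynamic application. Because a dynamic application is
# configured, the service is junos-defaults, so ports and protocols are inherited
# from the predefined defaults instead of being listed by hand.
set security policies from-zone trust to-zone untrust policy block-fb match source-address any
set security policies from-zone trust to-zone untrust policy block-fb match destination-address any
set security policies from-zone trust to-zone untrust policy block-fb match application junos-defaults
set security policies from-zone trust to-zone untrust policy block-fb match dynamic-application junos:FACEBOOK-ACCESS
set security policies from-zone trust to-zone untrust policy block-fb then reject profile notify-user

# Redirect profile referenced by the reject action above: rejected HTTP/HTTPS
# clients are redirected to a URL (placeholder value). To return a message
# instead of redirecting, use "redirect-message type custom-text content <text>".
set security dynamic-application profile notify-user redirect-message type redirect-url content http://blockpage.example.invalid

# Policy 2: a plain 5-tuple rule with no dynamic application. junos-defaults is
# only valid together with a dynamic application (the commit is rejected with an
# error otherwise), so the services are named explicitly here.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit
```

Policies are evaluated in order within a zone pair, so the application-aware reject rule is placed before the broader permit rule. After `commit`, `show security policies detail` lists each policy with its dynamic-application match and the attached redirect profile, which is the quickest way to confirm that junos-defaults was applied as the service and that the profile reference resolved.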