Unified Policy Overview
Unified policies are security policies that enable you to use the dynamic applications as match conditions along with the existing 5-tuple or 6-tuple (with user firewall) match conditions to detect application changes over time. If the traffic matches the security policy rule, one or more actions defined in the policy are applied to the traffic.
By adding dynamic applications to the match criteria, the data traffic is classified based on the Layer 7 application inspection results. Application ID (AppID) identifies dynamic or real-time Layer 4 through Layer 7 applications. After an application is identified and the matching policy is found, then the actions such as permit, deny, reject, or deny and redirect are applied according to the policy.
A unified policy leverages the information from AppID to match the application and take action as specified in the firewall policy. In an unified policy configuration, you can use a predefined dynamic application or a user-defined custom application from the application identification signature package as match condition.
Configuring dynamic applications as match criteria in a security policy is not mandatory.
You can configure an unified policy with dynamic application options such as none, include any service, and include specific. When you configure a value for dynamic application other than none, the default value of service is junos-defaults.
The junos-defaults group contains preconfigured statements that include predefined values for common applications. As the default protocols and ports are inherited from junos-defaults, there is no requirement to explicitly configure the ports and protocols, thus simplifying the security policy configuration. If the application does not include default ports and protocols, then the application uses the default ports and protocols of the dependent application. The junos-defaults option must be configured along with a dynamic application. If you configure the junos-defaults option without specifying any dynamic application, then an error message is displayed.
A redirect profile can be configured within an unified policy. When a policy blocks HTTP or HTTPS traffic with a deny and reject action, you can define a response in an unified policy to notify the connected clients. When you configure the redirect option, you can specify the custom message or the URL to which the client is redirected.
Starting in Junos Space Security Director Release 19.3R1, you can assign IPS policy to the unified firewall policy rule. The CLI is generated for the IPS policy along with the unified firewall policy (to which the IPS policy is assigned) for devices with Junos OS Release 18.2 onward. The IPS policy name is directly used in the firewall policy rule, therefore the [edit security idp active-policy policy-name] statement is deprecated in Junos OS Release 18.2 onward. You can import and convert the deprecated active policy CLI into a new CLI from Security Director. You can import the IPS policy for the deprecated active-policy for Junos OS version 18.2 and later. After the IPS policy is imported, the rules associated with the firewall policy for the device is updated with IPS policy details. On subsequent update from Security Director, you can see the new firewall policy CLIs, in preview, to attach IDP and the same can be updated to device.
In a device with Junos OS Release 18.2, you must assign same IPS policy to all the rules in the firewall policy, otherwise commit fails.
In a device with Junos OS Release 18.3 onward, you can assign different IPS policy to the rules in the firewall policy. You must set a default IDP policy, otherwise commit fails.