Unified Policy Overview

By adding dynamic applications to the match criteria, the data traffic is classified based on the Layer 7 application inspection results. Application ID (AppID) identifies dynamic or real-time Layer 4 through Layer 7 applications. After an application is identified and the matching policy is found, then the actions such as permit, deny, reject, or deny and redirect are applied according to the policy.

A unified policy leverages the information from AppID to match the application and take action as specified in the firewall policy. In an unified policy configuration, you can use a predefined dynamic application or a user-defined custom application from the application identification signature package as match condition.

You can configure an unified policy with dynamic application options such as none, include any service, and include specific. When you configure a value for dynamic application other than none, the default value of service is junos-defaults.

The junos-defaults group contains preconfigured statements that include predefined values for common applications. As the default protocols and ports are inherited from junos-defaults, there is no requirement to explicitly configure the ports and protocols, thus simplifying the security policy configuration. If the application does not include default ports and protocols, then the application uses the default ports and protocols of the dependent application. The junos-defaults option must be configured along with a dynamic application. If you configure the junos-defaults option without specifying any dynamic application, then an error message is displayed.

A redirect profile can be configured within an unified policy. When a policy blocks HTTP or HTTPS traffic with a deny and reject action, you can define a response in an unified policy to notify the connected clients. When you configure the redirect option, you can specify the custom message or the URL to which the client is redirected.

Starting in Junos Space Security Director Release 19.3R1, you can assign IPS policy to the unified firewall policy rule. The CLI is generated for the IPS policy along with the unified firewall policy (to which the IPS policy is assigned) for devices with Junos OS Release 18.2 onward. The IPS policy name is directly used in the firewall policy rule, therefore the [edit security idp active-policy policy-name] statement is deprecated in Junos OS Release 18.2 onward. You can import and convert the deprecated active policy CLI into a new CLI from Security Director. You can import the IPS policy for the deprecated active-policy for Junos OS version 18.2 and later. After the IPS policy is imported, the rules associated with the firewall policy for the device is updated with IPS policy details. On subsequent update from Security Director, you can see the new firewall policy CLIs, in preview, to attach IDP and the same can be updated to device.