Understanding Unified Policies [Unified Threat Management (UTM)]

Unified policies are now supported on SRX Series devices, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy.

Unified policies are security policies in which you can use dynamic applications as match conditions alongside the existing 5-tuple or 6-tuple (with user firewall) match conditions, so that a policy can follow application changes over time. Unified policies let you enforce a set of rules on transit traffic. A policy is matched on source zone, destination zone, source addresses, destination addresses, and application names; the policies that match these criteria form the list of potential match policies.

The unified policy configuration handles all Application Firewall (AppFW) functionalities and simplifies the task of configuring firewall policy to permit or block application traffic from the network. As part of the unified policy, a new dynamic application policy match condition is added to SRX Series devices, allowing an administrator to more effectively control the behavior of Layer 7 applications.

To accommodate Layer 7 application-based policies in UTM, the [edit security utm default-configuration] hierarchy level is introduced. If a parameter is not configured in a specific UTM feature profile, the corresponding parameter from the UTM default configuration is applied instead.

Additionally, during the initial policy lookup phase, which occurs before a dynamic application has been identified, the potential policy list may contain multiple policies that reference different UTM profiles. In that case the SRX Series device applies the default UTM profile until a more explicit match has occurred.

Understanding Default UTM Policy

A new predefined default UTM policy is available with the factory default configuration to provide a default UTM configuration. This predefined global UTM policy inherits the configuration from the default UTM configuration profile.

If there is an existing UTM policy defined, it will continue to be used to evaluate traffic based on the existing security policy configuration.

When a policy lookup is performed, existing UTM policies are evaluated prior to global policies. The predefined UTM default policy is leveraged if multiple UTM policies exist in the potential policy list during the UTM session creation process.

The predefined UTM default policy parameters are included under the [edit security utm default-configuration] hierarchy level. These parameters are available for the Web filtering, content filtering, antivirus, and antispam profiles. If no UTM feature profile is configured (Web filtering, content filtering, antivirus, or antispam), the parameters in the predefined global UTM configuration are applied.

The predefined UTM default policy is available in [edit groups junos-defaults security utm]. You can modify certain parameters for Web filtering, content filtering, antivirus, and antispam. You can also modify the default UTM profile parameters for the Web filtering, content filtering, antivirus, and antispam feature profiles at [edit security utm default-configuration].
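The following set-format configuration is an added example, not taken from the original page or from Juniper, that ties the two parts of this topic together: a unified security policy that matches a dynamic application and hands the session to a UTM policy, a feature profile that sets only one parameter so that the rest fall back to the default UTM configuration, and an override under [edit security utm default-configuration]. The zone names trust and untrust, the policy names UNIFIED-WEB and UTM-WEB, and the profile name WF-STRICT are illustrative placeholders; junos:HTTP is a predefined Junos application signature. The exact statements accepted under default-configuration depend on the Junos release, so the last line is an assumption to be checked against the CLI on your platform.

```junos
# Feature profile that sets only one parameter (block unclassified URLs).
# Every web-filtering parameter this profile does not set is taken from
# [edit security utm default-configuration], as the text above describes.
set security utm feature-profile web-filtering juniper-enhanced profile WF-STRICT default block

# UTM policy that references the profile. Content filtering, antivirus and
# antispam are intentionally left unconfigured here, so the default
# configuration applies to those features.
set security utm utm-policy UTM-WEB web-filtering http-profile WF-STRICT

# Unified policy: the traditional 5-tuple match plus a dynamic-application
# match condition. Until the application is identified, this policy sits in
# the potential policy list and the default UTM profile is applied.
set security policies from-zone trust to-zone untrust policy UNIFIED-WEB match source-address any
set security policies from-zone trust to-zone untrust policy UNIFIED-WEB match destination-address any
set security policies from-zone trust to-zone untrust policy UNIFIED-WEB match application any
set security policies from-zone trust to-zone untrust policy UNIFIED-WEB match dynamic-application junos:HTTP
set security policies from-zone trust to-zone untrust policy UNIFIED-WEB then permit application-services utm-policy UTM-WEB

# Override a value in the default UTM configuration that profiles fall back
# to when they do not set it (assumed statement; verify on your release).
set security utm default-configuration web-filtering type juniper-enhanced
```

After commit, `show security policies policy-name UNIFIED-WEB detail` shows the dynamic-application match and the attached UTM policy, which is the quickest way to confirm that the policy really is a unified policy and not a plain 5-tuple rule with UTM bolted on. Keeping the explicit profile minimal and putting organization-wide defaults under default-configuration is the defensive pattern this topic enables: a new feature profile that forgets a parameter inherits the hardened default rather than silently running with no setting at all.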
