Help Center User GuideWhat's New
 
X
User Guide
What's New
Contents  

Unified Policies

Starting in Junos OS Release 18.2R1, unified policies are supported on SRX Series devices, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy. See the Junos 18.2R1 documentation for more details on Unified Policies.

Overview

Note This overview is taken from the SRX Series documentation. The commands listed here are specific to Juniper ATP Cloud, but for a detailed explanation of unified policies and how they work, you should refer to the Junos documentation.

Unified policies are security policies where you can use dynamic applications as match conditions, along with existing 5-tuple or 6-tuple matching conditions, to detect application changes over time, and allow you to enforce a set of rules for the transit traffic. Unified policies allow you to use dynamic applications as one of the policy match criteria in each application.

By adding dynamic application to the matching conditions, the data traffic is classified based on the Layer 7 application inspection results. AppID identifies dynamic or real-time Layer 4-Layer 7 applications, and after a particular application is identified, actions are performed as per the security policy. (Before identifying the final application, if the policy cannot be matched precisely, a potential policy list is made available, and the traffic is permitted using the potential policy from the list.) After the application is identified, the final policy is applied to the session. Policy actions such as permit, deny, reject, or redirect is applied on the traffic as per the policy rules.

Juniper ATP Cloud is supported for unified policies. The set services security-intelligence default-policy and set services advanced-anti-malware default-policy commands are introduced to create default policies for each. During the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list, which contain different security intelligence or anti-malware policies, the SRX Series device applies the default policy until a more explicit match has occurred.

Here are the possible completions for the security intelligence default-policy:

root@host# set services security-intelligence default-policy ?  
Possible completions:
<category>             Name of security intelligence category
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  description          Text description of policy

Here are the possible completions for the anti malware default-policy:

root@host# set services advanced-anti-malware default-policy ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> blacklist-notification  Blacklist notification logging option
> default-notification  Notification action taken for action
> fallback-options     Fallback options for abnormal conditions
> http                 Configure HTTP options
> imap                 Configure IMAP options
> smtp                 Configure SMTP options
  verdict-threshold    Verdict threshold
> whitelist-notification  Whitelist notification logging option
  |                    Pipe through a command

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      
X

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:
Email:

Need product assistance? Contact Juniper Support

Submit