Unified Policies for Juniper ATP Cloud
Starting in Junos OS Release 18.2R1, unified policies are supported on SRX Series Firewalls, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy. See the Junos 18.2R1 documentation for more details on Unified Policies.
Overview
This overview is taken from the SRX Series documentation. The commands listed here are specific to Juniper ATP Cloud, but for a detailed explanation of unified policies and how they work, you should refer to the Junos documentation.
Unified policies are security policies in which dynamic applications can be used as match conditions alongside the existing 5-tuple or 6-tuple match conditions, so that application changes are detected over time and a set of rules is enforced on transit traffic. In other words, unified policies let you use a dynamic application as one of the match criteria of each policy.
By adding a dynamic application to the match conditions, data traffic is classified according to the results of Layer 7 application inspection. AppID identifies dynamic or real-time Layer 4 to Layer 7 applications, and once a particular application has been identified, actions are taken as specified by the security policy. (Before the final application is identified, if no policy can be matched precisely, a potential policy list is built and the traffic is permitted using a potential policy from that list.) After the application is identified, the final policy is applied to the session. Policy actions such as permit, deny, reject, or redirect are applied to the traffic according to the policy rules.
Juniper ATP Cloud is supported for unified policies. The set services security-intelligence default-policy and set services advanced-anti-malware default-policy commands are introduced to create a default policy for each service. During the initial policy lookup phase, which occurs before a dynamic application has been identified, if the potential policy list contains multiple policies that reference different security intelligence or anti-malware policies, the SRX Series Firewall applies the default policy until a more explicit match has occurred.
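The two-phase lookup described above, modelled in Python as an added example (this is not Junos code and not taken from the SRX documentation); the policy names, zone pairs and default-policy names are constructed, and zone pairs stand in for the full 5-tuple match:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed names standing in for the two default policies the page describes
# (set services security-intelligence default-policy / advanced-anti-malware default-policy).
DEFAULT_SI_POLICY = "si-default"
DEFAULT_AAMW_POLICY = "aamw-default"

@dataclass(frozen=True)
class Policy:
    name: str
    zones: Tuple[str, str]       # (from-zone, to-zone), standing in for the 5-tuple match
    dynamic_app: Optional[str]   # dynamic-application match; None means any application
    si_policy: Optional[str]     # security-intelligence policy attached to the policy
    aamw_policy: Optional[str]   # advanced-anti-malware policy attached to the policy

# Constructed policy set in evaluation order (first match wins once the app is known).
POLICIES = [
    Policy("allow-web", ("trust", "untrust"), "junos:HTTP", "si-web", "aamw-web"),
    Policy("allow-ssh", ("trust", "untrust"), "junos:SSH", "si-web", None),
    Policy("allow-any", ("trust", "untrust"), None, "si-web", "aamw-web"),
    Policy("dmz-web", ("dmz", "untrust"), "junos:HTTP", "si-dmz", "aamw-dmz"),
]

def _agreed_or_default(values, default):
    """If every potential policy names the same service policy, use it; else the default."""
    distinct = set(values)
    return distinct.pop() if len(distinct) == 1 else default

def lookup(policies, zones, identified_app):
    """identified_app is None before AppID classifies the flow, the app name afterwards."""
    deny = {"phase": "final", "policy": None, "action": "deny", "si": None, "aamw": None}
    candidates = [p for p in policies if p.zones == zones]
    if not candidates:
        return deny
    if identified_app is None:
        # Initial phase: the potential policy list permits the traffic, and each service
        # falls back to its default policy only when the candidates disagree.
        return {"phase": "potential", "policy": [p.name for p in candidates], "action": "permit",
                "si": _agreed_or_default((p.si_policy for p in candidates), DEFAULT_SI_POLICY),
                "aamw": _agreed_or_default((p.aamw_policy for p in candidates), DEFAULT_AAMW_POLICY)}
    # Final phase: the first candidate whose dynamic-application matches (or is 'any') wins.
    for p in candidates:
        if p.dynamic_app in (None, identified_app):
            return {"phase": "final", "policy": p.name, "action": "permit",
                    "si": p.si_policy, "aamw": p.aamw_policy}
    return deny
```

In the trust-to-untrust case the three candidates agree on the security-intelligence policy, so it is applied unchanged, but they disagree on the anti-malware policy, so the anti-malware default policy covers the flow until AppID settles the final match.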
Here are the possible completions for the security intelligence default-policy:
root@host# set services security-intelligence default-policy ?
Possible completions:
  <category>           Name of security intelligence category
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  description          Text description of policy
Here are the possible completions for the anti-malware default-policy:
root@host# set services advanced-anti-malware default-policy ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> blacklist-notification  Blacklist notification logging option
> default-notification  Notification action taken for action
> fallback-options     Fallback options for abnormal conditions
> http                 Configure HTTP options
> imap                 Configure IMAP options
> smtp                 Configure SMTP options
  verdict-threshold    Verdict threshold
> whitelist-notification  Whitelist notification logging option
  |                    Pipe through a command