Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


dynamic-application (Security Policies)


Hierarchy Level


Specify the dynamic applications or dynamic application groups used as match criteria within a security policy.

By adding dynamic applications to the match criteria, the data traffic is classified based on the Layer 7 application inspection results. Application Identification (AppID) identifies dynamic or real-time Layer 4 through Layer 7 applications. After a particular application is identified and the matching policy is found, then the actions are applied according to the policy.


dynamic-application-name | dynamic-application-group-name

Specify dynamic applications or dynamic application groups.

Examples for dynamic applications or dynamic application groups are as follows:

  • junos:FTP (dynamic application).

  • Enter junos:UNKNOWN when no dynamic application can be determined.

  • junos:web:shopping (dynamic application group).

  • Enter junos:unassigned when no dynamic application group can be determined.

  • junos:all-new-apps (dynamic application group).

    This has newly added application signatures from the latest signature package released in Junos OS Release 21.1R1.


When you download the application signature package on your security device, the entire predefined applications and application groups are downloaded. For downloading and installing application signature package, see Predefined Application Signatures for Application Identification


Configuring the dynamic application as any installs the policy with the application as a wildcard (default). If an application cannot be specified, configure any as the default application. Data traffic that match the parameters in a unified policy matches the policy regardless of the application type.


Configuring the dynamic application as none ignores classification results from AppID and does not use the dynamic application in security policy lookups. Within the list of potential match policies, if there is any policy configured with dynamic application as none, irrespective of the policy match sequence, this policy is matched as the final policy and is terminal. If any Layer 7 services are configured in this policy, deep packet inspection for the traffic is performed.

When upgrading the Junos OS release from previous releases (where dynamic applications were not supported), all existing traditional policies are considered as policies with the dynamic application configured as none.


Ensure to match an application if dynamic-application is set to none in the match criteria

If dynamic application is not configured within a security policy, the policy is considered to be a traditional security policy. This policy is similar to a policy with the dynamic application configured as none.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 18.2R1.