Start Using Unified Policies Post Upgrade

SUMMARY Read this topic to understand how to get started using unified policies post upgrade to Junos OS Releases (19.4R3 or 20.2R3).

Starting in Junos OS Release 18.2R1, you can configure unified policies. When you configure a unified policy with a dynamic application as one of the matching conditions, the resulting configuration eliminates some of the additional steps previously required to configure application firewall (AppFW), IDP, and UTM. See the An Introduction to Unified Policies for SRX-Series video to learn about unified policies.

With the introduction of unified policies in Junos OS Release 18.2, some commands are deprecated rather than immediately removed, to provide backward compatibility. This gives you time to bring your old configuration into line with the new configuration.

When you upgrade to Junos OS Releases 19.4R3 or 20.2R3, the security device displays the following warning when you try to commit the configuration that includes the deprecated commands:

We recommend that you migrate to unified policies to bring your configuration up to date with supported features.

Unified Policies on SRX Series Devices Managed by Security Director

Security Director offers a migration tool that converts a traditional firewall policy to a unified policy. We recommend using Security Director Release 20.3 or later to convert a traditional security policy to a unified policy.

Figure 1 shows the option available in Security Director that you can use to convert a security policy to a unified policy.

Figure 1: Security Director: Convert to Unified Policies

For more information about using the Security Director to aid with policy migration, see [Security Director] Managing IDP, AppFW and UTM on SRX 18.2 and above with Security Director and In Focus Security Director.

You can use Security Director to quickly and accurately create policies as shown in the following examples:

  • To configure a unified policy, navigate to the Configure > Firewall Policy > Unified Policies page.
  • To configure an IPS policy, navigate to the Configure > IPS Policy > Policies page.
  • To configure a UTM policy, navigate to the Configure > UTM Policy page.

Unified Policies on SRX Series Devices

The following sections provide details about unsupported configurations in the older release and how you can enable them with the new release.

Application Security

Junos OS Release 15.1X49

Configure individual application firewall rules to allow or reject traffic based on applications.

  • Configure rules and rule sets at the set security application-firewall hierarchy level.
  • Apply the application firewall rule set in the security policy:

    set security policies from-zone <zone> to-zone <zone> policy <policy> then permit application-services application-firewall rule-set <rule-set-name>

Unified Policies (Post Junos OS Release 18.2)

Create security policies with dynamic applications as match criteria to get the same functionality as the application firewall:

    set security policies from-zone <zone> to-zone <zone> policy <policy> match dynamic-application <application-name>

Example: The following samples show the difference in application firewall configuration with 15.1X49 and configuration in 19.4R3-S1 in unified policies. We're using an example of setting up application firewall rules to block Facebook applications.

Before Upgrade

After Upgrade

IDP Policies

Junos OS Release 15.1X49

Assign one IDP policy as the active IDP policy and enable IDP in a security policy to perform intrusion detection and prevention.

  • Specify an active IDP policy:

    set security idp active-policy <IDP-policy-name>

  • Apply the IDP policy in the security policy:

    set security policies from-zone <zone> to-zone <zone> policy <policy> then permit application-services idp

Unified Policies (Post Junos OS Release 18.2)

Configure multiple IDP policies and apply them to security policies. You can also define one of the IDP policies as the default policy.

  • Specify a different IDP policy per firewall rule:

    set security policies from-zone <zone> to-zone <zone> policy <policy-1> then permit application-services idp-policy <IDP-policy-name-1>
    set security policies from-zone <zone> to-zone <zone> policy <policy-2> then permit application-services idp-policy <IDP-policy-name-2>

  • Specify the default IDP policy:

    set security idp default-policy <IDP-policy-name>

Example: The following samples show the difference in IDP configuration with 15.1X49 and configuration in 19.4R3 in unified policies. Note that, in unified policies, you have the flexibility to configure multiple IDP policies.

Before Upgrade

After Upgrade
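As an added illustration of both the application firewall mapping and the IDP mapping described above, the following Python script rewrites a small 15.1X49-style configuration into unified-policy set commands. This is example code written for this page; it is not Juniper's tooling and not Security Director's converter. Every AppFW rule becomes its own security policy that matches on dynamic-application, the rule set's default-rule becomes a trailing catch-all policy, and `then permit application-services idp` under the single active-policy becomes `then permit application-services idp-policy <name>` plus `set security idp default-policy`. The zone names, the policy names (`p1`, `block-social`, `idp-recommended`) and the `junos:FACEBOOK-ACCESS` application name are assumptions made for the constructed sample, and placing the deny policies ahead of the catch-all is the script's own choice.

```python
"""Added example (not Juniper's code): rewrite 15.1X49-style AppFW and IDP
configuration as unified-policy 'set' commands. Input and output are plain text."""
from __future__ import annotations

import re

# Constructed sample with assumed zone, policy and application names.
LEGACY_CONFIG = """
set security idp active-policy idp-recommended
set security application-firewall rule-sets block-social rule fb match dynamic-application junos:FACEBOOK-ACCESS
set security application-firewall rule-sets block-social rule fb then deny
set security application-firewall rule-sets block-social default-rule permit
set security policies from-zone trust to-zone untrust policy p1 match source-address any
set security policies from-zone trust to-zone untrust policy p1 match destination-address any
set security policies from-zone trust to-zone untrust policy p1 match application any
set security policies from-zone trust to-zone untrust policy p1 then permit application-services application-firewall rule-set block-social
set security policies from-zone trust to-zone untrust policy p1 then permit application-services idp
"""

ACTIVE_RE = re.compile(r"^set security idp active-policy (\S+)$")
RULE_RE = re.compile(r"^set security application-firewall rule-sets (\S+) rule (\S+) "
                     r"(?:match dynamic-application (\S+)|then (permit|deny))$")
DEFAULT_RE = re.compile(r"^set security application-firewall rule-sets (\S+) default-rule (permit|deny)$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"(?:match (\S+) (\S+)|then (permit|deny)|then permit application-services "
                       r"(?:application-firewall rule-set (\S+)|(idp)))$")


def parse_legacy(lines):
    """Collect the active IDP policy, the AppFW rule sets and the security policies that use them."""
    state = {"active_idp": None, "rule_sets": {}, "policies": {}}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := ACTIVE_RE.match(line):
            state["active_idp"] = m.group(1)
        elif m := RULE_RE.match(line):
            rs = state["rule_sets"].setdefault(m.group(1), {"rules": {}, "default": None})
            rule = rs["rules"].setdefault(m.group(2), {"apps": [], "action": None})
            if m.group(3):
                rule["apps"].append(m.group(3))
            else:
                rule["action"] = m.group(4)
        elif m := DEFAULT_RE.match(line):
            state["rule_sets"].setdefault(m.group(1), {"rules": {}, "default": None})["default"] = m.group(2)
        elif m := POLICY_RE.match(line):
            pol = state["policies"].setdefault(m.group(3), {"from": m.group(1), "to": m.group(2), "match": [],
                                                            "action": "permit", "rule_set": None, "idp": False})
            if m.group(4):
                pol["match"].append((m.group(4), m.group(5)))
            elif m.group(6):
                pol["action"] = m.group(6)
            elif m.group(7):
                pol["rule_set"] = m.group(7)
            else:
                pol["idp"] = True
        else:
            raise ValueError(f"unrecognised legacy line: {line}")
    return state


def emit_policy(out, prefix, name, match, apps, action, idp_policy):
    """Append one unified policy; IDP is a permit-side service, so deny policies carry none."""
    for key, value in match:
        out.append(f"{prefix} {name} match {key} {value}")
    for app in apps:
        out.append(f"{prefix} {name} match dynamic-application {app}")
    out.append(f"{prefix} {name} then {action}")
    if action == "permit" and idp_policy:
        out.append(f"{prefix} {name} then permit application-services idp-policy {idp_policy}")


def to_unified(state):
    out = []
    active = state["active_idp"]
    for name, pol in state["policies"].items():
        prefix = f"set security policies from-zone {pol['from']} to-zone {pol['to']} policy"
        if pol["idp"] and active is None:
            raise ValueError(f"policy {name} enables IDP but no active-policy is configured")
        idp = active if pol["idp"] else None
        if pol["rule_set"] is None:  # no AppFW: the policy carries over unchanged
            emit_policy(out, prefix, name, pol["match"], [], pol["action"], idp)
            continue
        rs = state["rule_sets"].get(pol["rule_set"])
        if rs is None or rs["default"] is None:
            raise ValueError(f"rule-set {pol['rule_set']} is undefined or has no default-rule; refusing to guess")
        # Each AppFW rule becomes its own policy, placed ahead of the catch-all so it wins.
        for rule, spec in rs["rules"].items():
            if spec["action"] is None or not spec["apps"]:
                raise ValueError(f"rule {rule} in {pol['rule_set']} is incomplete")
            emit_policy(out, prefix, f"{name}-{rule}", pol["match"], spec["apps"], spec["action"], idp)
        # The rule set's default-rule becomes a trailing policy matching any dynamic application.
        emit_policy(out, prefix, f"{name}-default", pol["match"], ["any"], rs["default"], idp)
    if active:  # the old single active policy becomes the explicit default IDP policy
        out.append(f"set security idp default-policy {active}")
    return out


def convert(text: str) -> list[str]:
    return to_unified(parse_legacy(text.splitlines()))


if __name__ == "__main__":
    print("\n".join(convert(LEGACY_CONFIG)))
```

Order matters: unified policies are evaluated top down within a zone pair, so the script emits each per-application deny policy before the catch-all policy derived from the rule set's default-rule, and loading the output with load set preserves that order. The script refuses to guess when a rule set has no default-rule or a rule lacks an action, because a silently permissive catch-all is exactly the kind of mistake a migration should surface rather than hide.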

UTM

Junos OS Release 15.1X49

Configure unified threat management (UTM) feature parameters under each feature profile.

  • set security utm feature-profile anti-virus
  • set security utm feature-profile anti-spam
  • set security utm feature-profile web-filtering
  • set security utm feature-profile content-filtering

Unified Policies (Post Junos OS Release 18.2)

Configure UTM features under the default configuration. The UTM default configuration supplies parameters that you might have missed configuring for a specific UTM feature.

  • set security utm default-configuration anti-virus
  • set security utm default-configuration anti-spam
  • set security utm default-configuration web-filtering
  • set security utm default-configuration content-filtering

Example: The following samples show the difference in UTM configuration with 15.1X49 and configuration in 19.4R3-S1 in unified policies. We're using an example of configuration of Sophos antivirus on your security device.

Before Upgrade

After Upgrade

For more information on configuring security features on your device, see Product Documentation and Day One+.

What's Next

Now you are all set to explore the new features and enhancements available with the latest Junos OS releases. See Explore New Features Post Upgrade.