Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Unified Policies

Starting in Junos OS Release 18.2R1, unified policies are supported on SRX Series devices, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy. See the Junos 18.2R1 documentation for more details on Unified Policies.

Overview

Note:

This overview is taken from the SRX Series documentation. The commands listed here are specific to Juniper ATP Cloud, but for a detailed explanation of unified policies and how they work, you should refer to the Junos documentation.

Unified policies are security policies where you can use dynamic applications as match conditions, along with existing 5-tuple or 6-tuple matching conditions, to detect application changes over time, and allow you to enforce a set of rules for the transit traffic. Unified policies allow you to use dynamic applications as one of the policy match criteria in each application.

By adding dynamic application to the matching conditions, the data traffic is classified based on the Layer 7 application inspection results. AppID identifies dynamic or real-time Layer 4-Layer 7 applications, and after a particular application is identified, actions are performed as per the security policy. (Before identifying the final application, if the policy cannot be matched precisely, a potential policy list is made available, and the traffic is permitted using the potential policy from the list.) After the application is identified, the final policy is applied to the session. Policy actions such as permit, deny, reject, or redirect is applied on the traffic as per the policy rules.

Juniper ATP Cloud is supported for unified policies. The set services security-intelligence default-policy and set services advanced-anti-malware default-policy commands are introduced to create default policies for each. During the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies present in the potential policy list, which contain different security intelligence or anti-malware policies, the SRX Series device applies the default policy until a more explicit match has occurred.

Here are the possible completions for the security intelligence default-policy:

Here are the possible completions for the anti malware default-policy: