Anyone with good understanding of Unified Security Policies (SRX)
Been looking for a while at wanting to use the unified security policies, as they keep releasing compelling features based on them. Not to mention, newer versions of Junos will be defaulted to this, and it is required for use in Security Director based on your Junos version. Just wanted to see if anyone had any good experience using these new Unified Security Policies (USP).
Applications can be matched as part of your security policy (the traditional application firewall applied as a service to a rule is going away)
URL categories as part of your security policy match
Multiple IPS policies can be used
However there seems to be some caveats to using unified policies (USP):
If a USP is present in a zone-based policy table, there will be no lookup performed in the global policy table if there is no match. If you utilize the global policy table, this forces you to create all USPs in the global policy table.
A mix of traditional and USP changes your policy lookup order. If you have a traditional security policy after a USP, the traditional policy will be matched first.
It seems all deny rules must be USPs or you get into the policy lookup order issue above.
Possible potential match policies where the APP hasn't been ID'd yet
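As an added illustration of the features and caveats listed above (my own example config, not from the original post or from Juniper; the zone names trust/untrust, the policy names, the URL category and the IDP policy name corp-idp are assumed), here is a zone-pair table that mixes one traditional rule with unified rules, keeps the final deny as a USP, and sets the pre-ID default policy for the window before the application has been identified:

```junos
## Added example, not from the original post. Zone names trust/untrust,
## policy names, the URL category and the IDP policy "corp-idp" are assumed.

## Unified policy: matches on dynamic application and URL category and
## attaches its own IDP policy (a different rule can carry a different one).
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-defaults
set security policies from-zone trust to-zone untrust policy allow-web match dynamic-application junos:HTTP
set security policies from-zone trust to-zone untrust policy allow-web match dynamic-application junos:SSL
set security policies from-zone trust to-zone untrust policy allow-web match url-category Enhanced_Information_Technology
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services idp-policy corp-idp
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

## Traditional (non-USP) policy in the same context: Layer 3/4 match only,
## no dynamic-application. Per the caveat in the post, a traditional policy
## placed after a USP is still matched first, so the deny below is a USP.
set security policies from-zone trust to-zone untrust policy allow-dns match source-address any
set security policies from-zone trust to-zone untrust policy allow-dns match destination-address any
set security policies from-zone trust to-zone untrust policy allow-dns match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy allow-dns then permit

## Final deny written as a USP (dynamic-application any) so it sits in the
## same lookup order as the other USPs.
set security policies from-zone trust to-zone untrust policy deny-rest match source-address any
set security policies from-zone trust to-zone untrust policy deny-rest match destination-address any
set security policies from-zone trust to-zone untrust policy deny-rest match application any
set security policies from-zone trust to-zone untrust policy deny-rest match dynamic-application any
set security policies from-zone trust to-zone untrust policy deny-rest then deny
set security policies from-zone trust to-zone untrust policy deny-rest then log session-init

## Pre-ID default policy: controls what happens to a session while AppID is
## still working, i.e. the "potential match" window. Log it and cap how long
## an unidentified TCP session is allowed to sit there (5 seconds assumed).
set security policies pre-id-default-policy then log session-close
set security policies pre-id-default-policy then session-timeout tcp 5
```

After committing, `show security policies hit-count` and `show security flow session` are the quickest way to see which rule a given session actually landed on, which is how the ordering caveat shows up in practice.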
Re: Anyone with good understanding of Unified Security Policies (SRX)
Some more thoughts/questions on using USP
I am not sure how I would utilize having a restrictive default-allow rule while also maintaining a Deny-All rule beneath
Currently in testing I have had to use a Default Permit Rule that matches any-any to any dynamic-application
This then makes me never use my Default-Deny rule
Some Application Groups contain apps that have no Default Ports in the signature, therefore you get a nasty commit message.
Below is an example of how I would expect USP to work but I can't get this working, one due to the Junos application group "web"
deny specific web application categories
permit the general web application group
default deny everything else
If I try to utilize the Junos web application group as below it gives me commit errors stating that there are applications within the group that do not contain any configured default ports. It asks to configure a more restrictive application or services with dynamic-application set to none.
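To make the three-tier structure described in the reply concrete, here is how it would be written in Junos set syntax (added example, my own, not the reply's configuration or anything from Juniper; the zone names, policy names and URL category names are assumed). The first form of the permit rule is the one the reply says fails at commit with the junos:web group; the second pins the Layer 4 application to junos-http and junos-https instead of junos-defaults, which is the "more restrictive application" the commit error asks for:

```junos
# Added example, not from the original reply. Zones trust/untrust, the
# policy names and the URL category names are assumed.

# 1. Deny specific web categories first. Written as a USP
#    (dynamic-application any) so it stays in USP lookup order.
set security policies from-zone trust to-zone untrust policy deny-bad-web match source-address any
set security policies from-zone trust to-zone untrust policy deny-bad-web match destination-address any
set security policies from-zone trust to-zone untrust policy deny-bad-web match application any
set security policies from-zone trust to-zone untrust policy deny-bad-web match dynamic-application any
set security policies from-zone trust to-zone untrust policy deny-bad-web match url-category Enhanced_Gambling
set security policies from-zone trust to-zone untrust policy deny-bad-web match url-category Enhanced_Malicious_Web_Sites
set security policies from-zone trust to-zone untrust policy deny-bad-web then deny
set security policies from-zone trust to-zone untrust policy deny-bad-web then log session-init

# 2a. Permit the general web group using junos-defaults. Per the reply this
#     fails to commit because some members of junos:web have no default port.
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-defaults
set security policies from-zone trust to-zone untrust policy allow-web match dynamic-application junos:web
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

# 2b. Same rule with explicit Layer 4 applications instead of junos-defaults,
#     so the commit check no longer needs a default port for every group member.
delete security policies from-zone trust to-zone untrust policy allow-web match application junos-defaults
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https

# 3. Default deny, also as a USP, so the any-any dynamic-application permit
#    from the reply's testing is no longer needed.
set security policies from-zone trust to-zone untrust policy default-deny match source-address any
set security policies from-zone trust to-zone untrust policy default-deny match destination-address any
set security policies from-zone trust to-zone untrust policy default-deny match application any
set security policies from-zone trust to-zone untrust policy default-deny match dynamic-application any
set security policies from-zone trust to-zone untrust policy default-deny then deny
set security policies from-zone trust to-zone untrust policy default-deny then log session-init
```

The trade-off in 2b is that web applications in the junos:web group running on non-standard ports are no longer permitted by this rule; if those are needed, add the specific port-based applications to the match rather than falling back to junos-defaults for the whole group. Run `show services application-identification group junos:web` to see which members the group actually contains before deciding.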