SRX Services Gateway

Unified policy not working

01-21-2019 01:44 PM

I got the latest 18.4 vSRX 3.0.

Been playing with the new unified policy.

So with the config below, the unified rule (Fake_News) is never hit.

Is there a higher priority with classic rules regardless of the order?

root@T> show configuration security policies 
from-zone trust to-zone untrust {
    policy Fake_News {
        match {
            source-address any;
            destination-address any;
            application junos-defaults;
            dynamic-application junos:CNN;
        }
        then {
            deny;
        }
    }
    policy LAN-to-WAN {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {  
                    ssl-proxy {
                        profile-name ssl-fp;
                    }
                    utm-policy UTM;
                    security-intelligence-policy SKY_policy;
                    advanced-anti-malware-policy SKY_policy;
                }
            }
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
}
Re: Unified policy not working

01-21-2019 03:15 PM

Hi, Lochlain

It looks to be the case. The documentation states:

"When the device examines the first packet of a flow, it determines the corresponding security policy, and performs a security policy lookup. During this process the following cases are observed:

1. If the traffic matches a legacy security policy or the final policy, the session is created."

In your case it looks like the first packet will match the legacy policy, because one packet alone is not enough for AppID to determine the dynamic application. Besides, the doc says:

"During the initial policy lookup phase, which occurs prior to a dynamic application being identified, if there are multiple policies in the potential policy list, the SRX Series device applies the default security policy until a more explicit match has occurred"

But in your case there is no policy conflict, and a more specific security policy exists (the legacy one), so it will be chosen. Can you share a "show security flow session session-identifier [session_ID]" in order to confirm whether AppID is identifying the dynamic-application correctly or not?

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
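The lookup order the reply quotes, as a simplified Python model (an added example, not Juniper's code or the SRX implementation). The policy data comes from the question's config and the two quoted documentation sentences drive the logic; the `default-policy` name, the `final` flag and the `any` dynamic application used for the contrasting case are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    name: str
    action: str                        # "permit" or "deny"
    dynamic_app: Optional[str] = None  # None = legacy policy (no dynamic-application term)


@dataclass
class Lookup:
    policy: str   # policy the session is currently applied to
    final: bool   # True once the session has been created against that policy


# Constructed from the question's config: source/destination are "any", so every
# policy matches the 5-tuple and only the dynamic-application term differs.
THREAD_POLICIES = [
    Policy("Fake_News", "deny", dynamic_app="junos:CNN"),
    Policy("LAN-to-WAN", "permit"),
]


def first_packet_lookup(policies: List[Policy], default: str = "default-policy") -> Lookup:
    """Initial lookup: only one packet seen, so AppID has not identified anything yet."""
    legacy = [p for p in policies if p.dynamic_app is None]
    if legacy:
        # Quoted case 1: a legacy policy matches, so the session is created at once,
        # even though a unified policy sits above it in the ordered list.
        return Lookup(legacy[0].name, final=True)
    if len(policies) > 1:
        # Only unified candidates in the potential list: the default policy applies
        # until AppID produces a more explicit match (second quoted sentence).
        return Lookup(default, final=False)
    return Lookup(policies[0].name, final=False)  # single unified candidate, provisional


def after_appid(policies: List[Policy], state: Lookup, app: str) -> Lookup:
    """Re-evaluate once AppID has identified the dynamic application."""
    if state.final:
        return state            # session already created; no re-match happens
    for p in policies:          # ordered list, first explicit match wins
        if p.dynamic_app in (app, "any"):
            return Lookup(p.name, final=True)
    return state


if __name__ == "__main__":
    s = first_packet_lookup(THREAD_POLICIES)
    print("first packet ->", s)
    print("after AppID  ->", after_appid(THREAD_POLICIES, s, "junos:CNN"))
```

With the question's policies the session is pinned to LAN-to-WAN on the first packet, so Fake_News is never consulted even after AppID sees junos:CNN; the contrasting case in the model is two unified policies, where the default policy holds until the identified application selects one.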