A commit warning about policy placement order is encountered when Unified and Legacy security policies are used together.
If you place a policy that has no dynamic-application below policies that use dynamic-applications, you will see the following warning when committing the configuration:
warning: Policy *policy name* does not contain any dynamic-applications or url-categories but is placed below policies that use them. Please insert policy *policy name* before your Unified policies.
Understanding why this warning is raised requires some knowledge of how policies are evaluated when unified and legacy policies are configured in the same context.
Definition of Policy types
- Legacy policies: The traditional setup, in which policies are processed top-down and the action is taken from the first policy whose SRC/DST IP, SRC/DST port (application) and source-identity match the session.
- Unified policies: Policies whose match conditions include dynamic-application and/or url-category. Policies are processed top-down to build a list of all potential matches based on the legacy match conditions. If the dynamic application is not yet in the Application System Cache (ASC), the session is set up using the pre-id-default-policy settings combined with the applicable actions of every policy on the potential-match list; the final policy match is made once the dynamic application has been identified. Layer 7 services on potential-match policies use the configured 'default' setting of that service until then.
- Mixed policies: A combination of legacy and unified policies in the same zone-to-zone context. If the dynamic application is not known in the ASC at first-packet processing, Junos locates all potential match policies based on the legacy match conditions. If a legacy policy is among them, the first matching legacy policy is terminal: it is used for session setup and no further processing of unified or legacy policies occurs.
Processing Behavior
- With mixed policies, if unified policies are placed above legacy policies, Junos collects every policy that matches before dynamic application identification, including the legacy policies placed below the unified ones. Because a legacy policy beneath a matching unified policy is terminal and is matched first, the configured order no longer reflects the processing order, which is confusing when reading the configuration. The warning was added to recommend placing legacy policies above unified policies, so that the configuration order matches the actual match order.
The commit warning was introduced in the following versions:
- 18.2R2, 18.3R3, 18.4R2, 19.1R2, 19.2R1+
To avoid the warning on commit, use one of the following options:
- Place legacy policies before unified policies
- Add 'match dynamic-application any' to each legacy policy, which turns it into a unified policy and makes it part of the initial potential-match list
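The following Junos configuration, added here as an example and not taken from the original article, shows a mixed-policy context that triggers the warning and both ways of resolving it. The zone names (trust, untrust), the policy names (allow-web-apps, allow-dns) and the chosen applications are assumed for illustration; the predefined application names (junos-dns-udp) and dynamic-application names (junos:HTTP, junos:SSL) are standard Junos identifiers.

```junos
## Added example, not from the original KB article. Zone and policy names are assumed.

## Unified policy: matches on dynamic-application, so it is only final once AppID
## has identified the application.
set security policies from-zone trust to-zone untrust policy allow-web-apps match source-address any
set security policies from-zone trust to-zone untrust policy allow-web-apps match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web-apps match application any
set security policies from-zone trust to-zone untrust policy allow-web-apps match dynamic-application junos:HTTP
set security policies from-zone trust to-zone untrust policy allow-web-apps match dynamic-application junos:SSL
set security policies from-zone trust to-zone untrust policy allow-web-apps then permit

## Legacy policy: no dynamic-application or url-category. Entered after the unified
## policy, so it lands below it in the ordered policy list for trust -> untrust.
set security policies from-zone trust to-zone untrust policy allow-dns match source-address any
set security policies from-zone trust to-zone untrust policy allow-dns match destination-address any
set security policies from-zone trust to-zone untrust policy allow-dns match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy allow-dns then permit

## Committing in this order raises:
## warning: Policy allow-dns does not contain any dynamic-applications or url-categories
## but is placed below policies that use them. Please insert policy allow-dns before
## your Unified policies.

## Option 1: move the legacy policy above the unified policy so that the configured
## order matches the order in which a terminal legacy match is actually applied.
insert security policies from-zone trust to-zone untrust policy allow-dns before policy allow-web-apps

## Option 2 (use instead of option 1): turn the legacy policy into a unified policy so
## it joins the potential-match list rather than acting as a terminal legacy match.
set security policies from-zone trust to-zone untrust policy allow-dns match dynamic-application any

## Validate without committing, then confirm the resulting order.
commit check
run show security policies from-zone trust to-zone untrust
```

Apply only one of the two options. Option 1 preserves the legacy semantics of allow-dns (first match is terminal); option 2 changes its evaluation, because the policy now participates in the unified potential-match list and the session is set up under the pre-id-default-policy settings until the dynamic application is identified.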