Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Commit error when policy without dynamic-applications is under one that has dynamic-applications

0

0
Article ID: KB35531 KB Last Updated: 23 Apr 2020Version: 2.0 Summary:

Commit warning about policy order placement is encountered when attempting to use Unified and Legacy security policies.

Symptoms:

If you attempt to place a policy without a dynamic application after policies using dynamic applications, you will see the warning below when committing changes:

warning: Policy *policy name* does not contain any dynamic-applications or url-categories but is placed below policies that use them. Please insert policy *policy name* before your Unified policies.

Cause:

The reason for this warning message requires a little understanding of how policies are handled when using unified and legacy policies together.

Definition of Policy types

  • Legacy policies : This is your typical setup where policies that are processed top - down with action result based on the first matching policy based on SRC/DST IP, SRC/DST port and source-identity.  

  • Unified policies :  Policies that contain a match condition including dynamic-application and/or url-category.   Policies are processed top – down locating all potential match policies that based on legacy match conditions.  If a dynamic application is not in the Application System Cache (ASC), a session will setup against a pre-ID-default-policy settings combined with all applicable actions from matched policy list and then final policy match will be made upon dynamic-application match.  L7 services on potential match policies will use the configured ‘default’ setting of that L7 service.

  • Mixed policies : Combination of both legacy and unified policies in same zone-to-zone context.  If dynamic-application is not known in ASC on first packet processing, Junos will locate all potential match policies based on legacy match conditions.  If a legacy policy is located the first legacy policy match policy is terminal and used for session setup and no further processing of Unified or Legacy polices will occur. 

Processing Behavior

  • When using mixed policies, if unified policies are placed above legacy policies, Junos will locate all the policies that match prior to dynamic application identification including legacy policy below the unified policies.  Since a legacy policy under a matching unified policy may cause confusion based on processing expectations, the warning has added to recommend placing legacy policies above unified policies given that legacy policies are terminal rules resulting in match before unified policies resulting in a clearer match expectation when viewing configurations.
Solution:
The commit warning was introduced in the following versions:
  • 18.2R2, 18.3R3, 18.4R2, 19.1R2, 19.2R1+
To avoid warning messages on commit the following options may be used:
  • Place Legacy policies before Unified policies
  • Add 'match dynamic-application any' to any legacy policy allowing legacy policies to become unified policies and part of initial potential policy match list
Modification History:
4/23/2020  Corrected associated hyperlink 
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search