[CSO] Error 'please add a more restrictive application to the policy and remove "junos-defaults"!'

Article ID: KB36881   KB Last Updated: 11 May 2021   Version: 1.0
Summary:

A firewall policy deployment from CSO (Contrail Service Orchestration) to an SRX device fails with the following error message:

Policy deploy report Dynamic-application junos:UDP does not contain any default ports, please add a more restrictive application to the policy and remove "junos-defaults"!
Symptoms:

Attempted to configure the following firewall policy:

This configuration was created by CSO for the above intent:

## Global address book configurations ##
set security address-book global address 10.4.0.0/16 10.4.0.0/16
 
## Security Firewall Policy : LAN-LAN - LAN-LAN ##
delete security policies from-zone LAN-LAN to-zone LAN-LAN
delete security policies from-zone LAN-LAN to-zone LAN-LAN policy ALLOW_LAN_1
 
## Security Firewall Policy: trust - trust ##
set security policies from-zone trust to-zone trust policy r023_1 match source-address 10.4.0.0/16
set security policies from-zone trust to-zone trust policy r023_1 match destination-address any
set security policies from-zone trust to-zone trust policy r023_1 match dynamic-application junos:UDP
set security policies from-zone trust to-zone trust policy r023_1 match application junos-defaults
set security policies from-zone trust to-zone trust policy r023_1 then permit
delete security policies from-zone trust to-zone trust policy ALLOW_LAN_1
 
## Security Firewall Policy: LAN-LAN - trust ##
delete security policies from-zone LAN-LAN to-zone trust
delete security policies from-zone LAN-LAN to-zone trust policy ALLOW_LAN_1
 
## Security Firewall Policy : trust - LAN-LAN ##
delete security policies from-zone trust to-zone LAN-LAN
delete security policies from-zone trust to-zone LAN-LAN policy ALLOW_LAN_1

This configuration failed on the device with the following error:

Policy deploy report Dynamic-application junos:UDP does not contain any default ports, please add a more restrictive application to the policy and remove "junos-defaults"!

This means that, when a policy matches on "application junos-defaults", the dynamic-application must be more specific than a bare transport protocol such as junos:UDP or junos:TCP: those dynamic applications carry no default port list, so there is nothing for junos-defaults to inherit and the device rejects the policy.

Cause:
The following text is taken from the technical documentation on Unified Security Policies:

Default Ports and Protocols as Application Matching Criteria

Starting in Junos OS Release 18.2R1, the junos-defaults option is introduced in the security policy configuration as application match criteria. The junos-defaults group contains preconfigured statements that include predefined values for common applications. As the default protocols and ports are inherited from junos-defaults, there is no requirement to explicitly configure the ports and protocols, thus simplifying the security policy configuration.

In the following example, the security policy L7-test-policy uses junos:HTTP as the dynamic application and inherits destination TCP ports: 80, 3128, 8000, and 8080 as the application match criteria.

set security policies from-zone trust to-zone untrust policy L7-test-policy match application junos-defaults dynamic-application junos:HTTP


In other words, "junos-defaults" only supplies predefined ports and protocols for common Layer 7 applications; it has no values to supply for a protocol-only dynamic application. In the CSO UI, the APPS object maps to Layer 7 dynamic applications (dynamic-application), while the SRVS object maps to Layer 4 services (application). A policy whose real intent is "any UDP traffic" should therefore be expressed with a Layer 4 service, not with a Layer 7 application.

Solution:

If the requirement and intention of the firewall policy is to allow any UDP application, the correct intent definition in CSO uses a Layer 4 service (SRVS) rather than a Layer 7 application (APPS):

The translated Junos configuration would be:

## Global address book configurations ##
set security address-book global address 10.4.0.0/16 10.4.0.0/16
 
## Security Firewall Policy: LAN-LAN - LAN-LAN ##
delete security policies from-zone LAN-LAN to-zone LAN-LAN
delete security policies from-zone LAN-LAN to-zone LAN-LAN policy ALLOW_LAN_1
 
## Security Firewall Policy: trust - trust ##
set security policies from-zone trust to-zone trust policy r023_1 match source-address 10.4.0.0/16
set security policies from-zone trust to-zone trust policy r023_1 match destination-address any
set security policies from-zone trust to-zone trust policy r023_1 match dynamic-application any
set security policies from-zone trust to-zone trust policy r023_1 match application junos-udp-any
set security policies from-zone trust to-zone trust policy r023_1 then permit
delete security policies from-zone trust to-zone trust policy ALLOW_LAN_1
 
## Security Firewall Policy : LAN-LAN - trust ##
delete security policies from-zone LAN-LAN to-zone trust
delete security policies from-zone LAN-LAN to-zone trust policy ALLOW_LAN_1
 
## Security Firewall Policy : trust - LAN-LAN ##
delete security policies from-zone trust to-zone LAN-LAN
delete security policies from-zone trust to-zone LAN-LAN policy ALLOW_LAN_1
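As an added example (not part of the article or of any Juniper tool), the following Python script pre-checks a CSO-generated Junos set-command block for the combination described in the Cause and Solution sections above: a policy that pairs "application junos-defaults" with a port-less dynamic application such as junos:UDP or junos:TCP. The sample configuration embedded in the script is the failing r023_1 policy from this article and its corrected form; treating only junos:UDP and junos:TCP as port-less is an assumption for this check.

```python
import re
from collections import defaultdict

# Assumption for this check: only these bare transport-protocol dynamic
# applications lack a default port list for "junos-defaults" to inherit.
PORTLESS_DYNAMIC_APPS = {"junos:UDP", "junos:TCP"}

# Matches the "match" statements of a security policy; "then" and "delete"
# lines, address-book lines, comments and blanks deliberately do not match.
MATCH_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match (.+)$"
)

def check_junos_defaults(config_text):
    """Return (from_zone, to_zone, policy, dynamic_app) for every policy that
    combines 'application junos-defaults' with a port-less dynamic-application.
    An empty list means the deploy error on this page would not be triggered."""
    policies = defaultdict(lambda: {"application": set(), "dynamic-application": set()})
    for line in config_text.splitlines():
        m = MATCH_RE.match(line.strip())
        if not m:
            continue
        from_zone, to_zone, name, rest = m.groups()
        tokens = rest.split()
        # Match criteria come as key/value pairs; several pairs may share one line
        # (e.g. "match application junos-defaults dynamic-application junos:HTTP").
        for key, value in zip(tokens[0::2], tokens[1::2]):
            if key in ("application", "dynamic-application"):
                policies[(from_zone, to_zone, name)][key].add(value)
    findings = []
    for (from_zone, to_zone, name), crit in sorted(policies.items()):
        if "junos-defaults" not in crit["application"]:
            continue
        for dyn in sorted(crit["dynamic-application"] & PORTLESS_DYNAMIC_APPS):
            findings.append((from_zone, to_zone, name, dyn))
    return findings

# Constructed sample input: the failing policy from the article ...
FAILING = """
set security policies from-zone trust to-zone trust policy r023_1 match source-address 10.4.0.0/16
set security policies from-zone trust to-zone trust policy r023_1 match destination-address any
set security policies from-zone trust to-zone trust policy r023_1 match dynamic-application junos:UDP
set security policies from-zone trust to-zone trust policy r023_1 match application junos-defaults
set security policies from-zone trust to-zone trust policy r023_1 then permit
"""
# ... and the corrected form from the Solution section (Layer 4 service instead).
FIXED = FAILING.replace("dynamic-application junos:UDP", "dynamic-application any") \
               .replace("application junos-defaults", "application junos-udp-any")

if __name__ == "__main__":
    for label, cfg in (("failing", FAILING), ("fixed", FIXED)):
        print(label, check_junos_defaults(cfg))
```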