Unified security policies on Juniper SRX devices integrate traditional 5-tuple matching with dynamic application identification (AppID). When a new session starts, the application is not yet known. The device performs an initial lookup and may identify multiple policies that could potentially match the traffic based on source/destination addresses and ports. This makes option C correct. Once AppID inspects the traffic and identifies the specific application, the SRX performs a final, more specific policy lookup using the AppID result. This determines the definitive policy that will be applied to the session for its duration, making option D correct.

A. Unified security policies require an advanced feature license.

The unified policy framework itself is a base feature in modern Junos OS versions; specific security services used within a policy (e.g., IPS, AppFW) require their own licenses.

B. Unified security policies are evaluated after global security policies.

Policy lookup order is zone-specific first, then global. A unified policy can be configured in either context, so its evaluation order depends on its configuration, not its type.

1. Juniper Networks TechLibrary

Security Policies User Guide for Security Devices

"Understanding Unified Security Policy Session Match": This document explains the multi-stage match process. It states

"If the application is not known

the SRX Series device performs a preliminary match... and identifies a list of potential policies." This directly supports option C. It further states

"After the application type is identified

the SRX Series device performs a final policy match to find the best-fit policy for the session." This directly supports option D.

2. Juniper Networks TechLibrary

Security Policies User Guide for Security Devices

"Unified Policies Overview": This guide clarifies licensing: "You must purchase and install the license for each Application Security service that you want to use. The unified policy itself does not require a separate license." This confirms that option A is incorrect.

3. Juniper Networks TechLibrary

Security Policies User Guide for Security Devices

"Understanding Security Policy Lookup": This document details the policy evaluation order

stating

"The device first checks for a matching policy in the user-defined (zone-based) policy database... If it does not find a match

it checks the global policy database." This shows that unified policies are not a separate evaluation step and that their position depends on whether they are configured as zone-based or global

making option B incorrect.