Security Director doesn't deliver the correct schema configuration for SDSN


Uff... sometimes Security Director is difficult :-|

Here is my case.

I've updated the DMI schema from Junos Space 17.2 R1 in order to perfectly match my vSRX 17.3R1.10.

The problem is that while I'm trying to configure SDSN 17.2R1 through Junos Security Director, it's missing some parameters that Junos requires but Security Director doesn't mention.

For example, see below. I tried to configure SDSN manually via the CLI and it's working correctly!

After that I synchronized the policy with Security Director, updated the policy and tried to push it.

The problem, specifically, is that it's trying to remove the "match and permit" policy from the service advanced-threat-prevention, but as I said, it seems to be required by the system!

Maybe Security Director is right and I should install an old DMI because the "match and permit" statement was allowed in the 15.x version... but these things are really strange, BTW.

Any update please?

##Security Policy Settings##
set security policies policy-rematch
##Security Firewall Policy : contact - Server##
delete security policies from-zone contact to-zone Server policy VPN-Client_to_Server then permit application-services 
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match application junos-dns-udp
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match destination-address dc_host
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match destination-address synology_host
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : Server - contact##
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match application junos-dns-udp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match application server-internet_access
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match destination-address any
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match source-address server-net
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services idp 
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services utm-policy Advance_internet_antivirus
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match application Synology-Torrent
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match application synology_internet
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match destination-address any-ipv4
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match source-address synology_host
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services idp 
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application junos-icmp-ping
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application junos-snmp-agentx
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application snmp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match destination-address any-ipv4
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match source-address phpipam
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application junos-https
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application junos-ssh
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application snmp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match destination-address fw-edge-inside
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match destination-address EX-Core
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match source-address Junos-SPACE
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match source-address phpipam
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : contact - junos-host##
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-https
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ssh
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ping
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : Server - junos-host##
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-icmp-all
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ssh
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-snmp-agentx
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application snmp
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match source-address server-net
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : junos-host - contact##
delete security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match source-address Block_from_Reagion
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
delete security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match destination-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : junos-host - Server##
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match application any
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : contact - junos-host##
insert security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 before policy HQ_mgmt_FW
##Security Firewall Policy : contact - Server##
insert security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 before policy HQ_to_serverDNS
##Security Firewall Policy : Server - contact##
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 before policy DNS-DC_request
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 before policy server_internet_access
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 before policy synology_internet_access
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 before policy Observium_to_HQ
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 before policy Space-MGMT
##Security Firewall Policy : Server - junos-host##
insert security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 before policy SNMP-Monitoring
##Security Firewall Policy : junos-host - Server##
insert security policies from-zone junos-host to-zone Server policy vSRX-Server after policy PolicyEnforcer-Rule1-2
##Security Firewall Policy : global ##
set security policies global policy PolicyEnforcer-Rule1-2 match application any
set security policies global policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies global policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
##Advanced AntiMalware Policy Configurations##
delete services advanced-anti-malware policy SkyATP_DMZ match   (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ then  (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ inspection-profile 
delete services advanced-anti-malware policy SkyATP_DMZ default-notification 
delete services advanced-anti-malware policy SkyATP_DMZ whitelist-notification 
delete services advanced-anti-malware policy SkyATP_DMZ blacklist-notification 
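A pre-push audit of the kind of set/delete list shown above, added here as an example and not part of the original post or of Security Director: it flags any `delete services advanced-anti-malware policy <name> match|then` line while firewall policies in the same push still attach that policy, which is exactly the case the post marks as "NEEDED". The sample command list is constructed in the style of the post's output.

```python
import re
from collections import defaultdict

# Constructed sample of the kind of set/delete list Security Director produces
# for a push (a small excerpt in the style of the post, not the post's output).
SAMPLE_PUSH = """\
##Security Firewall Policy : Server - contact##
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : global ##
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
##Advanced AntiMalware Policy Configurations##
delete services advanced-anti-malware policy SkyATP_DMZ match
delete services advanced-anti-malware policy SkyATP_DMZ then
delete services advanced-anti-malware policy SkyATP_DMZ inspection-profile
"""

# "delete services advanced-anti-malware policy <name> match|then"
AAMW_DELETE = re.compile(
    r"^delete services advanced-anti-malware policy (\S+) (match|then)(?:\s|$)")
# "set security policies ... policy <fw-policy> then permit application-services
#  advanced-anti-malware-policy <name>"
AAMW_REF = re.compile(
    r"^set (security policies .*?policy \S+) then permit application-services "
    r"advanced-anti-malware-policy (\S+)")

def audit_push(commands):
    """Return one finding per advanced-anti-malware policy whose 'match' or
    'then' stanza the push deletes. The post reports Junos requires these, so
    such a push should be stopped and reviewed before it is sent."""
    deleted = defaultdict(set)     # aamw policy -> stanzas being removed
    referenced = defaultdict(set)  # aamw policy -> firewall policies using it
    for raw in commands:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue               # skip blanks and SD's ## section headers
        if (m := AAMW_DELETE.match(line)):
            deleted[m.group(1)].add(m.group(2))
        elif (m := AAMW_REF.match(line)):
            referenced[m.group(2)].add(m.group(1))
    return [{"policy": name,
             "stanzas": sorted(stanzas),
             "referenced_by": sorted(referenced.get(name, ()))}
            for name, stanzas in sorted(deleted.items())]

if __name__ == "__main__":
    for f in audit_push(SAMPLE_PUSH.splitlines()):
        print(f"REFUSE PUSH: {f['policy']} loses {f['stanzas']}, "
              f"still attached by {len(f['referenced_by'])} firewall policies")
```

Deleting only `inspection-profile` or the notification knobs produces no finding, so the check stays narrow to the two stanzas the post identifies.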

