So for the interfaces, I can still keep them L3 and just use unit 0? If a broadcast to 255 comes across that interface, won't the SRX process that and send it to the other interfaces, or am I confusing things?
Absolutely understand that the full policy lookup only occurs on the first packet. One of the things I think is great about the processing engine/process and the way Juniper has coded their engines.
The one benefit that I get on the filters is that my syslog server will register a firewall deny message, which will help me to troubleshoot knowing that A: the packet did hit the interface I was expecting, and B: allow me to verify if there are odd ports/protocols involved. Obviously for simple things like SSH and HTTP it's not needed, but isn't there also the ability to be more granular at the filter than on the policy? Again, all of my training is self-taught using Juniper's YouTube channel and lots of reading through the KBs here.
The logging of policies only produces session-init and session-close, correct? So how would I be able to know that my policy blocked something? If it's blocked, then session-init is never generated. That's kinda why I use the filters. That ensures that I know the packet made it from point A to at least the SRX. Then I can enable trace-options using the IP/port/protocol/etc. to follow the packet through.
I'm guessing too that maybe there are a lot of troubleshooting/tracing aids in J-Web? I don't use that and only use the CLI, as that's what I'm comfortable with.
Again, I really appreciate your input!!!
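The two logging mechanisms discussed in this thread side by side, as an added configuration example that is not from the original post or from Juniper's documentation: a stateless firewall filter applied on a unit 0 interface that syslogs and discards matching packets before they reach the flow module, and a security policy that denies and logs on the first packet. The interface name, filter/term/policy names, zone names, the management subnet and the 192.0.2.0/24 addresses are assumed placeholders.

```junos
/* Added example, not from the original post: assumed names and addresses */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* stateless filter runs before the flow/policy lookup */
                filter {
                    input LOG-MGMT-DENY;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
firewall {
    family inet {
        filter LOG-MGMT-DENY {
            /* log and drop SSH/HTTP that is not from the assumed management net */
            term DENY-UNTRUSTED-MGMT {
                from {
                    source-address {
                        192.0.2.0/24 except;
                        0.0.0.0/0;
                    }
                    protocol tcp;
                    destination-port [ ssh http ];
                }
                then {
                    syslog;      /* sends to system syslog (PFE_FW_SYSLOG_IP) */
                    discard;
                }
            }
            term ALLOW-REST {
                then accept;     /* everything else continues to the flow module */
            }
        }
    }
}
security {
    policies {
        from-zone untrust to-zone trust {
            policy DENY-ALL-LOG {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;   /* logged on the first packet of the denied flow */
                    }
                }
            }
        }
    }
}
system {
    syslog {
        host 192.0.2.10 {
            firewall any;    /* filter syslog actions */
            any info;        /* RT_FLOW messages from policy logging */
        }
    }
}
```

With this in place, a denied flow produces two independent records that can be correlated by address and port: the filter's PFE_FW_SYSLOG_IP line proves the packet arrived on that interface, and the policy's RT_FLOW_SESSION_DENY line (emitted because `log session-init` is set on a deny action) proves which policy rejected it. Since the filter discards first, only packets the filter accepts ever reach the policy, so the two messages describe different traffic rather than the same packet twice.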