Initial Configuration of SRX
Note: When you first start, you may get a bunch of messages like these on the screen:
Auto Image Upgrade: DHCP Client Bound interfaces:
Auto Image Upgrade: DHCP Client Unbound interfaces: ge-0/0/0.0 ge-0/0/7.0
Auto Image Upgrade: To stop, on CLI apply "delete chassis auto-image-upgrade" and commit
Auto Image Upgrade: No DHCP Client in bound state, reset all DHCP clients
Auto Image Upgrade: DHCP Client State Reset: ge-0/0/0.0 ge-0/0/7.0
Once you issue the first commit command (see below), these messages will stop.
root@% cli
root> configure
Entering configuration mode
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
delete system autoinstallation
set system time-zone America/New_York
delete chassis auto-image-upgrade
commit
delete security log report
/* set up dns servers for the SRX. If you have domain controllers, they are a better option */
/* note these are used by the SRX itself for configuration, updates, etc. */
/* the computers on the network use the dns servers supplied in the dhcp settings further down */
delete system name-server
set system name-server 176.103.130.130
set system name-server 176.103.130.131
set system name-server 8.8.4.4
/* set up some users to ssh in */
set system login user USERNAME class super-user
set system login user USERNAME authentication plain-text-password
New password: (enter password here)
Retype new password:
/* optional - add ssh key */
set system login user USERNAME authentication ssh-rsa "(insert public key - include " around the key)"
/* optional - allow root to ssh */
set system services ssh root-login allow
/* syslog system changes and who logs in to a syslog server, facility local6 */
set system syslog host MY.SYSLOG.SERVER.IP authorization info
set system syslog host MY.SYSLOG.SERVER.IP conflict-log any
set system syslog host MY.SYSLOG.SERVER.IP change-log any
set system syslog host MY.SYSLOG.SERVER.IP facility-override local6
VERY IMPORTANT
Make sure that
security policies default-policy permit-all
is either removed with
delete security policies default-policy
-or-
replaced with
set security policies default-policy deny-all
(with no default-policy configured, the SRX falls back to its built-in deny-all)
/* we are going to connect the internet to ge-0/0/0 - note that in the other commands below */
/* this is the ip address on our internet facing interface */
set interfaces ge-0/0/0 unit 0 family inet address 9.9.9.9/29
/* set the default route */
set routing-options static route 0.0.0.0/0 next-hop 9.9.9.10
/* give the system a name */
set system host-name gw-srx
/* set the domain name */
set system domain-name mydomain.org
commit
/* address any errors that come up after the "commit" command */
/* change to internal ntp server or your preferred ntp servers */
/* again, if you have domain controllers, replace 1.pool.ntp.org and 2.pool.ntp.org with */
/* the ip addresses of the domain controllers */
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org
/* set backup of system */
/* set system to back up every time we commit changes */
set system archival configuration transfer-on-commit
/* SCP your configuration to 1.1.1.1 port 2022 username juniperback and put it into */
/* the /home/juniperback directory using the password "L3tM3SaveM7Config" */
/* you can replace 1.1.1.1 with a fqdn */
set system archival configuration archive-sites "scp://juniperback@1.1.1.1:2022/home/juniperback" password "L3tM3SaveM7Config"
/* Note the following reply will be sent */
The authenticity of host '[1.1.1.1]:2022 ([1.1.1.1]:2022)' can't be established.
ECDSA key fingerprint is d2:8b:cd:42:1c:31:92:85:22:f5:1a:3f:fb:b9:22:91.
Are you sure you want to continue connecting (yes/no)?
/* you need to reply with "yes" */
yes
/* then you will receive confirmation */
Warning: Permanently added '[1.1.1.1]:2022' (ECDSA) to the list of known hosts.
/* use irb.0 to group the rest of the interfaces and set the ip address for the inside network */
set interfaces irb unit 0 family inet address 10.6.10.1/24
/* set up dhcp */
/* OFFICEDHCPPool and OFFICERange are names I made up to identify things */
set access address-assignment pool OFFICEDHCPPool family inet network 10.6.10.0/24
set access address-assignment pool OFFICEDHCPPool family inet range OFFICERange low 10.6.10.100
set access address-assignment pool OFFICEDHCPPool family inet range OFFICERange high 10.6.10.200
set access address-assignment pool OFFICEDHCPPool family inet dhcp-attributes router 10.6.10.1
set access address-assignment pool OFFICEDHCPPool family inet dhcp-attributes domain-name mydomain.org
set access address-assignment pool OFFICEDHCPPool family inet dhcp-attributes name-server 10.5.9.21
set access address-assignment pool OFFICEDHCPPool family inet dhcp-attributes name-server 10.5.9.22
set access address-assignment pool OFFICEDHCPPool family inet dhcp-attributes name-server 176.103.130.130
/* set up so that the dhcp pools are served out the correct interfaces */
/* 10.6.10.0 is associated with irb.0 */
/* repeat the next line with the other group names and the correct interface name for each pool you set up */
set system services dhcp-local-server group OFFICE-POOL interface irb.0
/* only need the next line once - if skipped and you have multiple pools, addresses from */
/* the wrong pool may be served out the wrong interface */
set system services dhcp-local-server requested-ip-interface-match
/* I am changing the name of the internal zone from "trust" to OFFICE */
delete security zones security-zone trust
set security zones security-zone OFFICE host-inbound-traffic system-services all
set security zones security-zone OFFICE host-inbound-traffic protocols all
set security zones security-zone OFFICE interfaces irb.0
/* changing the outside zone from untrust to INTERNET */
delete security zones security-zone untrust
set security zones security-zone INTERNET interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone INTERNET interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone INTERNET interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone INTERNET screen untrust-screen
/* set up NAT - note we changed our zone names */
delete security nat source rule-set trust-to-untrust
set security nat source rule-set OFFICE-to-INTERNET from zone OFFICE
set security nat source rule-set OFFICE-to-INTERNET to zone INTERNET
set security nat source rule-set OFFICE-to-INTERNET rule NAT-OFFICE-INTERNET match source-address 0.0.0.0/0
set security nat source rule-set OFFICE-to-INTERNET rule NAT-OFFICE-INTERNET then source-nat interface
/* set up intrazone traffic */
delete security policies from-zone trust to-zone trust
set security policies from-zone OFFICE to-zone OFFICE policy OFFICE-to-OFFICE match source-address any
set security policies from-zone OFFICE to-zone OFFICE policy OFFICE-to-OFFICE match destination-address any
set security policies from-zone OFFICE to-zone OFFICE policy OFFICE-to-OFFICE match application any
set security policies from-zone OFFICE to-zone OFFICE policy OFFICE-to-OFFICE then permit
/* set up traffic from inside to outside */
delete security policies from-zone trust to-zone untrust
set security policies from-zone OFFICE to-zone INTERNET policy OFFICE-to-INTERNET match source-address any
set security policies from-zone OFFICE to-zone INTERNET policy OFFICE-to-INTERNET match destination-address any
set security policies from-zone OFFICE to-zone INTERNET policy OFFICE-to-INTERNET match application any
set security policies from-zone OFFICE to-zone INTERNET policy OFFICE-to-INTERNET then permit
/*******************************************/
/** IMPORTANT!!!!!!!!!!! */
/* MAKE. SURE. YOU. SET. THIS!!! */
/* if you dont set this - anything that */
/* does not fit in the security policies */
/* will be PERMITTED!!! */
set security policies default-policy deny-all
/* ssh was enabled on the untrusted interface above; restrict it to the admin addresses */
/* https://www.juniper.net/documentation/en_US/junos/topics/example/permitted-ip-configuring.html */
set policy-options prefix-list ADMIN-IPS some.public.ip.itrust/32
set policy-options prefix-list ADMIN-IPS another.public.ip.itrust/29
set policy-options prefix-list ADMIN-IPS 10.6.14.0/24
annotate policy-options "ADMIN-IPS are permitted ssh access"
set firewall filter ADMIN-FILTER term BLOCK-NON-ADMIN from source-address 0.0.0.0/0
set firewall filter ADMIN-FILTER term BLOCK-NON-ADMIN from source-prefix-list ADMIN-IPS except
set firewall filter ADMIN-FILTER term BLOCK-NON-ADMIN from protocol tcp
set firewall filter ADMIN-FILTER term BLOCK-NON-ADMIN from destination-port ssh
set firewall filter ADMIN-FILTER term BLOCK-NON-ADMIN from destination-port telnet
set firewall filter ADMIN-FILTER term BLOCK-NON-ADMIN then discard
set firewall filter ADMIN-FILTER term accept_everything_else then accept
/* Finally the filter is assigned to the loopback interface. */
/* Note: the filter is assigned to the loopback interface because this ensures that only management traffic (traffic to the box itself) is filtered. */
set interfaces lo0 unit 0 family inet filter input ADMIN-FILTER
/* limit ssh access from ipv6 addresses */
set policy-options prefix-list ADMIN-IPV6 9999:9999::/64
/* firewall rules */
set firewall family inet6 filter ADMIN-FILTER6 term BLOCK-NON-ADMIN from source-address ::0/0
set firewall family inet6 filter ADMIN-FILTER6 term BLOCK-NON-ADMIN from source-prefix-list ADMIN-IPV6 except
set firewall family inet6 filter ADMIN-FILTER6 term BLOCK-NON-ADMIN from destination-port ssh
set firewall family inet6 filter ADMIN-FILTER6 term BLOCK-NON-ADMIN from destination-port telnet
set firewall family inet6 filter ADMIN-FILTER6 term BLOCK-NON-ADMIN then discard
set firewall family inet6 filter ADMIN-FILTER6 term accept_everything_else then accept
/* apply filter */
set interfaces lo0 unit 0 family inet6 filter input ADMIN-FILTER6
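The two mistakes the notes keep warning about (a default policy that is not deny-all, and a management filter that is written but never applied to lo0) are both invisible at commit time because the configuration is syntactically fine. The following script is an added example, not part of the original notes and not a Juniper tool: it reads a configuration in "display set" form (a constructed sample is embedded; only the Python standard library is used) and reports those two conditions plus root SSH login. Run it against the output of "show configuration | display set" before you walk away from a freshly built SRX.

```python
"""Sanity checks for an SRX configuration in 'set' format.

Added example; not part of the original notes and not Juniper tooling.
Feed it the output of `show configuration | display set` (a constructed
sample is embedded below) and it flags the pitfalls the notes warn about.
"""
from typing import List, Optional, Set

# Constructed sample in 'display set' form; the filter names mirror the
# notes, everything else is made up for the demonstration.
SAMPLE_CONFIG = """\
set system services ssh root-login allow
set security policies default-policy permit-all
set firewall filter ADMIN-FILTER term BLOCK-NON-ADMIN from protocol tcp
set firewall filter ADMIN-FILTER term BLOCK-NON-ADMIN from destination-port ssh
set firewall filter ADMIN-FILTER term BLOCK-NON-ADMIN then discard
set firewall filter ADMIN-FILTER term accept_everything_else then accept
set firewall family inet6 filter ADMIN-FILTER6 term BLOCK-NON-ADMIN then discard
set interfaces lo0 unit 0 family inet6 filter input ADMIN-FILTER6
"""


def parse_set_lines(text: str) -> List[List[str]]:
    """Tokenise every 'set ...' line; blank lines and comments are skipped."""
    stmts = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            stmts.append(line.split())
    return stmts


def default_policy(stmts: List[List[str]]) -> Optional[str]:
    """Return the configured default-policy action, or None if it is unset."""
    for t in stmts:
        if t[:4] == ["set", "security", "policies", "default-policy"] and len(t) > 4:
            return t[4]
    return None


def defined_filters(stmts: List[List[str]]) -> Set[str]:
    """Names of all inet and inet6 firewall filters that are defined."""
    names = set()
    for t in stmts:
        if t[:3] == ["set", "firewall", "filter"] and len(t) > 3:
            names.add(t[3])
        elif t[:5] == ["set", "firewall", "family", "inet6", "filter"] and len(t) > 5:
            names.add(t[5])
    return names


def lo0_input_filters(stmts: List[List[str]]) -> Set[str]:
    """Names of filters applied as input filters on lo0 (inet or inet6)."""
    names = set()
    for t in stmts:
        # set interfaces lo0 unit 0 family <inet|inet6> filter input <NAME>
        if (len(t) == 10 and t[:5] == ["set", "interfaces", "lo0", "unit", "0"]
                and t[5] == "family" and t[6] in ("inet", "inet6")
                and t[7:9] == ["filter", "input"]):
            names.add(t[9])
    return names


def lint(text: str) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    stmts = parse_set_lines(text)
    findings = []
    dp = default_policy(stmts)
    # Unset means the SRX built-in default, which is deny-all, so only an
    # explicit value other than deny-all is a problem.
    if dp is not None and dp != "deny-all":
        findings.append(f"default-policy is '{dp}': delete it or set deny-all")
    for name in sorted(defined_filters(stmts) - lo0_input_filters(stmts)):
        findings.append(f"filter {name} is defined but never applied as an input filter on lo0")
    if ["set", "system", "services", "ssh", "root-login", "allow"] in stmts:
        findings.append("ssh root-login allow is set; use named super-user accounts instead")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("WARN:", finding)
```

The check deliberately treats a missing default-policy as acceptable, since deleting it is one of the two fixes the notes give; a value that is present but misspelt (for example "deny" on its own) is reported the same way as permit-all.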
Configure interfaces
delete interfaces ge-0/0/0 unit 0 family inet
set interfaces ge-0/0/0 unit 0 description INTERNET
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members INTERNET
delete interfaces ge-0/0/1 unit 0 family ethernet-switching
delete interfaces ge-0/0/2 unit 0 family ethernet-switching
delete interfaces ge-0/0/3 unit 0 family ethernet-switching
delete interfaces ge-0/0/4 unit 0 family ethernet-switching
delete interfaces ge-0/0/5 unit 0 family ethernet-switching
delete interfaces ge-0/0/6 unit 0 family ethernet-switching
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members INTERNET
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members OFFICE
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members OFFICE
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members OFFICE
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members OFFICE
set interfaces ge-0/0/6 unit 0 family ethernet-switching vlan members OFFICE
delete interfaces ge-0/0/7 unit 0 family inet
set interfaces ge-0/0/7 unit 0 family ethernet-switching vlan members OFFICE
set interfaces irb unit 0 description OFFICE
delete interfaces irb unit 0 family inet address 192.168.1.1/24
set interfaces irb unit 0 family inet address 10.128.100.1/24
set interfaces irb unit 10 description WOW
set interfaces irb unit 10 family inet address 216.130.131.106/28
set interfaces irb unit 20 description COMCAST
set interfaces irb unit 20 family inet address 96.80.59.236/28
delete vlans vlan-trust
set vlans COMCAST vlan-id 20
set vlans COMCAST l3-interface irb.20
set vlans OFFICE vlan-id 3
set vlans OFFICE l3-interface irb.0
set vlans WOW vlan-id 10
set vlans WOW l3-interface irb.10
/* if you are running version 19, you must create a user to ssh in */
set system login user sshusername authentication plain-text-password
set system login user sshusername class super-user
Set up a Public Wireless Network
Use VLAN 20 and the address range 172.16.1.0/24.
/* set up the interface for the WIRELESS */
set interfaces irb unit 20 description PUBLIC-WIRELESS
set interfaces irb unit 20 family inet address 172.16.1.1/24
/* create the vlan */
set vlans PUBLIC-WIRELESS vlan-id 20
set vlans PUBLIC-WIRELESS l3-interface irb.20
/* set up a dhcp server for the wireless */
set access address-assignment pool WIRELESSPOOL family inet network 172.16.1.0/24
set access address-assignment pool WIRELESSPOOL family inet dhcp-attributes domain-name mydomain.wireless
set access address-assignment pool WIRELESSPOOL family inet range WIRELESS-RANGE low 172.16.1.10
set access address-assignment pool WIRELESSPOOL family inet range WIRELESS-RANGE high 172.16.1.200
set access address-assignment pool WIRELESSPOOL family inet dhcp-attributes name-server 176.103.130.130
set access address-assignment pool WIRELESSPOOL family inet dhcp-attributes name-server 176.103.130.131
/* the router handed to clients must be the irb.20 address set above */
set access address-assignment pool WIRELESSPOOL family inet dhcp-attributes router 172.16.1.1
/* set a security zone */
set security zones security-zone WIRELESS host-inbound-traffic system-services all
set security zones security-zone WIRELESS host-inbound-traffic protocols all
set security zones security-zone WIRELESS interfaces irb.20
/* permit intra WIRELESS traffic */
set security policies from-zone WIRELESS to-zone WIRELESS policy WIRELESS-to-WIRELESS match source-address any
set security policies from-zone WIRELESS to-zone WIRELESS policy WIRELESS-to-WIRELESS match destination-address any
set security policies from-zone WIRELESS to-zone WIRELESS policy WIRELESS-to-WIRELESS match application any
set security policies from-zone WIRELESS to-zone WIRELESS policy WIRELESS-to-WIRELESS then permit
/* nat wireless traffic to the INTERNET */
set security nat source rule-set WIRELESS-to-INTERNET from zone WIRELESS
set security nat source rule-set WIRELESS-to-INTERNET to zone INTERNET
set security nat source rule-set WIRELESS-to-INTERNET rule NAT-WIRELESS-INTERNET match source-address 0.0.0.0/0
set security nat source rule-set WIRELESS-to-INTERNET rule NAT-WIRELESS-INTERNET then source-nat interface
/* set up a trunk on ge-0/0/4 where the OFFICE network is the native vlan and the WIRELESS is tagged */
/* the wireless access point will be plugged into this interface */
set interfaces ge-0/0/4 native-vlan-id 3
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members PUBLIC-WIRELESS
Troubleshooting
Show System Alarms
Make sure there are no alarms (a red light on the left side of the front panel); if there is one, see
Configure the log file
set system syslog file firewall firewall info
View Log
root@srx240l> show log firewall
Sep 1 22:30:14 srx240 clear-log[15397]: logfile cleared
Sep 2 01:51:44 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 176.20.7.244 94.15.8.26 57837 34105 (1 packets)
Sep 2 01:51:53 srx240l last message repeated 2 times
Sep 2 12:35:06 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 8.2.13.83 4.15.26.70 18978 22 (2 packets)
Sep 2 12:35:08 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 82.132.19.83 94.15.26.70 18978 22 (2 packets)
Sep 2 12:35:11 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.2.39.83 94.15.26.70 18978 22 (2 packets)
Sep 2 12:35:14 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.12.19.83 94.1.2.70 18978 22 (1 packets)
Sep 2 12:35:16 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.132.19.83 94.1.2.70 18978 22 (1 packets)
Sep 2 12:35:19 srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0 D tcp 2.132.13.206 94.1.26.70 21438 22 (3 packets)
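The PFE_FW_SYSLOG_IP lines above are written by filter terms that carry the syslog action, and in a busy log the useful question is not "what was the last drop" but "which ports and sources are being discarded most". The script below is an added example, not part of the original notes: it parses lines in the show log firewall format (the sample entries are constructed, using documentation address ranges and the host name gw-srx), honours the "last message repeated N times" compression, and totals discarded packets per destination port and per source. Only the Python standard library is used.

```python
"""Summarise discards from SRX firewall-filter syslog entries.

Added example; not part of the original notes. PFE_FW_SYSLOG_IP lines
are written when a filter term carries the syslog action. The sample
lines below are constructed (documentation IP ranges) and mimic the
`show log firewall` format: interface, action (D = discard, A = accept),
protocol, source, destination, source port, destination port, packets.
"""
import re
from collections import Counter, namedtuple
from typing import Dict, List, Tuple

Record = namedtuple("Record", "iface action proto src dst sport dport packets")

EVENT = re.compile(
    r"PFE_FW_SYSLOG_IP: FW: (\S+) (\S) (\S+) (\S+) (\S+) (\d+) (\d+) \((\d+) packets?\)"
)
REPEAT = re.compile(r"last message repeated (\d+) times")

# Constructed sample log; gw-srx, the addresses and the counts are made up.
SAMPLE_LOG = """\
Sep  2 12:35:06 gw-srx gw-srx PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 D tcp 198.51.100.7 203.0.113.2 18978 22 (2 packets)
Sep  2 12:35:08 gw-srx gw-srx PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 D tcp 198.51.100.7 203.0.113.2 18979 22 (1 packets)
Sep  2 12:35:11 gw-srx last message repeated 2 times
Sep  2 12:35:14 gw-srx gw-srx PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 D tcp 198.51.100.9 203.0.113.2 41000 23 (1 packets)
Sep  2 12:35:16 gw-srx gw-srx PFE_FW_SYSLOG_IP: FW: ge-0/0/0.0 A tcp 192.0.2.10 203.0.113.2 51234 22 (3 packets)
Sep  2 12:35:19 gw-srx clear-log[15397]: logfile cleared
"""


def parse_firewall_log(text: str) -> List[Record]:
    """Parse event lines; 'last message repeated N times' re-adds the previous record N times."""
    records: List[Record] = []
    for line in text.splitlines():
        m = EVENT.search(line)
        if m:
            g = m.groups()
            records.append(Record(g[0], g[1], g[2], g[3], g[4], int(g[5]), int(g[6]), int(g[7])))
            continue
        m = REPEAT.search(line)
        if m and records:
            records.extend([records[-1]] * int(m.group(1)))
    return records


def dropped_packets_by_port(records: List[Record]) -> Dict[int, int]:
    """Total discarded packets per destination port."""
    counts: Counter = Counter()
    for r in records:
        if r.action == "D":
            counts[r.dport] += r.packets
    return dict(counts)


def top_blocked_sources(records: List[Record], dport: int, n: int = 5) -> List[Tuple[str, int]]:
    """Sources with the most discarded packets towards one destination port."""
    counts: Counter = Counter()
    for r in records:
        if r.action == "D" and r.dport == dport:
            counts[r.src] += r.packets
    return counts.most_common(n)


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print("discards by port:", dropped_packets_by_port(recs))
    print("top sources hitting ssh:", top_blocked_sources(recs, 22))
```

Pipe the output of "show log firewall" into parse_firewall_log and the port 22 summary tells you at a glance whether the ADMIN-FILTER term is doing its job against addresses outside ADMIN-IPS; an unexpected accepted ("A") entry on port 22 from an unknown source is the line worth chasing.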
Reboot
Erase Running Configuration
load factory-default (recommended)
or
delete
Rollback
To correct the failed configuration:
- Log in to the device through the management IP (or the console if permitted).
- Load the failed configuration.
user@host# rollback 1
If you are doing this step right after recovery mode, rollback 1 will be the configuration that caused the amnesiac mode.
- Make corrections to the configuration.
- Do a commit check.
user@host# commit check
- If there are other corrections to make, make them.
- Commit configuration.