Any way to get MX Security Center to inspect/block traffic going to forwarded ports?

KenLux
Getting noticed

Hi,

We have a few ports that are forwarded to servers handling traffic from the internet.

It appears that the MX forwards traffic before it does anything else. So Level 3 inbound/outbound have no effect (you have to block outbound in the Level 7 rules, which is inconvenient, but appears to work sometimes).

It also appears that the Security Center on the MX does not inspect forwarded packets either.

Am I missing something here? Why even have the Security Center if the MX ignores the traffic that you most want to inspect and/or block?

I do recall looking into this before and found something along the lines of using 1:Many NAT with some sort of optional setting, but this option was incompatible with AnyConnect VPN, so we can't use it.

Any thoughts?

9 Replies
Mloraditch
Kind of a big deal

Security Center is just a reporting mechanism. As far as I understand AMP and IPS should be inspecting inbound traffic. Are you aware of an exploit that should have been detected that wasn't?

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
KenLux
Getting noticed

We had a few IP addresses trying to connect to our mail server via port 25 up to several thousand times a day. Our spam filter wasn't susceptible to the attacks, but did log them. Absolutely nothing in the Security Center.

I don't know about specific exploits, but these appear to be brute-force attacks to try to login into an SMTP server.

Another server that has a port forwarding rule has seen probes for the recent Sharepoint exploit. Nothing on that in security center. It also got targeted by a reflected XSS attempt (GET /Mondo/lang/sys/Failure.aspx?state=19753%22;}alert(document.domain);function%20test(){%22 HTTP/1.1), and it didn't show up in Security Center.

Weirdly, Security Center did flag some connections to that server as: limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt. So maybe it is inspecting some packets.

Maybe a brute-force attempt to logon to a server isn't supposed to be flagged by Security Center?

As far as blocking traffic, I meant using Threat Protection to block things. We currently have threat protection set to "Detection". My understanding is that these detections are what populate Security Center and that changing the setting to "Prevention" would block the detections it is currently finding. (Though it still has problems identifying clients and flagging DNS traffic to our DC and ISP as malicious).

I do have AMP disabled, but I would have thought that it would still check SMTP traffic.
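Since the thread's conclusion is that the MX's packet-level inspection does not flag repeated logon failures, the brute-force pattern has to be counted from the server's own logs, and the same goes for the reflected XSS probe quoted above, which is only visible once the request target is URL-decoded. The following Python script is an added example (not code from the original post or from Meraki) that does both: it counts SASL authentication failures per source IP in Postfix-style mail log lines, and it flags requests in an Apache common-log style access log whose decoded path matches simple XSS indicators. All log lines are constructed samples; the IP addresses, the failure threshold, the log formats and the indicator list are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample mail log in Postfix/SASL style (not real traffic).
# 203.0.113.10 fails repeatedly, 198.51.100.7 fails once, 192.0.2.5 just connects.
MAIL_LOG = """\
Aug 14 16:01:02 mx1 postfix/smtpd[1201]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Aug 14 16:01:03 mx1 postfix/smtpd[1201]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Aug 14 16:01:05 mx1 postfix/smtpd[1202]: warning: unknown[203.0.113.10]: SASL PLAIN authentication failed: authentication failure
Aug 14 16:01:09 mx1 postfix/smtpd[1203]: warning: unknown[203.0.113.10]: SASL LOGIN authentication failed: authentication failure
Aug 14 16:02:11 mx1 postfix/smtpd[1204]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Aug 14 16:03:00 mx1 postfix/smtpd[1205]: connect from mail.example.net[192.0.2.5]
"""

# Constructed sample access log in Apache common-log style. The first request
# is the reflected-XSS probe quoted in the thread; the third is a generic one.
ACCESS_LOG = """\
203.0.113.44 - - [14/Aug/2025:16:08:19 +0000] "GET /Mondo/lang/sys/Failure.aspx?state=19753%22;}alert(document.domain);function%20test(){%22 HTTP/1.1" 404 512
192.0.2.8 - - [14/Aug/2025:16:08:20 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.44 - - [14/Aug/2025:16:08:21 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
"""

# Client IP of a failed SASL authentication attempt in a Postfix warning line.
SASL_FAIL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]: SASL \w+ authentication failed")

# 'IP ident user [time] "METHOD PATH PROTO" STATUS' in a common-log line.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicators checked against the URL-decoded request target (assumed list).
XSS_INDICATORS = [re.compile(p, re.IGNORECASE) for p in (
    r"<script\b",                       # inline script tag
    r"\balert\s*\(",                    # classic proof-of-concept payload
    r"\bdocument\.(?:domain|cookie)\b", # DOM properties commonly used in probes
    r"\bon[a-z]+\s*=",                  # event-handler attribute injection
)]


def smtp_bruteforce_sources(log_text, threshold=3):
    """Return {ip: failures} for source IPs with at least `threshold` SASL failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SASL_FAIL.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def xss_probe_requests(log_text):
    """Return [(ip, status, path)] for requests whose decoded target matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        ip, _method, path, status = m.groups()
        decoded = unquote(path)  # %22 -> ", %3C -> <, %20 -> space, etc.
        if any(p.search(decoded) for p in XSS_INDICATORS):
            hits.append((ip, int(status), path))
    return hits


if __name__ == "__main__":
    for ip, n in smtp_bruteforce_sources(MAIL_LOG).items():
        print(f"SMTP brute-force candidate: {ip} ({n} SASL failures)")
    for ip, status, path in xss_probe_requests(ACCESS_LOG):
        print(f"XSS probe from {ip} (HTTP {status}): {path}")
```

Run it as a plain script; on the constructed input it reports one brute-force source and two probe requests. The per-IP counting is the same idea a fail2ban-style tool applies, and the resulting source addresses are what you would feed into a deny rule if you do get an L3 firewall in front of the forwarded ports; note that the XSS match runs on the decoded path, which is why a single-packet signature engine keyed on the raw bytes can miss the same request.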

alemabrahao
Kind of a big deal

Bigip is the key 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
KenLux
Getting noticed

I did just notice that the MX Security Center was flagging some traffic to our SMTP server. I guess it really doesn't detect the brute-force-logon attempts (hard to do from inspection of individual packets).

I'll try turning AMP on to see if it picks up more http-based attacks.

RWelch
Kind of a big deal

[Screenshot 2025-08-14 at 16.08.19.png]

Does traffic show up for those devices if you select (enable) CLEAN and UNKNOWN boxes?

KenLux
Getting noticed

For our SMTP server, nothing detecting brute-force logon attempts, but I did see that it picked up a few events. (Crypto-mining pool connection attempts, ISO file attachment). I didn't see them at first because the MX listed the client as "(none)" - it really doesn't do a good job with host resolution.

For a web server, it misses probes for Sharepoint exploits and Reverse XSS attacks. It did flag a few connections for: limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt.

So, I guess it's not designed to flag brute-force attempts.

alemabrahao
Kind of a big deal

In your case, it is recommended to use a solution like Bigip.

KenLux
Getting noticed

Would enabling this allow blacklisting inbound IPv4 addresses?

https://documentation.meraki.com/MX/Networks_and_Routing/NAT_Exceptions-No_NAT_on_MX_Security_Applia...

If so, can this be enabled without disabling NAT? I just want a L3 firewall on forwarded traffic.

Before I thought that this disabled AnyConnect, but it looks like you need to configure allow rules for inbound AnyConnect connections.

Mloraditch
Kind of a big deal

This caveat for AnyConnect still exists on that link:
"In order to accommodate AnyConnect Client VPN on MX appliances, changes were required that prevent the concurrent use of Client VPN - either via AnyConnect or IPsec) - and No NAT."
