Hey everyone sorry for the long question, I will try to be really clear here.
In my org we use an MX250 to tunnel guest wireless traffic out to the internet. We have a couple of different SSIDs that use this setup. Once they leave the MX they traverse our DMZ in our data center and leave via a Palo Alto NGFW. On the Palo I can see destination traffic. The issue is all of the source addresses are the outside interface of the MX. So my need is that I need to see client destinations on the inside before it leaves the MX. I am given to understand from Meraki support that the MX does not capture this information, and there is no way to do this on the MX. Does anyone know or have experience with capturing this information this way? I realize that in this setup a tunnel is created from the wireless access point to the MX, so that may cause an issue here. Just trying to run down some traffic issues we are seeing with some folks connecting devices to our guest wireless and sending traffic we would like to investigate. We have URL blocks and L7 firewall rules on the MX for all the big bads, but I am sure everyone here knows how users are, and folks are constantly finding ways around them. As well, if we have folks using personal devices that are reaching out to known malware or botnet C2 that the Palo picks up, I would like to be able to tie that back to a user to alert them of the issue.
Thanks in advance
Caleb