Planning to implement Meraki SD-WAN on 15 branches, with the DC to be colocated. 2 sites have more than 800 users; the others have 250 users on average. For now we have firewalls at the branches. Please suggest what mode I should run my MX devices in, and do I need a firewall at all branches along with the MX devices?
As always, it depends. If your actual firewalls do all of the processing for Internet traffic, you only need the MX Enterprise licenses, which will save you money. But you have to maintain two platforms. If you move the firewalling to the MX, you will likely go with the Advanced Security license because that will give you more security features. Very positive with Meraki MX: for high availability you only need an additional MX, but not an extra license.
For the sizing, the sites with 250 users will likely be candidates for the MX95, while the sites with 800 users could use an MX250. But you should also take into account the needed throughput for Internet traffic and VPN.
Yes, you can mix them as you want. Keep in mind that with concentrator mode you cannot have two WAN connections on the MX. That is a restriction that I typically don't like, as nearly all customers have two ISPs at the HQ/DC and I want to have both active for AutoVPN.