In bridge mode, do I still get firewall functionality? My understanding is that bridge mode is the firewall operating in layer 2 mode, which means no routing. With a one-armed concentrator deployment it's still a layer 3 device, so by Passthrough or VPN Concentrator, how does the MX know it needs to work in bridge mode with no routing and/or VPN concentrator mode?
@Aamir Passthrough/Concentrator Mode is best used when there is an existing Layer 3 device upstream handling network routing functions. The MX in this instance would still act as a security appliance, but with less functionality for Layer 3 networking.
The recommended use case for the MX security appliance in passthrough mode is when it is acting as a VPN Concentrator for the Cisco Meraki Auto VPN feature. Passthrough/VPN Concentrator mode ensures easy integration into an existing network that may already have layer 3 functionality and edge security in place. With this mode, a Cisco Meraki MX security appliance can be integrated into the existing topology and allow for seamless site to site communication with minimal configuration needed.
I have a follow-up question though. In the MX's documentation it is written:
"When using an MX as a site-to-site VPN peer, it will only be able to send client traffic over the VPN tunnel if that traffic has been directed to it. As such, a router or L3 switch on the network will need to have static routes configured, such that VPN-bound traffic is sent to the MX. This traffic will then be encrypted and sent through the site-to-site VPN tunnel. Traffic bound to the Internet or other destinations will simply pass through the appliance:"
Let's say that I have this kind of topology:
Internet - Edge FW - DMZ - MX L2/VPN concentrator - Router - LAN
If I have layer 3 functionality to ensure routing, and I set the MX in passthrough mode, is it possible for it to deal with S2S VPN, Client VPN AND still pass all internet traffic (incoming and outgoing) through the MX using filtering, IPS and AMP functionalities?