@IgorPodgorny I would have to disagree.. as long as you have an appropriately size MX it is one of the best firewalls money can buy. But a lot of the time people don't size there appliances approitaply for there environment or future proofing. 

Dakota Snow | Network-dad
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad on

I'm not talking about a size or throughput. I'm referring to a "must have" functions of an edge device for a larger environment.

1. No dynamic routing. There is no way to propagate routes into upstream MPLS. I get that that with VPN you may not need to do that, but there is also no way to learn routes from a core/distribution downstream switch. The only option is to use static routes.

2. Many:1 NAT is  not an option (this is a big one). I have multiple ISPs, yet there is no way to make server (Exchange for example) available on both of them. There is 1:1 NAT and with that you have to set outbound priority.

3. Limited port forwarding. There is no way to claim one of the public IPs on WAN and configure port forwarding. The only port forwarding you can do is done on IP assigned to WAN interface. Well I guess you can do 1:Many NAT, but that ties that internal server to one particular interface.

4. Layer 3 firewall rules can't be assigned per interface, or LAN / WAN side for that matter. No way to whitelist / bypass Layer 3 rules on all LAN traffic for example.

5. Layer 7 firewall lacks filtering all together. The only option is "Deny", can't make any exceptions. Once again all traffic is included LAN-side along with WAN. Something that happened recently in our environment, "Deny peer-to-peer" actually broke LAN side SQL traffic.

6. No visibility (this is also a big one). Tech support offered to create an exception to Layer 7 rule I mentioned above, which brings me to a point. Why can't I see what is being blocked and by what, and how come I can't make those exceptions?

7. IPS / IDS, once again, provides very little control. You can whitelist the rule, but not interface or traffic side. Some things I would like to whitelist as I know what they are (like outdated RDP or something), but I don't want to whitelist it on WAN side, just LAN.

Let me know if you want to know more.... "Best firewall money can buy" can't compete with some free products out there as far as firewall or Edge device goes. I do regret that we went with MXs and a 3 year license. Will be switching as soon as it expires.

@IgorPodgorny is bringing up valid points. The MX definitely has its lacks of features, but as long as you know these shortcomings and if you're placing it right, it also has its advantages too. Especially if you're looking into the integration into Merakis full stack or Ciscos other security offerings, just take a look at the Umbrella or Threat Grid integration.

Long story short: just place it into spots where it fits including the easy management, integration into the ecosystem or great SD-WAN capabilities and everyone will be happy.

Another one, which huge and I totally forgot to mention is that it doesn't do SD-WAN at all:) When you go SD-WAN & Traffic shaping > SD-WAN Policies and add a new one, select service (Office 365 for example), make your custom performance class (should have an option "best link right now", or something along those lines), apply it only to find out that it applies to VPN traffic. Who builds VPN tunnels to all the services that you can selcet from?

They tried to copy fortigate, where it does allow monitoring WAN link performance to any given services and select a link which meets performance criteria or best performing link, and send traffic out of that WAN link, but failed miserably. Can optimize some site-to-site stuff, but not an SD-WAN in any shape or form:)

Interesting .  Thanks for the education

Great, I posted a reply with Meraki shortcomings and they removed it as spam.

@IgorPodgorny - very sorry about that. Our automated spam checker is over-aggressive sometimes. I have un-marked your post as spam and it is now visible.