An MX is a security appliance - a firewall with a dash of router.
Specifically regarding the MX64/MX65, here is an overview of the device: https://documentation.meraki.com/MX/MX_Overviews_and_Specifications/MX64_and_MX65_Overview_and_Speci...
It's a wannabe firewall. It's good at site-to-site VPN and is very limited in other aspects. It's OK for a small business, and does a bit of everything. With a larger environment you will quickly discover its configuration / capabilities limits.
@IgorPodgorny I would have to disagree. As long as you have an appropriately sized MX, it is one of the best firewalls money can buy. But a lot of the time people don't size their appliances appropriately for their environment or future-proofing.
I'm not talking about size or throughput. I'm referring to the "must have" functions of an edge device for a larger environment.
1. No dynamic routing. There is no way to propagate routes into upstream MPLS. I get that with VPN you may not need to do that, but there is also no way to learn routes from a core/distribution downstream switch. The only option is to use static routes.
2. Many:1 NAT is not an option (this is a big one). I have multiple ISPs, yet there is no way to make a server (Exchange, for example) available on both of them. There is 1:1 NAT, and with that you have to set an outbound priority.
3. Limited port forwarding. There is no way to claim one of the public IPs on the WAN and configure port forwarding. The only port forwarding you can do is on the IP assigned to the WAN interface. Well, I guess you can do 1:Many NAT, but that ties that internal server to one particular interface.
4. Layer 3 firewall rules can't be assigned per interface, or LAN / WAN side for that matter. No way to whitelist / bypass Layer 3 rules on all LAN traffic for example.
5. Layer 7 firewall lacks filtering altogether. The only option is "Deny"; you can't make any exceptions. Once again, all traffic is included LAN-side along with WAN. Something that happened recently in our environment: "Deny peer-to-peer" actually broke LAN-side SQL traffic.
6. No visibility (this is also a big one). Tech support offered to create an exception to the Layer 7 rule I mentioned above, which brings me to a point. Why can't I see what is being blocked and by what, and how come I can't make those exceptions?
7. IPS / IDS, once again, provides very little control. You can whitelist the rule, but not the interface or traffic side. Some things I would like to whitelist as I know what they are (like outdated RDP or something), but I don't want to whitelist it on the WAN side, just LAN.
Let me know if you want to know more... "Best firewall money can buy" can't compete with some free products out there as far as a firewall or edge device goes. I do regret that we went with MXs and a 3-year license. Will be switching as soon as it expires.
@IgorPodgorny is bringing up valid points. The MX definitely has its lack of features, but as long as you know these shortcomings and you're placing it right, it also has its advantages. Especially if you're looking into integration with Meraki's full stack or Cisco's other security offerings, just take a look at the Umbrella or Threat Grid integration.
Long story short: just place it into spots where it fits, including for the easy management, integration into the ecosystem or great SD-WAN capabilities, and everyone will be happy.