I am working on a SDWAN project, the customer has firewalls on all sites, I propose a one-armed architecture for the Hubs, my question is how can I connect the MX on the remote sites with the customer firewalls? in routed mode by positioning the Mx in front of the firewall? or MX behind the customer firewall?
As @ww hints, the question here is; what role is the extra non-MX firewall there to perform? Most customers will, at branches, just have a/the routed mode MX. With the right license level, it's usually all the branch firewall you need. Except if you really have to perform https decrypt, in which case, pairing up the MX with Umbrella is probably the most scalable approach