That is correct, security inspection such as Content Filtering and Threat Protection is done locally on the MX. The hub/concentrator MX will not inspect traffic from the remote VPN subnets. You can find this information referenced here: https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Content_Filtering_and_Threat_Protection_over_Full-tunnel_Site-to-site_VPN
... View more