As @ww hints, the question here is; what role is the extra non-MX firewall there to perform? Most customers will, at branches, just have a/the routed mode MX. With the right license level, it's usually all the branch firewall you need. Except if you really have to perform https decrypt, in which case, pairing up the MX with Umbrella is probably the most scalable approach Hopefully you found this already but, for your DCs, go with one-armed VPN Concentrator MXs behind your DC firewalls, as per https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide
... View more