I think I can help with that clarification too 🙂 The MX can only have NAT rules that are based on the destination IP address of a given flow. Note that I said 'flow' and not 'packet', because obviously the source IP address field in a _response_ packet is NAT'd, but you can never create a rule that intentionally modifies the source IP for a flow. If you're clever enough there are actually ways to write rules to make this happen for very specific use cases, but I would suggest these configs are bad practice as they are not intuitive and really just taking advantage of side effects of certain configurations. You would be running the risk of no one else understanding your config, and perhaps even Meraki breaking the functionality in future updates as it's not technically supported 🙂
... View more
I assume you are referring to the Advanced Malware Protection (AMP)? If so, " When enabled, all HTTP traffic will be analyzed for malware. Files determined to be malicious will automatically be blocked before they reach the client. For a description of file types that will be evaluated, visit our Security Filtering Documentation Page" So basically it just protects/stops the malware. It doesn't isolate or, in any way, contain the entire clients traffic. Only the malware identified traffic that the client is trying to participate in.
... View more