1-7 of 7 reviews
In my opinion, this firewall allows ANY ANY on internal networks by default, does not have many of the features other firewalls in this price range have, and has limited to no value once your license expires.
Firewall that doesn't do content filtering. We have messed with this device for six months. You whitelist a site and it works for some users and not for others. I'm in a school district and must be CIPA compliant. This device doesn't come close to allowing you to be CIPA compliant. We were told that all our whitelisted sites must only be the home site address, no wildcards. We did that and it was still mixed as to whether or not the site would be blocked or open. We sent in log files with the issues that we are experiencing, and engineering now says that it is a bug that they are looking into. Also found out that this wasn't designed from the ground up as a firewall. Piece of garbage. We are going back to a true Cisco firewall.
The MX64 is perfect for a small-to-medium business that has a need for advanced security features and capabilities but does not have the size or labor force to be able to afford a full-time Cisco-trained network engineer. Easy to use and with powerful features: firewall, site-to-site VPN, client VPN, web filtering, traffic capture, automated alerts. The MX64 doesn't have all the features of a full-blown solution, but it has 95+% of what you need at 10% of the cost. I'm particularly fond of being able to pre-configure a unit via the cloud and send it to a remote site directly without needing to route it through the home office first.
The low end of the Meraki MX line is a fantastic buy, depending on your need. Don't buy these if you're looking for a full-featured firewall or proxy server - there are better, more specialized devices for that. Don't buy one and expect it to let you do fancy configurations at the command line. If you're a Cisco command-line guy these may just tick you off. But if you have lots of small network nodes and relatively few resources (no matter how talented), these are worth their weight in gold. We have several dozen small remote offices and project locations, and I have two network guys. Most have two circuits or ISP lines of some sort for redundancy, and all are VPN'ed together. This device allows us to provide redundant, fully meshed, multi-path VPN with automatic failover and without requiring static IPs (useful for broadband connectivity at temporary project sites). It allows us to prioritize VoIP traffic, to block web usage by category across the split-tunneled internet traffic, and to provide some level of IPS. We can deploy them in a heartbeat, and have them pre-configured and plug-and-play by the time they arrive on site. We also have scenarios where we're looking at using them to provide simple performance-based routing between satellite and cellular networks aboard ships. If the cell link drops below a certain performance metric, they can automatically route across the (normally slower) satellite link instead. We can also do traffic shaping, so that Dropbox and CrashPlan syncing doesn't completely kill WAN performance. The portal-based visibility, especially for connected devices and client activity, is pretty great. The MX devices also give us NetFlow now, so when the portal-based reporting and visibility isn't enough, we can see exactly what's going on. SNMP capabilities are still iffy, but coming along as they continue to make improvements. We're also using Meraki APs now for the same reasons, and even some switches in non-datacenter use cases.
All of that is pretty darn impressive for a little device like this, and exactly what we've needed. So again, if you're looking for a corporate firewall and proxy device, this ain't it. If you want a full-featured device to do routing and VPN connectivity for retail outlets, project sites or smaller branch offices, or better yet to give you visibility and manageability in a dynamic and ever-changing environment, these are definitely worth a look.
To say the Cisco Meraki MX series is missing some essential features of a firewall/proxy box would be a huge understatement. For example, one of their big selling points is how easy it is to set up a site-to-site VPN. It is pretty easy, I will admit that, but once set up some of the key features are either hard to use or missing completely. For example, there is a section called "Site to Site VPN Firewall". You would think this is a firewall to restrict traffic between site-to-site VPN peers, and you would be right. However, the firewall rules have to be written out per IP address and per port. So if you want bi-directional communication between one of your subnets and one of your remote peer's subnets for 10 different ports, you have to write 20 rules: 10 from your subnet to theirs, one for each port, and another ten the other way. If you have 5 subnets internally and they have 5 subnets, those same 10 ports will now take 500 SEPARATE RULES! It doesn't allow you to put in multiple subnets and ports per line. And if you are doing a site-to-site VPN with a non-Meraki peer, then the site-to-site firewall doesn't work at all. I talked to tech support (January 2016) about this and they said that is true and it's not a "feature that has been implemented yet". The problem is this is one of many features that haven't been implemented. For example, the client VPN can be set up a single way, L2TP. It uses Aggressive mode IKE with a preshared key, which by the way fails PCI compliance scans. When asked about this I was told that's the only option and they are not looking to change that. Logging is a big missing one also. You can write firewall rules and the interface lets you see "hits" against each rule, but there is no way to see what actually was accepted or blocked by a rule. So if you write all your rules and then you have a Deny rule as your last rule, an industry standard, there is no way to actually log what is hitting the deny rule.
There is no way to see what's hitting any rule other than a hit counter. When I asked tech support about that (January 2016) I was told "Oh, just put an allow-all rule before your deny rule". *smh* These are examples of the shortcomings I've found in the first month of working with the MX units, and I've asked my sales person what the return policy is on it. I have both an MX84 and an MX64 and both have the same limitations and issues. I am coming from a Forefront TMG 2010 server which, at 6 years old and going end of life this year, has twice the features and is easier to use than this device. This really feels like an incomplete product just thrown on the market and touted as "Cloud Enabled" to make it sell, but it's a bunch of smoke and mirrors. I HIGHLY recommend avoiding the Cisco Meraki MX product line.
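The rule-count explosion the reviewer describes, worked through as an added example (not code from this page or from Meraki): a compact policy is expanded into one rule per subnet pair and port, as an engine that accepts only one source, one destination and one port per line forces you to do, and the count is contrasted with an engine that takes lists per line. The rule format and the sample subnets and ports are constructed.

```python
from dataclasses import dataclass
from itertools import product
from typing import Iterable, List


@dataclass(frozen=True)
class Rule:
    """One allow rule in a per-IP, per-port rule list (constructed format)."""
    src: str
    dst: str
    proto: str
    dport: int


def expand_rules(local: Iterable[str], remote: Iterable[str], ports: Iterable[int],
                 proto: str = "tcp", bidirectional: bool = True) -> List[Rule]:
    """Expand a policy into one rule per (src, dst, port) tuple, as an engine
    that allows only a single subnet pair and a single port per line requires."""
    rules: List[Rule] = []
    for src, dst, port in product(list(local), list(remote), list(ports)):
        rules.append(Rule(src, dst, proto, port))
        if bidirectional:
            # Each direction must be written out as its own rule.
            rules.append(Rule(dst, src, proto, port))
    return rules


def per_line_rule_count(n_local: int, n_remote: int, n_ports: int,
                        bidirectional: bool = True) -> int:
    """Closed form of len(expand_rules(...)) for the same inputs."""
    return n_local * n_remote * n_ports * (2 if bidirectional else 1)


def grouped_rule_count(bidirectional: bool = True) -> int:
    """The same policy on an engine that accepts lists of subnets and ports per line."""
    return 2 if bidirectional else 1


def render(rule: Rule) -> str:
    return f"allow {rule.proto} {rule.src} -> {rule.dst} dport {rule.dport}"


# Constructed sample policy: 5 local subnets, 5 remote subnets, 10 service ports.
LOCAL = [f"10.1.{i}.0/24" for i in range(5)]
REMOTE = [f"192.168.{i}.0/24" for i in range(5)]
PORTS = [22, 25, 53, 80, 123, 389, 443, 445, 636, 3389]

if __name__ == "__main__":
    rules = expand_rules(LOCAL, REMOTE, PORTS)
    print(len(rules), "per-pair/per-port rules vs", grouped_rule_count(), "grouped rules")
    for r in rules[:3]:
        print(render(r))
```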
If you need a simple firewall / content filter and are not hosting any services, using a VPN, or doing really anything other than protecting your network from hackers and browsing the web, then the MX64 will be fine. Otherwise I HIGHLY recommend avoiding the Cisco Meraki MX product line.
I have purchased several of Meraki's appliances for 10 offices, but when we tried to consolidate 3 offices into 1, I wanted to trade in/up 3 smaller MX devices for a larger unit. NO GO: I had to purchase the larger unit as well as the license key, as those are not upgradable. So you really need to think about where your company is going in the next few years before purchasing this product, as you will be left with devices you cannot use.
