The SD WAN solution market is a complicated mix of licensed software, NaaS (Network-as-a-Service) products, SASE security and managed service offerings using one of the commercial software products. The following is a summary of the 10 best SD WAN solutions.
Here's a list of the best SD WAN solutions.
- Cato Networks
- Cisco SD WAN Viptela
- Cisco Meraki
- Open Systems
- Palo Alto
- VeloCloud by VMWare
1. Aryaka (Smart portfolio)
Aryaka, which was arguably the original NaaS (Network as a Service), has evolved a multifaceted portfolio around core connectivity, cloud interconnect, security and network analysis services. The company’s NaaS service, SmartConnect, includes core SD WAN features and is available with either global or regional connectivity with global private backbone access. Users access their local private PoP using DIA (Direct Internet Access). To this, Aryaka developed the following complementary services:
- SmartCloud, a multi-cloud backbone with direct connections to AWS, Azure, Google Cloud and Oracle and accelerations for SaaS (Software as a Service) applications.
- SmartSecure, a SASE tier with an integrated advanced security firewall, micro-segmentation and remote access VPN.
- SmartOptimize, providing WAN and acceleration across cloud applications.
- SmartManage and SmartInsights, a WAN infrastructure management portal and APM.
Aryaka recently acquired Secucloud, which adds their own SASE security capability to their SD WAN solution. If your business is reluctant to move away from private-based, QoS (Quality of Service) enabled MPLS circuits, Aryaka is worth considering as a good halfway networking and security capability.
What are the PROS of Aryaka SD WAN?
- Multi-cloud access to AWS, Azure and Google Cloud
- Fully managed services
- Sourcing of global SD WAN DIA underlay connectivity
- Private backbone
What are the CONs of Aryaka SD WAN?
- SASE security only just on the horizon with their purchase of Secucloud
- Not typically a great fit for national requirements
- Marketing push for managed services, not so much DIY
2. Cato Networks (Cato Cloud portfolio)
Like Aryaka, Cato Networks is another cloud-based NaaS that was one of the first to develop and promote a set of integrated security services that we later dubbed SASE. As a NaaS, Cato operates a global backbone with more than 50 POPs that uses proprietary routing and traffic management software to improve performance and availability. Aryaka are capable of sourcing DIA from multiple service providers with end to end management.
Other Cato services build on the backbone foundation. These include:
- Edge SD WAN functionality which uses a hardware appliance to provide SD WAN service to enterprise branch locations.
- SASE provides firewall, IPS, secure Web gateway and malware scanning services.
- Remote access with authenticated access to a private network supporting SSO and MFA.
- Multi-cloud access with direct connections to AWS, Azure/O365, Box and other IaaS and SaaS properties.
CATO is listed as a Gartner Visionary, formed in 2019. CATO is viewed as a great solution for the SME or large Enterprise with a large number of remote users, with next-generation Firewall security included within the solution capability. Interesting fact: CATO is led by Shlomo Kramer, co-founder of the security giant Check Point Software.
The CATO service offering spans One Network, a Global SLA-backed backbone which can carry Internet and WAN traffic. One security and policy provide a unified cloud-based solution to protect traffic across users, HQ & branch office locations and apps.
What are the PROS of Cato SD WAN?
- Easy to use GUI interface for DIY and Co-managed requirements
- Leading the way in SASE security SD WAN features and performance
- Global 50+ private backbone cloud PoPs
What are the CONs of Cato SD WAN?
- Cloud provider access is not native and requires adding a Cato socket into each cloud DC
- No fully managed SD WAN underlay
- GUI features are not well suited to large complex requirements
3. Cisco SD WAN (Viptela)
Cisco SD WAN Viptela offers significant SD WAN solution capability for organisations which require support for large or complex architecture. Application performance features are supported by real-time analytics and reporting with comprehensive SASE security via their Umbrella cloud product-set. Viptela is deployed across Cisco Catalyst 8000, standard routers and industrial routers. Alongside the traditional WAN edge, Cisco SD WAN can be virtualised using the Catalyst 8200 uCPE device, the ENCS 5000 series and SD-Branch.
Cisco’s core SD WAN product, by way of the Viptela acquisition and dubbed a Secure Extensible Network (SEN), has four components:
- The vManage centralised management system for configuration and monitoring.
- A centralised virtual network vSmart Controller to route traffic, authenticate and interconnect edge devices and enforce network policies and security.
- The vBond Orchestrator automates the installation and configuration of controllers and edge devices and provides redundancy and load balancing in environments with multiple vSmart Controllers.
- Remote site vEdge Routers, which can be either a virtual or hardware appliance, that terminate SD WANs and provide standard router functions like VLAN tagging, QoS, and ACL-based policies. Source: Cisco documentation.
- Cisco DNA offers the features you need based on product tiers which include Essentials, Advantage and Premier.
What are the PROS of Viptela SD WAN?
- Suited to large complex Enterprise customers
- Requires significant expertise to self manage solutions
- Strong, powerful feature set with advanced routing
- Supports segmentation of WAN with VPN across individual hosts
What are the CONs of Viptela SD WAN?
- Selecting the right partner to deliver services requires significant thought and analysis
- The migration to Viptela from legacy solutions is often problematic
- Testing is a firm requirement for all Viptela deployments
4. Cisco Meraki SD WAN
Many of Cisco’s Meraki wireless products like the MX appliances with SD WAN provide VPN and SD WAN services such as support for IKE/IPSec tunnels, L2TP termination, VPN link redundancy, policy-based-routing, dynamic path selection for best WAN performance, support for application-layer performance profiles and automatic provisioning. The MX devices also include UTM security features such as a firewall, IPS, content filtering and malware scanning.
- Meraki supports strong Wireless access point capability with BYoD (Bring your own device) policies
- Cisco Meraki CCTV and camera support
- Integrates well with Cisco Meraki LAN solutions resulting in an end to end platform
What are the PROS of Meraki SD WAN?
- Huge base of integrators and resellers
- Meraki offers additional CCTV support, ideal for retailers
- Traditional vendor with solid roadmap and prior experience
What are the CONs of Meraki SD WAN?
- Gartner suggest customers often experience issues with the Cisco sales process
- Cisco are consolidating products but as of today, licensing costs can become high as features are added
- Meraki is often viewed as SD WAN-lite
5. Fortinet
Fortinet is a leading provider of UTM (Unified Threat Management) appliances that primarily targets branch office and SOHO environments. Its appliances scale from two-port 10 GbE to 32-port 10/25/100 GbE devices with up to 310 GBPs VPN throughput. The FortiOS software powering its appliances includes an SD WAN subsystem with the following features:
- Multi-link traffic management supporting both active-active and active-standby configurations and hub-spoke or full-mesh topologies.
- Protocol optimisations, compression and error correction to improve performance.
- L7 application identification and QoS policies using DPI with SSL decryption.
- Central management console for all Fortinet devices in a network. Fortigate devices use a custom ASIC to accelerate SD WAN packet processing and inspection.
What are the PROS of Fortinet SD WAN?
- Highly capable SASE security vendor
- Good SD WAN capability sold by channel partners
- Fortinet build their own custom ASICs (Application Specific Integrated Circuits)
What are the CONs of Fortinet SD WAN?
- Security first means networking experience is limited compared to other vendors
- Not viewed as a typical fit for large global Enterprise solutions
- Fortinet are associated with branch security rather than cloud security
6. Globalgig
Globalgig is a global MVNO offering a unique multi-IMSI SIM with more than 600 carrier profiles in 200 countries, resulting in extensive hybrid WAN capability. Globalgig takes a similar Switzerland approach to its managed SD WAN service, allowing customers to customise the features and implementation by supporting products from Cisco (both flavors), Cradlepoint, Fortinet, Palo Alto Networks and Peplink. Globalgig provides a central management console to monitor site and path availability, traffic and device metrics and application performance. It supports remote locations via wireless service using its MVNO partners and offers three service tiers with added features at each level.
- Service provider with global reach and carrier independent access
- Major focus on development of cellular technologies across SD WAN
- Platform agnostic allowing their presales to draw from multiple vendors
- Hybrid networking is available with MPLS, private line and VPLS
What are the PROS of Globalgig SD WAN?
- Globalgig major on cellular failover and bandwidth bonding (4G/5G)
- Capable of delivering SD WAN with strong underlay support via service provider partnerships
- Strong capability surrounding WiFi deployments
What are the CONs of Globalgig SD WAN?
- Globalgig offer a wide range of service provider partners which may result in diluted capability
- Companies without cellular requirements may not suit their USP
- Brand awareness is limited outside of North America
7. Open Systems
Open Systems is a cloud-based NaaS focusing on SASE whose service combines SD WAN and monitoring of network WAN circuits, security features and predictive analytics of network and security event and performance data. As such, it includes core SD WAN features like encrypted links, dynamic path selection, QoS controls, application-specific routing and traffic management policies and traffic metrics for each path, device and application.
The product can be deployed on-premises or in the cloud and provides most of the core SASE capabilities including IDS, IPS for both SD WAN networks and connected endpoints, NGFW, CASB, SWG, secure email gateway and cloud-based application sandbox. Notably absent is zero-trust authentication (ZTNA), although Open Systems does support 2FA for remote VPN authentication.
- Considerable Firewall capability using multi-zoning and advanced filtering with global and local policies
- User authentication, URL filtering, SSL scanning, malware and phishing protection are all features of the Open Systems security service
- Excellent dashboard which covers all aspects of SD WAN and SASE security
- 97% customer satisfaction rate
What are the PROS of Open Systems SD WAN?
- Company has evolved from a strong security background
- Capable of delivering SASE security
- DIY, Co-managed and fully managed services are available
What are the CONs of Open Systems SD WAN?
- Reports that their GUI is not straightforward
- Not a well known brand compared to other security vendors
- Reporting is limited
8. Palo Alto Networks (CloudGenix)
Like Cisco, Palo Alto Networks entered the SD WAN market via acquisition in early 2020 when it absorbed and integrated the CloudGenix SD WAN product into the Prisma Access SASE product. CloudGenix is available as a cloud service, as a virtual x86 appliance or as an add-on to Palo Alto’s Next NGFW firewalls and differentiates itself with application-specific policies, performance optimisations and analytics including response time, app reachability, server response time and total roundtrip time. Like competitors, CloudGenix integrates with leading IaaS, SaaS and co-location providers to bypass Internet bottlenecks.
Palo Alto is a San Jose based business whose service offerings consist of ION (Instant-On Network), which offers the capability to meet data centre and edge appliance/software demands. CloudGenix is a good option for hybrid Internet VPN, MPLS and Wireless connectivity aggregation. We note that CloudGenix approaches SD WAN via layer 7 application sessions through app-based SLA policies.
- Palo Alto has a strong history of security with global reach
- Accurate analytics and reporting makes it easy to automate routine network tasks
- Palo Alto are an SD WAN vendor but their focus is on SASE security
- 80K customers across 150 countries
What are the PROS of Palo Alto SD WAN?
- Coming together of CloudGenix SD WAN with strong security history from Palo Alto Networks
- Strong SD WAN and SASE capability
- Good statistics and reporting
What are the CONs of Palo Alto SD WAN?
- The Palo Alto Networks legacy security solution only offers basic SD WAN
- Other vendors offer stronger application optimisation and WAN acceleration
- Not suited to small branch sites where requirements are simpler
9. Versa
Versa Secure SD WAN platform focuses on the core elements of SASE by building a next-generation firewall (NGFW), secure remote access, and unified threat management (UTM) services into its Versa VOS SD WAN platform. Its security features, along with robust network and control-plane separation in multi-tenant environments, make Versa popular with MSPs and carriers offering SD WAN services. Besides its software product, Versa Titan is the company’s cloud NaaS tailored to SMBs that prefer a managed service.
Versa is a relative newcomer to the software-defined space; their solution is already listed as a Visionary within the Gartner Magic Quadrant. The Versa SD WAN architecture is edge-based physical hardware with cloud-based network management.
Versa is perceived to be a simple solution to activate branch locations and other sites with mobile application support, next-generation Firewall security and WiFi access (WAP).
Versa employs approximately 300 employees with the majority of support provided out of the US. The market perception of Versa surrounds ease of deployment via their Titan product combined with a cost-effective price point. As you would expect, the solution is cloud managed from desktop or mobile including access to back end support. Versa suggests their typical customer profile is: SME (Small to Medium Enterprise business), Up to 2Gbps connectivity, 1-500 site scaling and Carrier agnostic.
- Capable of meeting complex Enterprise requirements and SME needs
- Smaller vendor but expansion is on the horizon via mergers and acquisitions
- Over 5000 worldwide WAN edge deployments
- Multi-Service with Layered Security: Integrated L3-L7 network services with multiple layers of robust security.
What are the PROS of Versa SD WAN?
- Positioned to offer strong SD WAN features with full SASE security
- Strong market growth due to good features, service and price point
- One of only a few vendors to support complex and simple requirements
What are the CONs of Versa SD WAN?
- Versa do not focus on any particular feature-set, the company prefers a broader approach
- Versa VOS is similar to Cisco Viptela in terms of complexity
- Not typically associated with larger Enterprise clients due to size
10. VMware SD WAN / VeloCloud
VMware bought and incorporated VeloCloud’s product as the foundation of its Virtual Cloud Network portfolio, which includes NSX, software-defined security (firewall, IDS/IPS) and public cloud connectivity (NSX Cloud). VMware SD WAN uses a central orchestrator to control network connections to VeloCloud edge sites, with dozens of managed cloud gateways (POPs) and VMware’s managed cloud security services. The cloud gateways also provide low-latency direct connections to major cloud providers in all regions.
- VMware had huge brand recognition but unlike Cisco, their experience is not focussed on networking
- VeloCloud includes SD WAN edge (VCE) appliances, gateways (VCG) and an SD WAN orchestrator (VCO)
- Typically available via large service providers rather than bought as DIY
- Strong, robust financials making VeloCloud a good fit for large Global Enterprise
What are the PROS of VeloCloud SD WAN?
- Strong track record with huge channel support
- Support for over 1000 branches if needed
- Security and reporting is strong in respect of roadmap
What are the CONs of VeloCloud SD WAN?
- SASE security is not as comprehensive compared to other vendors
- Prospects should be wary of additional features which might be required pushing the price up
- Reviews are average in respect of customer experience
Which SD WAN features should your IT team understand before comparing vendors?
- Year launched - the year of SD WAN product launch.
- Network backbone - the ability to offer middle-mile long haul inter-country global traffic.
- SD WAN architecture - is the solution WAN edge-based, gateways for hosted access or based on their own PoPs.
- Gartner status - the vendor's or provider's placement in Gartner's Magic Quadrant for the industry.
- Form factor - appliance is delivered on physical, virtual or white boxes (uCPE).
- Firewall - basic, stateful at layer 7 or advanced next generation with anti-malware, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), content filtering, sandbox.
- WAN optimisation - features to accelerate app performance such as TCP optimisation, caching, deduplication and compression.
- Traffic handling - may be based on sessions or per-packet.
- Cloud app path selection - how the solution measures application performance for making decisions for apps such as SaaS.
- 4G/5G - support for LTE, 4G and 5G.
SD WAN solution comparison matrix
Vendor solution comparison matrix 1 to 5.
| SD WAN architecture | WAN edge based | 25+ global PoPs for site to site and cloud traffic | 40+ global PoPs for site to site and cloud traffic | Edge based | Edge based |
| Gartner status | Visionaries | Visionaries | Not ranked | Visionaries | Niche players |
| Form factor | Physical | Physical | Physical, Virtual (VMware), Cloud (AWS, Azure) | Physical, Virtual (VMware), Cloud (AWS) | Physical, Virtual (VMware, Hyper-V), Cloud (AWS, Azure, KVM, Oracle) |
| Firewall | Advanced | Basic, advanced via partners | Advanced | Basic, advanced via partners | Basic, advanced via partners |
| WAN optimisation | No | Yes | Limited (TCP optimisation) | No | Yes via add on |
| Traffic handling | Session based, per packet possible | Packet based | Packet based | Session based | Packet based |
| Cloud app path selection | Limited, monitors loss, delay and jitter to consider the best path | Partnered with AWS & Microsoft Azure, manual routes for other cloud/SaaS apps | Cloud apps can leverage the CATO backbone | Measures app performance to select best path | None |
| 4G/5G | Yes, SIM card on all devices | No | No | No | No |
Vendor solution comparison matrix 6 to 10.
| Vendor | Cisco Meraki | Citrix | Masergy | Silver Peak | VeloCloud |
| --- | --- | --- | --- | --- | --- |
| SD WAN architecture | Edge based | Edge based | 102+ Global PoP infrastructure located in metro areas | Edge based | 100+ global, public gateways for Internet and cloud traffic |
| Form factor | Physical, Cloud (AWS, Azure) | Physical, Virtual (VMware, XS, Hyper-V and KVM), Cloud (AWS, Azure) | Physical, Virtual (VMware, Hyper V, Xen, KVM), Cloud (AWS, Azure, GCP, Oracle Cloud) | Physical, Virtual (VMware, Xen, KVM), Cloud (AWS, Azure) |
| Firewall | Advanced | Basic, advanced via partners | Advanced | Basic, Advanced via partners | Basic, Advanced via partners |
| WAN optimisation | Limited | Yes, 5100, 2100 and 1100 devices. Requires premium edition device | Limited | Yes via add on | No |
| Traffic handling | Session based | Packet based | Packet based | Packet based | Packet based |
| Cloud app path selection | None | Yes, via 14 global gateways | Yes, via global PoP infrastructure | SaaS optimisation WAN egress point (via data centre or hub site) | Yes, 100+ shared gateways for path optimisation |
| 4G/5G | Via SIM on MX67C, Via USB air card on other devices | Yes, 210SE device has integrated 4G/5G | Limited | No | Limited via USB |