This GigaOm Research Reprint Expires: Jan 9, 2024

GigaOm Radar for Software-Defined Wide Area Networks v3.0

Delivering Robust Connectivity

1. Summary

Simplifying remote connectivity while ensuring optimal application performance, a software-defined wide area network (SD-WAN) virtualizes the underlying WAN connection—either between remote offices or to the internet—over multiple underlying connectivity technologies—including fiber, mobile, multiprotocol label switching (MPLS), and digital subscriber lines (xDSL)—presented as a single internet or site-to-site connection. Branch offices can be provisioned, monitored, and managed from a central location using an SD-WAN controller, giving network administrators complete control over their WAN and remote devices via a single interface. In addition, SD-WAN provides remote offices with secure local network access to cloud applications and resources via encrypted virtual private networks (VPNs). An SD-WAN makes secure VPNs faster and more affordable by combining the bandwidth of multiple connections into a single logical WAN connection.

However, prospective users should be aware that simply plugging existing broadband circuits into an SD-WAN device won’t necessarily improve performance or drastically reduce costs. While an SD-WAN can be optimized via careful planning, configuration, and oversight, the speed at which traffic routed over the public internet or mobile networks reaches its destination will ultimately depend on usage levels and delivery capabilities. Furthermore, while an SD-WAN can save money by replacing expensive MPLS with inexpensive broadband, enterprises may choose to retain their MPLS to meet the needs of latency-sensitive workloads.

Representing features and capabilities widely adopted and well implemented in the industry, the following table stakes are the minimum requirements for solutions to be included in the GigaOm Radar for SD-WAN.

  • Virtual overlay network: An SD-WAN virtual overlay allows enterprises to retain existing network investments—either in-house or from an MNSP—as an underlay while implementing a virtualized overlay network to increase agility, availability, and performance at a reduced cost. Based on tunnels carrying traffic over multiple underlay networks, an SD-WAN typically comprises a hybrid of existing carrier services and unmanaged connections via the public internet. In addition, an SD-WAN virtual overlay network incorporates IPsec, secure socket layer (SSL)/transport layer security (TLS), or other forms of encryption for data security.
  • Centralized orchestration: Providing global, granular control regardless of where end users are or the device being used, centralized orchestration ensures the application of consistent network access, governance, and policies via a single portal, saving time and allowing administrators to respond more quickly to business demands. Automation enables policy-based zero-touch provisioning (ZTP) to deploy and configure SD-WAN controllers and edge infrastructure, while application- and performance-aware routing automates traffic steering to and between remote locations and to trusted IaaS and SaaS providers based on business intent.
  • Built-in resilience: Leveraging a mix of private lines and the internet for connectivity, an SD-WAN separates the control plane from the physical network underlay, increasing aggregate bandwidth, fault tolerance, and resilience. For example, if one of the links fails or becomes congested, the SD-WAN platform will automatically divert traffic to a more optimal path, creating seamless connectivity without users experiencing any delay or downtime. In addition, some SD-WAN solutions include self-healing capabilities, minimizing operator intervention by automating configuration updates and software upgrades at scale to maximize uptime and throughput.
  • Integrated security: With a rapidly expanding threat surface, a fully integrated platform approach ensures that security seamlessly adapts and scales with SD-WAN connectivity, minimizing the risk of security gaps that often occur when deploying an overlay security solution. Enabling direct, private, and secure internet access, an SD-WAN solution should include a full stack of enterprise-grade security at all edges, including anti-malware, a next-generation firewall (NGFW), an intrusion prevention system (IPS), and web filtering in accordance with regulatory network and security compliance requirements.
  • Dynamic traffic engineering: Leveraging centralized policy-based management to determine which traffic should go over which link based on bandwidth, latency, packet loss, or other characteristics, dynamic traffic engineering dramatically reduces the number of round trips required to complete a transaction or transfer data. Moreover, since migrating applications to the cloud often increases latency, dynamic traffic engineering should address the behavior of network and application protocols over long distances, including accelerating applications hosted in the cloud and IaaS or SaaS environments.

Once the table stakes are met, each solution is scored on key criteria and evaluation metrics. Key criteria are the basis on which organizations decide which solutions to adopt for their particular needs, while evaluation metrics determine the impact the solution may have on the organization.

This GigaOm Radar for SD-WAN provides an overview of notable vendors and their available offerings. The corresponding GigaOm “Key Criteria Report for Evaluating SD-WAN Solutions” outlines critical criteria and evaluation metrics for selecting an SD-WAN solution. Together, these reports offer essential insights for secure enterprise networking initiatives, helping decision makers evaluate solutions before deciding where to invest.

How to Read this Report

This GigaOm report is one of a series of documents that helps IT organizations assess competing solutions in the context of well-defined features and criteria. For a fuller understanding, consider reviewing the following reports:

Key Criteria report: A detailed market sector analysis that assesses the impact that key product features and criteria have on top-line solution characteristics—such as scalability, performance, and TCO—that drive purchase decisions.

GigaOm Radar report: A forward-looking analysis that plots the relative value and progression of vendor solutions along multiple axes based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering in the sector.

Solution Profile: An in-depth vendor analysis that builds on the framework developed in the Key Criteria and Radar reports to assess a company’s engagement within a technology sector. This analysis includes forward-looking guidance around both strategy and product.

2. Target Markets and Deployment Models

To better understand the market and vendor positioning (Table 1), we assess how well a vendor’s SD-WAN solution supports different target markets and deployment models. For SD-WAN, we recognize five target markets:

  • Cloud service provider (CSP): Providers delivering on-demand, pay-per-use services to customers over the internet, including infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS).
  • Network service provider (NSP): Service providers selling network services—network access and bandwidth—by providing entry points to backbone infrastructure or network access points (NAPs). In this report, NSPs include data carriers, ISPs, telcos, and wireless providers.
  • Managed service provider (MSP): Service providers delivering managed application, communication, IT infrastructure, network, and security services and support for businesses at either the customer premises or via MSP (hosting) or third-party data centers (co-location).
  • Large enterprise: Enterprises of 1,000 or more employees with dedicated IT teams responsible for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a co-location facility.
  • Small-to-medium business (SMB): Small (<100 employees) to medium-sized (100 to 1,000 employees) businesses with limited budgets and constrained in-house resources for planning, building, deploying, and managing their applications, IT infrastructure, networks, and security in either an on-premises data center or a co-location facility.

For SD-WAN, we also recognize three deployment models:

  • In house: Organizations manage their own SD-WAN infrastructure, typically investing in a full team with the specialized skills responsible for designing and supporting complex SD-WAN deployments, including monitoring and managing connectivity and reliability.
  • Co-managed: Installation, maintenance, upgrades, monitoring, and troubleshooting are shared between the enterprise and a managed SD-WAN provider to relieve some of the burdens of hiring, training, and retaining in-house resources.
  • Managed: The management of the communications network and its related applications is outsourced to a third-party service provider responsible for service-level agreement (SLA)-based installation, maintenance, upgrades, monitoring, and troubleshooting.

Table 1. Vendor Positioning

Market Segment

Deployment Model

CSPs NSPs MSPs Large Enterprises SMBs In-House Co-Managed Managed
Barracuda Networks
Bigleaf Networks
Cato Networks
Evolving Networks
FatPipe Networks
HPE Aruba
Juniper Networks
Palo Alto Networks
Versa Networks
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
0 Not applicable or absent

3. Key Criteria Comparison

Following the general criteria introduced in GigaOm’s “Key Criteria for Evaluating SD-WAN Solutions,” Tables 2, 3, and 4 summarize how well each vendor included in this research performs in the areas we consider differentiating and critical for the sector.

  • Key criteria differentiate solutions based on features and capabilities, outlining the primary criteria to be considered when evaluating an SD-WAN solution, including application awareness, intelligent traffic distribution, and multicloud connectivity.
  • Evaluation metrics provide insight into the impact of each product’s features and capabilities on the organization, reflecting fundamental aspects, including infrastructure support, manageability, and total cost of ownership (TCO).
  • Emerging technologies and trends indicate how well the vendor executed against the technologies and trends identified in the previous report compared to the competition over the last 12 months.

The objective is to give the reader a snapshot of the technical capabilities of available solutions, define the perimeter of the market landscape, and gauge the potential impact on the business.

Table 2. Key Criteria Comparison

Key Criteria

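| Vendor | Business-Driven SD-WAN | Intelligent Traffic Distribution | Next-Generation Security | Multicloud Connectivity | Built-In Self-Healing | Application Awareness | Integrated Branch Support | Managed SD-WAN |
|---|---|---|---|---|---|---|---|---|
| Aryaka | 2 | 3 | 2 | 3 | 3 | 3 | 2 | 3 |
| Barracuda Networks | 2 | 3 | 2 | 1 | 1 | 3 | 3 | 1 |
| Bigleaf Networks | 1 | 3 | 1 | 2 | 2 | 3 | 1 | 1 |
| Cato Networks | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 3 |
| Cisco | 2 | 2 | 3 | 3 | 2 | 2 | 3 | 3 |
| Cradlepoint | 2 | 1 | 2 | 1 | 2 | 3 | 3 | 2 |
| Ecessa | 2 | 2 | 2 | 2 | 3 | 1 | 0 | 1 |
| Evolving Networks | 3 | 2 | 2 | 2 | 3 | 2 | 2 | 3 |
| FatPipe Networks | 3 | 2 | 2 | 2 | 2 | 2 | 3 | 2 |
| Forcepoint | 2 | 2 | 3 | 3 | 2 | 3 | 3 | 0 |
| Fortinet | 3 | 3 | 3 | 3 | 3 | 2 | 3 | 1 |
| Graphiant | 3 | 2 | 1 | 2 | 2 | 1 | 2 | 3 |
| HPE Aruba | 3 | 3 | 2 | 3 | 3 | 2 | 3 | 2 |
| Huawei | 2 | 3 | 2 | 2 | 2 | 3 | 3 | 2 |
| Juniper Networks | 2 | 3 | 1 | 2 | 3 | 3 | 2 | 1 |
| Nokia | 3 | 2 | 2 | 2 | 3 | 2 | 2 | 3 |
| Palo Alto Networks | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 3 |
| Peplink | 3 | 3 | 2 | 2 | 2 | 2 | 3 | 1 |
| Versa Networks | 3 | 3 | 3 | 3 | 3 | 3 | 3 | 2 |
| VMware | 3 | 3 | 2 | 3 | 3 | 3 | 3 | 3 |

3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
0 Not applicable or absent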

Table 3. Evaluation Metrics Comparison

Evaluation Metrics

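| Vendor | Infrastructure Support | Scalability | Manageability | Observability | Ecosystem Support | Vendor Support | Pricing & TCO | Vision & Roadmap |
|---|---|---|---|---|---|---|---|---|
| Aryaka | 2 | 3 | 3 | 3 | 3 | 3 | 2 | 2 |
| Barracuda Networks | 2 | 3 | 2 | 2 | 1 | 2 | 3 | 2 |
| Bigleaf Networks | 2 | 2 | 2 | 2 | 2 | 1 | 3 | 2 |
| Cato Networks | 3 | 3 | 3 | 3 | 2 | 3 | 2 | 3 |
| Cisco | 2 | 3 | 2 | 3 | 2 | 3 | 1 | 2 |
| Cradlepoint | 2 | 3 | 3 | 3 | 2 | 3 | 2 | 3 |
| Ecessa | 2 | 2 | 2 | 2 | 2 | 1 | 3 | 1 |
| Evolving Networks | 3 | 2 | 2 | 1 | 1 | 2 | 2 | 2 |
| FatPipe Networks | 2 | 2 | 2 | 1 | 2 | 1 | 2 | 1 |
| Forcepoint | 3 | 2 | 2 | 3 | 3 | 3 | 2 | 3 |
| Fortinet | 3 | 3 | 2 | 2 | 1 | 2 | 2 | 3 |
| Graphiant | 3 | 3 | 2 | 2 | 2 | 1 | 3 | 3 |
| HPE Aruba | 2 | 2 | 2 | 3 | 3 | 3 | 3 | 3 |
| Huawei | 3 | 3 | 2 | 3 | 2 | 3 | 2 | 2 |
| Juniper Networks | 2 | 2 | 2 | 3 | 2 | 2 | 1 | 2 |
| Nokia | 3 | 3 | 3 | 2 | 2 | 3 | 2 | 2 |
| Palo Alto Networks | 3 | 3 | 2 | 2 | 2 | 3 | 2 | 2 |
| Peplink | 3 | 3 | 3 | 2 | 2 | 2 | 3 | 3 |
| Versa Networks | 3 | 3 | 3 | 3 | 2 | 3 | 2 | 3 |
| VMware | 3 | 3 | 3 | 3 | 3 | 3 | 2 | 3 |

3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
0 Not applicable or absent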

Table 4. Emerging Technologies and Trends Comparison

Emerging Tech

Integrated ZTNA AIOps Private 5G
Barracuda Networks
Bigleaf Networks
Cato Networks
Evolving Networks
FatPipe Networks
HPE Aruba
Juniper Networks
Palo Alto Networks
Versa Networks
3 Exceptional: Outstanding focus and execution
2 Capable: Good but with room for improvement
1 Limited: Lacking in execution and use cases
0 Not applicable or absent

By combining the information provided in the tables above, the reader can understand the technical solutions available in the market.

4. GigaOm Radar

This report synthesizes the analysis of key criteria and their impact on evaluation metrics to generate the GigaOm Radar in Figure 1. The chart is a forward-looking perspective on all the vendors in this report based on their products’ technical capabilities and feature sets.

The GigaOm Radar plots vendor solutions across a series of concentric rings, with those set closer to the center judged to be of higher overall value. The chart characterizes each vendor on two axes—Maturity versus Innovation and Feature Play versus Platform Play—while the length of the arrow indicates the predicted evolution of the solution over the coming 12 to 18 months.

Figure 1. GigaOm Radar for SD-WAN

As seen in Figure 1, there are nine vendors in the Leaders circle (Aryaka, Cato Networks, Cradlepoint, Fortinet, HPE Aruba Networks, Nokia, Palo Alto Networks, Versa Networks, and VMware), nine Challengers (Barracuda Networks, Bigleaf Networks, Cisco, Ecessa, FatPipe Networks, Forcepoint, Huawei, Juniper Networks, and Peplink) and two New Entrants (Evolving Networks and Graphiant).

It should be noted that Maturity (that is, being positioned in the top two quadrants) does not exclude Innovation. Instead, it identifies the solution as being proven in a production setting compared to a newer solution undergoing innovation to achieve customer acceptance and adoption. In addition, the length of the arrow (Forward Mover, Fast Mover, or Outperformer) is based on customer adoption and execution against roadmap and vision (based on vendor input from the previous report and in comparison to improvements made across the industry in general).

Furthermore, positioning in the Platform-Play quadrants indicates that the vendor has a fully integrated solution—usually built from the ground up—at the functional level. However, some vendors may focus on a limited target customer set, only provide SD-WAN as a service (SD-WANaaS), or only be active in specific geographies. In contrast, vendors positioned in the Feature-Play quadrants either lack certain capabilities or rely on third-party vendors to fill the gaps.

New additions to the list of vendors are Bigleaf Networks, Cato Networks, Ecessa, FatPipe Networks, Graphiant, and Huawei. Moreover, on October 29, 2022, Citrix announced that as of December 31, 2022, it would stop selling Citrix SD-WAN subscriptions and SD-WAN bandwidth upgrades, and that support will end on December 31, 2025. In addition, due to the company’s change in focus, Oracle SD-WAN no longer meets the table stakes for this report. As a result, both Citrix SD-WAN and Oracle SD-WAN have been removed from this year’s Radar report.

VMware has become the Leader in this space, followed by Versa Networks, Cato Networks, and HPE Aruba. In addition, Cato Networks, Cradlepoint, Graphiant, HPE Aruba, and VMware are recognized as Outperformers based on the speed of innovation compared to the industry in general. In some cases, being an Outperformer also reflects the acquisitions made to create differentiation aligned with the vendor’s vision and roadmap.

Since the publication of the 2021 Radar for SD-WAN, Cisco has slipped from being a Leader to a Challenger because its pace of innovation has lagged behind the industry in general. Vendors to watch are Cato Networks, Cradlepoint, and Graphiant.

Inside the GigaOm Radar

The GigaOm Radar weighs each vendor’s execution, roadmap, and ability to innovate to plot solutions along two axes, each set as opposing pairs. On the Y axis, Maturity recognizes solution stability, strength of ecosystem, and a conservative stance, while Innovation highlights technical innovation and a more aggressive approach. On the X axis, Feature Play connotes a narrow focus on niche or cutting-edge functionality, while Platform Play displays a broader platform focus and commitment to a comprehensive feature set.

The closer to center a solution sits, the better its execution and value, with top performers occupying the inner Leaders circle. The centermost circle is almost always empty, reserved for highly mature and consolidated markets that lack space for further innovation.

The GigaOm Radar offers a forward-looking assessment, plotting the current and projected position of each solution over a 12- to 18-month window. Arrows indicate travel based on strategy and pace of innovation, with vendors designated as Forward Movers, Fast Movers, or Outperformers based on their rate of progression.

Note that the Radar excludes vendor market share as a metric. The focus is on forward-looking analysis that emphasizes the value of innovation and differentiation over incumbent market position.

5. Vendor Insights


Aryaka

Founded in 2009, Aryaka offers a fully managed, global SD-WAN solution providing enterprise customers with a combination of hybrid WAN connectivity, optimization, security, and analytics with multitenant automation and orchestration capabilities. The SmartConnect service leverages Aryaka’s FlexCore global backbone network with over 40 points of presence (PoPs) reaching more than 95% of business population centers across six continents with sub-30 ms latency.

Figure 2. SmartConnect SD-WAN at a Glance

Mapping traffic into one of two transport infrastructures, Aryaka FlexCore allows customers to designate sites according to their connectivity, security, and lifecycle services management requirements. The foundation of Aryaka’s SmartConnect Pro service, the Layer 2 private core offers deterministic, MPLS-like performance at a reduced cost, while Aryaka’s SmartConnect EZ service uses the Layer 3 private core, offering a best-of-breed, multiprovider backbone delivering better predictability and lower risk than the public internet as enterprises migrate from MPLS to internet connectivity. Moreover, SmartConnect Pro sites designated as high-performance or mission-critical have the flexibility to utilize both cores, while SmartConnect EZ sites can only use the Layer 3 private core.

Aryaka SmartConnect EZ and Pro are available in six fixed T-shirt-sized tiers (XS, S, M, M+, L, XL) based on subscribed bandwidth and site licenses for worldwide deployments. Offering enhanced optimization capabilities and 99.999% availability, SmartConnect Pro is also available as an a-la-carte service with flexible bandwidth—including bursting and pooling—and separate site licenses for customers who prefer a more granular option for global and regional deployments. In addition, Aryaka FlexCore also supports patented Adaptive quality of service (QoS) and AppAssure auto-configuring and network optimization technologies providing complete control over network resource allocation and full, immediate visibility into network and application performance. The MyAryaka cloud portal offers role-based access by customers.

Aryaka SmartConnect routes traffic based on sophisticated Layer 4 through Layer 7 deep packet inspection (DPI) and application classification technologies and can apply automated policies to direct traffic over the most appropriate links. Furthermore, a significant benefit is that Aryaka controls the network underlay at a global scale, enabling customers to deterministically control application performance and eliminating the need for customers to acquire additional networking monitoring tools to troubleshoot application performance issues. Relieving enterprises of essential network responsibilities—including link procurement, deployment, monitoring, and responding to outages—Aryaka’s Last Mile Services provide last-mile internet connections for customers seeking an end-to-end connectivity solution managed by a single vendor.

Strengths: Leveraging Aryaka’s high-performance global FlexCore network, the SmartConnect service provides adaptable and resilient regional, hybrid, and worldwide network as a service connecting clouds, sites, and users anywhere in the world with global end-to-end SLAs. Offering multicloud connects and security convergence at the edge, SmartConnect includes stateful firewalls, microsegmentation, and zones within Aryaka’s managed customer premises equipment (CPE), the Aryaka Network Access Point (ANAP). It also integrates cloud security and virtual firewalls from best-in-class security partners. Moreover, SmartConnect is being incorporated into a zero-trust platform comprising Aryaka and partner solutions.

Challenges: While sales are usually based on Aryaka field engagement and proofs of concept (POCs), Aryaka is a channel-driven organization with over 85% of orders fulfilled via the channel. Aryaka needs to continue to iterate and evolve its security capabilities beyond managed firewalls, secure web gateways (SWGs), and VPN as a service (VPNaaS) to compete with new, innovative offerings. We expect Aryaka to integrate a cloud access security broker (CASB) and other security capabilities into its managed SD-WAN solution within the next 12 to 18 months.

Barracuda Networks

Founded in 2003 and acquired by KKR, a leading global investment firm, in August 2022, Barracuda Networks is a leader in application delivery, data protection, and security solutions, with an installed base of over 200,000 organizations worldwide. The result of a joint development program between Microsoft and Barracuda, CloudGen WAN is a unified solution ensuring highly secure, seamless connectivity to all locations and cloud-based resources and applications. Furthermore, CloudGen WAN is the only global secure SD-WAN service built natively on Microsoft Azure, leveraging the high-performance Microsoft Global Network.

Figure 3. CloudGen WAN at a Glance

Deployed from the Azure marketplace, the CloudGen WAN gateway runs inside one or more regions within an Azure Virtual WAN (vWAN) hub interconnected with other hubs via the Microsoft Global Network. Branches connect to one or more CloudGen WAN gateways inside the vWAN hub via an on-premises, performance-based CloudGen WAN site device, ensuring optimized connectivity from every branch office to the nearest Azure Cloud entry point. In addition, WAN optimization technologies—such as network traffic compression, advanced data caching, and network link pooling—help ensure the best QoS.

Administered from an intuitive central management portal for all remote clients, regions, and sites, deep integration with native Azure services seamlessly integrates Barracuda CloudGen WAN into each enterprise’s Azure cloud infrastructure. Supporting out-of-the-box smart configurations for common cloud applications and SaaS services, CloudGen WAN’s zero-touch deployment and orchestration capabilities eliminate travel and costs associated with setting up on-site devices. In addition, Barracuda CloudGen WAN offers multilayered, next-generation protection against advanced threats and zero-hour-attacks, including cloud-based, full emulation sandboxing for every location in widely dispersed corporate networks.

The Azure backbone replaces costly, inflexible MPLS circuits, and the entire network can be dynamically sized to match current traffic workloads. Barracuda supports dynamic path selection across multiple ISPs for Azure Virtual WAN, optimizing network performance while minimizing cost and providing customers with failsafe, always-on cloud connectivity. In addition, application steering dynamically selects the most suitable uplink for each application in real time based on traffic characteristics, available bandwidth, and latency between VPN endpoints to minimize latency or maximize bandwidth based on current network conditions.

Moreover, CloudGen WAN is more than just another SD-WAN solution. It lets you build an automated cloud-based network by leveraging the Microsoft Global Network. The product of a joint development program by Microsoft and Barracuda, CloudGen WAN is a single, unified solution that makes it very simple to ensure highly secure, seamless connectivity to all locations and all cloud-based resources and applications. In addition, CloudGen WAN can also be deployed as an SD-WAN-only solution complementing an existing firewall, or as a secure SD-WAN with the option to consolidate all functions on a single device.

Strengths: Built on the award-winning Barracuda CloudGen Firewall, Barracuda CloudGen WAN combines the benefits of a NGFW, secure SD-WAN, native Azure integration, and intelligent automation within a single solution, replacing multiple point link balancing, security, SD-WAN, and WAN optimization solutions. Offering zero-touch deployment, default configurations, and an intuitive management interface, CloudGen WAN automates and simplifies tasks that traditionally make SD-WAN management complex and challenging.

Challenges: CloudGen WAN is primarily positioned for the SMB market and does not run on Amazon Web Services (AWS) or Google Cloud Platform (GCP). In addition, Barracuda Networks is changing its focus from providing standalone SD-WAN solutions to creating a new integrated secure access service edge (SASE) solution platform that will include SD-WAN. The new, unified platform will include robust security capabilities, including firewall as a service (FWaaS) and zero-trust network access (ZTNA), and a Barracuda-hosted SaaS deployment model. As a result, deploying the new platform will mean replacing existing security solutions since Barracuda lacks integration with industry-leading security vendors.

Bigleaf Networks

Founded in 2012, Bigleaf Networks unlocks the power of the cloud for multitenant MSPs and SMBs with seamless application failover, intelligent load balancing, and dynamic QoS over commodity internet, optimizing business internet for access to cloud applications, including voice over internet protocol (VoIP), virtual desktop infrastructure (VDI), and SaaS. Bigleaf SD-WAN combines proven SD-WAN technology with self-driving artificial intelligence (AI) to deliver predictable performance and connectivity over any ISP connection (cable, DSL, fiber, fixed-wireless, or T1), irrespective of the location of applications and users.

Figure 4. Bigleaf SD-WAN at a Glance

Supporting up to four simultaneous ISP connections per router, Bigleaf’s networking platform creates a dedicated owned-and-operated backbone network with multiple paths to virtually any cloud- or internet-based technology using preconfigured edge routers that install quickly and transparently onto any network. Building redundancy into every connection, Bigleaf SD-WAN abstracts away the underlying internet circuits by encapsulating each packet within a tunnel. Static public IP blocks are issued to enable same-IP failover and protection against distributed denial of service (DDoS) attacks.

Bigleaf’s AI combines networking expertise with self-driving intelligence, configuring itself based on circuit conditions and traffic makeup and instantly adapting to any change—irrespective of where it occurs in the last mile or middle mile—to prevent disruptions before they impact users. In addition, Bigleaf can incorporate intelligent DDoS attack mitigation services that identify malicious traffic and automatically filter it before it disrupts connectivity. A multitenant web dashboard provides visibility into network performance and application experience, while Bigleaf Risk Monitoring aggregates network health and performance metrics to isolate critical events that pose a threat to business and the site’s continuity or uptime.

Using patent-pending heuristic algorithms to integrate application traffic flow data with real-time circuit monitoring data, Bigleaf’s QoS capabilities provide effective and automatic prioritization for traffic traversing the public internet without having to coordinate the network devices between the endpoints. Bigleaf QoS dynamically detects different types of applications and prioritizes traffic according to priority levels, giving each broad category of traffic ideal treatment based on the network requirements for that type of traffic.

Bigleaf’s fully redundant network includes nine core PoPs in North America and three edge PoPs in Europe, and peers with over 150 different cloud, content, and carrier networks. The data center location of each of Bigleaf’s core PoPs is carefully selected to ensure the best possible connection to the major peering exchange—or internet hub—in each region. A subscription to Bigleaf’s service includes a hardware device—the Bigleaf router—which monitors circuit conditions between the customer site and Bigleaf’s core network, adapting traffic flow based on real-time data. In addition to warm spare and high-availability options, Bigleaf offers a high-availability on-site router setup that includes redundant routers and switches to eliminate any single point of failure. Service levels are based on the availability option chosen and the maximum combined bandwidth of all internet connections.

Strengths: Unlike traditional policy-based SD-WAN solutions, Bigleaf’s intelligent SD-WAN auto-detects application requirements and adapts in real-time to internet performance and connectivity issues before they impact users. Connecting to Bigleaf’s backbone network over one to four internet circuits using a single IP block, edge routers are installed on the WAN side of the firewall, allowing customers to add Bigleaf to new or existing business locations without having to change existing security or network policies.

Challenges: Compared to other vendors, Bigleaf has a limited number of PoPs located primarily in North America with limited reachability in Europe. In addition, Bigleaf only offers an SLA-backed 99.99% uptime guarantee compared to 99.999% of many other SD-WAN providers. Mainly targeting SMBs and MSPs providing services to smaller organizations, Bigleaf lacks the enhanced security capabilities and integration with industry-leading security vendors required by enterprise customers. Furthermore, as a relatively small vendor, Bigleaf relies mainly on its partner network for support.

Cato Networks

Founded in 2015, Cato Networks was one of the first vendors to launch a global cloud-native service converging SD-WAN and security as a service. Developed in house from the ground up for low latency and predictable performance, Cato SASE Cloud connects all enterprise network resources—including branch locations, cloud and physical data centers, and the hybrid workforce—within a secure, cloud-native service via a global private backbone. In addition, Cato’s cloud-native security engine, SSE 360, enforces granular corporate access policies across all on-premises and cloud-based applications, protecting users against security breaches and threats. Cato claims an installed base of over 1,450 enterprises in more than 150 countries, connecting over 23,000 sites and supporting some 450,000 remote zero-trust users.

Figure 5. Cato SASE Cloud at a Glance

A geographically distributed SLA-backed network, Cato SASE Cloud runs over a global private backbone of more than 75 PoPs interconnected by multiple Tier 1 network service providers. The backbone’s cloud-native software provides defense-in-depth with full encryption, distributed policy enforcement, automated load balancing, dynamic route selection, self-healing capabilities, and built-in cloud and WAN optimization for maximum end-to-end availability and throughput. Connected across IPsec connections or through virtual sockets, Cato PoPs are located in the same physical data centers as leading cloud providers, providing fast onramps to cloud instances at no additional cost.

Each Cato PoP comprises multiple compute nodes running the Cato Single Pass Cloud Engine (Cato SPACE), a converged, self-healing software stack that extracts context from the traffic flow, applies specific user policies, and runs all Cato’s access, network, and security engines in parallel. Each Cato SPACE can handle up to 3 Gbps of encrypted traffic from one or more edge tunnels distributed within the Cato SASE Cloud and across Cato SPACEs to adapt to changes in the overall load. Including complete network and security policy configuration and detailed analytics on network traffic and security events, Cato provides a cloud-based and self-service management application for configuring, monitoring, and managing the Cato SASE Cloud. In addition, Cato and its partners offer managed service options, with Cato maintaining the underlying platform, so customers do not need to upgrade, patch, or otherwise maintain the Cato SASE Cloud.

Providing last-mile redundancy using application-based dynamic path selection based on QoS policies, Cato’s edge device, the Cato Socket, connects a physical location to the nearest Cato PoP via one or more last-mile connections. Customers can choose any mix of fiber, cable, xDSL, and 4G/LTE connections. The Cato Socket applies multiple traffic management capabilities, such as active-active link usage, application- and user-aware QoS prioritization, dynamic path selection to work around link blackouts and brownouts, and packet duplication to overcome packet loss and jitter. In addition, the Cato Socket can route site-to-site traffic over MPLS and the internet to address regional and application-specific requirements.

Strengths: Cato SASE Cloud is a converged cloud-native, single-pass platform connecting end-to-end enterprise network resources within a secure global service managed via a single pane of glass. By moving processing into the cloud using thin edge Cato Sockets, Cato SASE Cloud is easier to maintain and scale than competitive solutions, with new capabilities instantly available. Leveraging an expanding global SLA-backed network of over 75 PoPs, Cato is the only SD-WAN vendor currently bundling a global private backbone with its SD-WAN. Moreover, Cato offers both a standalone SD-WAN solution and a security service edge solution—Cato SSE 360—for securing third-party SD-WAN devices.

Challenges: Despite being a relatively new vendor compared to many of its competitors, Cato is rapidly evolving its capabilities, with new secure service access features recently added or about to be released. Moreover, in addition to the existing built-in monitoring capabilities provided via Cato Management, Cato needs to provide out-of-the-box integrations with third-party monitoring platforms to help streamline migrations. In addition, while Cato offers comprehensive global coverage, it needs to continue adding PoPs closer to customers to reduce latency and improve resiliency.


Cisco

Founded in 1984 and the largest SD-WAN solution provider globally with over 43,000 customers, Cisco has developed an SD-WAN strategy combining networking with a broad set of security functions in the cloud and end-to-end observability. Cisco’s offerings include Cisco SD-WAN powered by Meraki and Cisco SD-WAN powered by Viptela. Each platform is separate and provides SD-WAN appliances with optional integrated security feature sets, management and orchestration, and optional integration with Cisco Umbrella’s multiple security capabilities delivered via a single cloud service—including threat intelligence from Cisco Talos. However, while Meraki combines all aspects of SD-WAN configuration, monitoring, and management into one cloud-based controller, Viptela dedicates certain functions to individual equipment within the network.

Figure 6. Cisco SD-WAN at a Glance

Focused initially on cloud-managed wireless and acquired by Cisco in 2012, Cisco SD-WAN powered by Meraki enables the management of thousands of wireless endpoints as a full-stack service offering. Designed for simplicity and ease of use, Cisco SD-WAN powered by Meraki can be managed with limited technical knowledge via the intuitive cloud-based Meraki Dashboard. Devices connect to the Cisco Meraki Cloud using SSL and are automatically updated with the latest software. After powering up, devices contact the SD-WAN controller and download the predefined configuration for that particular device based on its serial number. An NGFW provides content filtering and geographical IP restrictions, allowing administrators to restrict global connectivity based on security policies.

One of the first pure SD-WAN vendors, Viptela was acquired by Cisco in 2017 to support its edge routing (Cisco ASR) and branch connectivity (Cisco ISR) product lines. Deployed on-premises or in the cloud, Cisco SD-WAN powered by Viptela is a granular, segmented network overlay running over standard network transports—including MPLS, broadband, and internet—to deliver applications and services. In addition to offering full-stack multilayer security capabilities on-premises and in the cloud, Cisco SD-WAN powered by Viptela includes DPI, support for advanced routing, and sophisticated orchestration suited for large, complex enterprise networks.

Cisco SD-WAN powered by Viptela comprises vEdge Routers (full-featured IP routers that perform standard functions), vSmart Controllers (on-premises or cloud-hosted centralized management of routing, policy, security, segmentation, and device authentication), vBond Orchestrator (authentication, authorization, and device connectivity), and vManage (centralized network configuration and management dashboard). The vManage dashboard allows users to quickly connect all company data centers, core and campus locations, branches, co-location facilities, cloud infrastructure, and remote workers by applying the overlay management protocol (OMP) to the entire network.

Strengths: Cisco’s product portfolio includes a broad range of robust capabilities, including advanced network visibility and digital experience monitoring and management (DEMM) with Cisco vAnalytics and Cisco ThousandEyes. Offering one-click integration and automated deployment options, Cisco provides a combined Cisco SD-WAN and Umbrella package, quickly connecting users with hundreds of remote applications monitored via a consolidated, cloud-based dashboard with simplified management and consistent policy control.

Challenges: Cisco has multiple SD-WAN offerings that are not integrated and cannot be managed via a single management interface. While Cisco SD-WAN powered by Meraki is easy to operate via an intuitive GUI, it offers relatively limited functionality, including a lack of end-to-end segmentation. While providing powerful segmentation, Cisco SD-WAN powered by Viptela is highly customizable and complex, making it challenging to configure and manage. Cisco does not offer mobile provider visibility and prioritization and lacks 5G intelligence and insights. While Cisco has a large installed base, it tends to lag behind many new vendors in terms of the pace of innovation.


Cradlepoint

Founded in 2006 and an Ericsson subsidiary since 2020, Cradlepoint provides SD-WAN connectivity over 4G and 5G with optimal routing capabilities and built-in failover, enabling hybrid WAN with wired broadband options to be used as primary or mixed-use solutions to connect remote locations. Cradlepoint’s SD-WAN portfolio encompasses SD-WAN routers, NetCloud Service, and NetCloud Exchange (NCX). In addition to offering a choice of adapters, routers, and NetCloud Service Essentials or Advanced subscriptions, Cradlepoint also offers five discrete packages providing connection management and internet of things (IoT), network, and security services for branch, IoT, mobile, and small office/home office (SOHO) deployments.

Figure 7. NetCloud at a Glance

Orchestrating Cradlepoint’s LTE and 5G wireless edge routers and adapters, the subscription-based NetCloud Service offers end-to-end visibility for users, devices, and applications via centralized dashboards, analytics, and insights. It automates processes and unlocks services as needed to scale, delivering zero-touch deployment, policy-based control and lifecycle management, enterprise-class routing and security, full-stack analytics and insights, and extensibility tools.

As an extension to Cradlepoint NetCloud Service, NetCloud Exchange (NCX) is a cloud-native WAN architecture that integrates advanced SD-WAN, security, and 5G—sharing standard components, policies, and processes—all managed via a single pane of glass. In addition, advanced cellular intelligence provides enhanced insights and visibility of the 5G network. NCX encompasses NCX Secure Connect, NCX Service Gateway, and NCX SD-WAN.

  • NCX Secure Connect: A network security solution offering a simple-to-manage alternative to complex VPN infrastructures for securely connecting sites, vehicles, IoT, and remote workers, NCX Secure Connect provides any-to-any connectivity and drastically reduces the attack surface by building undiscoverable network resources. Unlocking operational agility through built-in tunnel orchestration, Secure Connect simplifies configuration with name-based routing and overlapping IP addressing.
  • NCX Service Gateway: The service delivery foundation for NCX, the NCX Service Gateway provides the secure data-plane and policy enforcement capabilities for Secure Connect to orchestrate agile networks from Cradlepoint routers between sites, vehicles, IoT, remote workers, and digital resources in the cloud, data center, and external sites. In addition, the gateway houses the engines that power SD-WAN and security services at the network level. Delivered on-premises or in a hosted environment, the Service Gateway can be deployed on a physical server, virtual infrastructure, or cloud environment.
  • NCX SD-WAN: Delivering SD-WAN capabilities with a specific focus on optimizing traffic over wireless WANs, NCX SD-WAN is built for wireless scale and simplicity. It provides cellular optimization, including carrier-centric traffic steering, inline traffic measurement, and cellular-centric policy criteria (such as signal strength and data usage). As a result, it allows organizations to enhance application quality of experience easily and optimize traffic across redundant cellular providers and hybrid WANs.

Secure Connect service is a prerequisite for the NCX SD-WAN service. The Service Gateway is provisioned and managed via the NetCloud Service.

Strengths: Backed by Ericsson, Cradlepoint has a broad 5G business portfolio encompassing both routers and adapters with indoor and outdoor deployments optimized for spectrum layers and cellular bands. Sophisticated cloud management simplifies all aspects of the wireless WAN lifecycle, including intuitive multilayered dashboards, bulk orchestration, zero-touch deployments, over-the-air OS upgrades, and rich application programming interfaces (APIs) for integration with third-party applications. Cradlepoint NetCloud Exchange includes fully integrated ZTNA and recognizes over 3,500 applications for creating application-based policies applied across the entire WAN edge with just a few clicks.

Challenges: Cradlepoint’s portfolio is designed to optimize traffic over LTE, 5G NSA, 5G SA network slices, broadband, and Wi-Fi as WAN, and may not align with enterprises that don’t require cellular wireless connectivity. Cradlepoint NetCloud currently lacks adaptive traffic steering leveraging AI/machine learning (ML) capabilities and out-of-the-box integration with public clouds. Cradlepoint primarily provides solutions to NSPs, CSPs, and system integrators (SIs) for building public and private LTE and 5G networks. Enterprises wishing to take advantage of Cradlepoint’s endpoints as part of a broader LTE or 5G initiative may need to involve an SI, resulting in significantly increased project costs.


Ecessa

Founded in 2002 and a subsidiary of Pineapple Holdings, Inc., Ecessa has been designing and supporting SD-WAN solutions for over 20 years. Ecessa deploys automatic failover and leverages up to 25 communication links—from MPLS, low-cost broadband, cable, satellite, microwave, and cellular 5G/4G/LTE—to guarantee uptime for their clients’ businesses. Regarding the availability of its SD-WAN solutions, Ecessa registered “Never Down” as its trademark. Ecessa’s portfolio includes Ecessa Edge appliances, Ecessa PowerLink controllers, Ecessa WANworX Secure SD-WAN, and Ecessa Insight.

Figure 8. WANworX Secure SD-WAN at a Glance

Ecessa’s WANworX Secure SD-WAN is a full-featured SD-WAN solution for virtualized environments, combining robust hardware, innovative software, and network design and support services. Offered as appliances or virtual instances, WANworX allows organizations with multiple locations to combine private MPLS leased lines and public broadband links to create a cost-effective and scalable multitenant network spanning headquarters, data centers, co-location facilities, and Microsoft Azure public cloud instances. The WANworX software stack includes a Layer 7 NGFW, encryption, and full routing capabilities. When combined with Ecessa Insight, WANworX enables customer networks to automatically detect, respond, and report on all network connection issues.

All traffic management features are located on the Ecessa Edge appliance, with configuration and policies managed via Ecessa Insight. Routing and traffic shaping are also managed locally or globally within the existing enterprise network leveraging multiple WAN connections from any combination of wired and wireless transports. Using intelligent outbound traffic management to load balance across all WAN links and DNS to load balance inbound services, Ecessa PowerLink delivers failover and load balancing technology combined with an NGFW for increased reliability, security, bandwidth, and redundancy of any network. By leveraging multiple connections—including 4G/5G, cable, fixed wireless, satellite, and xDSL—Ecessa PowerLink creates multihomed networks of up to 25 WAN links to eliminate link congestion and deliver reliable access and network performance. In addition, PowerLink allows traffic to be deployed across multiple internet and/or service provider networks for redundant link connectivity, enabling automatic real-time failover.

In addition to supporting geographically redundant, full mesh networking and active hardware failover, Ecessa’s Fail-to-Wire option keeps a data path open during unexpected interruptions—such as a power loss—of an Ecessa appliance. In the unlikely event of a controller failure, the secondary device seamlessly takes control of all traffic, adding another layer of network resiliency. In addition, WANworX Virtual Instance support for Azure includes the same IP failover, so connections to cloud-based VoIP, unified communications as a service (UCaaS), and other applications are never lost.

Ecessa provides multitier management services via command-line interface (CLI), device graphical user interface (GUI), and web application interfaces. A centralized, browser-accessed management tool, Ecessa Insight is an end-to-end deployment, configuration, and management tool that can easily be customized with multiple user-definable applications, including maps, dashboards, and reports. Providing detailed network and historic device performance data, the interface enables administrators to view various layers of physical and geographical topologies. In addition, it includes QoS traffic management for guaranteed performance of business-critical applications.

Strengths: Ecessa’s product line provides everything SMBs require—from basic failover to full data duplication in both physical and virtual formats. Ecessa Edge appliances incorporate load balancing and Layer 7 security, while PowerLink adds enhanced performance and resilience capabilities to the network. In addition, WANworX can be installed on either physical hardware or on different hypervisors to provide performance tailored to the customer’s needs.

Challenges: WANworX Secure SD-WAN lacks application awareness, integrated branch support, ZTNA capabilities, and on-premises management capabilities. In addition, WANworX only supports Azure public cloud instances. As a relatively small company, Ecessa lacks the ability to innovate at the same speed as industry-leading vendors. Moreover, Ecessa is currently looking for a buyer to ensure the company’s long-term viability, so prospective customers should verify the situation before committing.

Evolving Networks

Founded in 2008, UK-based Evolving Networks offers SD-WANaaS catering to any network topology and any number of sites connecting any combination of data centers, clouds, and branch locations. The result of over a decade of development, Evolving Networks’ SDN Platform is a flexible networking solution sitting above traditional ISP infrastructure. Leveraging a unique, multiple virtual network operator (VNO) model featuring redundancy across all systems, the SDN Platform includes additional systems designed to support and augment Evolving Networks’ connectivity via a series of interconnected cloud platforms.

Figure 9. SDN Platform at a Glance

Evolving Networks SDN Platform is a multilink, carrier-independent, aggregated multiple-Gbps managed SD-WAN with cloud integration. Transcending any single carrier or provider, the network underlay comprises Ethernet leased lines where appropriate and cost-effective, FTTx where it will deliver more bandwidth at lower cost, and 4G/5G where access is difficult or transient. Circuits are installed and managed by Evolving Networks under VNO agreements with the carriers. Data is transferred through multiple carrier networks simultaneously to ensure SLA-based resilience, uptime, and aggregated bandwidth. Any combination of Layer 2 and 3 virtual network topologies can be customized to match each customer’s business needs, with stretch VLANs spanning multiple sites.

SDN Platform offers full bi-directional QoS with zero-touch packet optimization and automated carrier switching for prioritized applications. Advanced link health monitoring and telemetry of network underlay circuits allow traffic flows to be visualized, engendering increased confidence in the usability of the network. Multipath packet vectoring provides seamless sub-second reaction times to network events, with EVX edge appliances and the central AI engine making complex decisions to determine where each packet is vectored.

Implemented on physical Evolving Networks appliances or as a virtual network function (VNF) running on the customer’s virtual platforms, the EVX is an intelligent edge device connecting each site to the SDN Platform via Evolving Networks’ Intelligent Network Fabric (INF), which is embedded in every EVX and throughout the core network. In addition to gathering critical telemetry and diagnostic data, EVX devices manage bandwidth aggregation, WAN optimization, QoS, and failover between lines in the event of faults. Rather than customers having to source their own appliances, each EVX—whether an edge appliance in a branch office or a core VNF handling a peering point to the cloud—is included as a component of the SD-WAN as a service.

Critical to the ecosystem’s traffic management, fault detection, and fault remediation capabilities, each EVX appliance works in concert with the broader intelligence of the ecosystem and Evolving Networks engineers based on the telemetry and other diagnostic data collected. Everything—from sync rates and signal-to-noise ratios to latency and jitter—is continually analyzed by the ecosystem’s AI engine to make dynamic routing decisions. In addition, developing faults are proactively detected before they impact end users and fed back to the EVX through network routing or packet prioritization commands, reducing the decision-making workload.

Strengths: Designed from the ground up, Evolving Networks’ SDN Platform provides customized, flexible, resilient, and scalable SD-WANaaS connectivity between customer premises and the internet, linking users to applications and data, irrespective of the users’ locations or devices used, or where applications and data reside. A unique network topography is tailored to meet the visualization needs of each customer. It employs packet-level traffic management to address the quality and bandwidth issues of the UK’s broadband infrastructure, including the customer’s connection to the ISP.

Challenges: While previously only available in the UK, Evolving Networks has active sites in Australasia and Europe. In addition, the company is rolling out its first deployment in the US. Moreover, since building a robust ecosystem in new geographies takes time, prospective customers should evaluate their requirements against Evolving Networks’ partner roadmap and support capabilities. SDN Platform does not offer the advanced security capabilities found in many other SD-WAN solutions but does provide integration with third-party providers, including routing Zscaler tunnels across SD-WAN backbones for customers.

FatPipe Networks

Founded in 1989, FatPipe specializes in business continuity solutions and holds 11 US patents and more than 180 technology claims related to WAN acceleration, optimization, reliability, and security. FatPipe claims to be the original creator of the SD-WAN and “the world’s most innovative creator of router clustering, a WAN redundancy technology, which affords companies automatic and dynamic failover of a downed data line connection due to a WAN component or service failure.” FatPipe sells its products worldwide through a network of authorized distributors and value-added resellers (VARs).

Figure 10. FatPipe SD-WAN at a Glance

FatPipe SD-WAN offers easy migration to a managed hybrid network (a combination of the public internet and private circuits), enabling enterprises to manage their wide area network centrally, manage branch office configurations, and deploy appliances with zero-touch installation. FatPipe provides connectivity using any combination of MPLS, broadband, wireless, or satellite connections. FatPipe load balances across these multiple paths and split-tunnels the internet traffic to the public cloud for access to public servers. Direct internet access can be added efficiently and cost-effectively at the branch level to increase available bandwidth. Furthermore, FatPipe’s advanced policy management allows cloud-destined applications to be routed directly from the local internet connection while maintaining corporate security policies.

Combining multiple public and private data lines enhances flexibility and increases reliability by over 300%. Ideal for businesses requiring a secure, highly available WAN, FatPipe’s Hybrid Multi-Line WAN technology accelerates the transfer of encrypted data over multiple lines and significantly increases the security of the transmission. Designed for simplicity, FatPipe technology is easy to use and can be implemented with minimal disruption. Eliminating the need to replace or upgrade existing hardware, increasing bandwidth capacity or adding features is a matter of updating software licenses and initiating remote upgrades.

On-premises applications also benefit from a FatPipe-managed hybrid network. FatPipe’s patented multipath security, or MPSec, manages application flows, and load balances them across the available paths between the data center and remote sites. Offering granular control of how traffic flows are load balanced, MPSec performs DPI based on numerous factors—such as jitter, latency, packet loss, and point-to-point bandwidth—to find the optimal path and dynamically load balance traffic, ensuring the best possible network experience. Moreover, MPSec’s path failure remediation capabilities provide sub-second failover to an available route, ensuring that critical transactions—such as credit card, patient information, and other continuity-required transactions—remain up and stateful without the need for resending.

FatPipe’s comprehensive Hybrid WAN management suite includes FIPS 140-2 encryption and FatPipe’s patented SmartDNS, providing customers with inbound failover capabilities. In addition, FatPipe is incorporating NGFW and IPS/IDS features into FatPipe SD-WAN, providing a highly secure traffic management solution with an integrated firewall. FatPipe SD-WAN comes in three tiers: SD-WAN Basic, SD-WAN Advanced, and SD-WAN Pro. Users can choose the appropriate tier providing the features required at each branch.

Strengths: Simplifying the deployment and management of connectivity at remote sites, FatPipe SD-WAN offers the ability to manage both WANs and branch office configurations centrally. A centrally orchestrated overlay network allows the enterprise to select the best available underlay per location and deploy edge appliances using zero-touch installation. In addition, the central orchestrator will enable companies to dynamically allocate additional bandwidth to improve the performance of VoIP, video, and other business-related applications.

Challenges: Users complain of a lack of visibility into the status of each connection, with some reporting that their ISP connection was down for as long as two days before being discovered. In addition, FatPipe support services do not have a customer-facing ticketing system, increasing time to resolution. Finally, FatPipe edge devices need to be upgraded every two or three years—including replacing solid state drives (SSDs) inside the appliance to upgrade the firmware—increasing TCO.


Forcepoint

Founded in 1994, Forcepoint is a cybersecurity company delivering data loss prevention technology and risk-adaptive protection (RAP) to ensure the trusted use of critical data and systems. Launched in June 2022, the FlexEdge Secure SD-WAN portfolio integrates Forcepoint’s application-centric SD-WAN with the company’s proven network security and threat protection technologies embedded in the Forcepoint ONE SSE platform, simplifying connectivity and network security for branch offices and remote sites of all sizes.

Figure 11. FlexEdge Secure SD-WAN at a Glance

Simplifying and modernizing branch networking and security, FlexEdge enables connectivity for remote sites of all sizes to be seamlessly managed from a single set of policies in a centralized console. It allows distributed enterprises and governments to use a combination of private MPLS, local internet broadband, and mobile links, automatically using the correct connections for each application. Furthermore, FlexEdge builds on advanced intrusion protection that businesses and government agencies depend upon to accelerate performance for accessing cloud applications, protect machine-to-machine communication between branches and internal systems, and future-proof their operations by transitioning to a secure service access (SSA) architecture.

FlexEdge Secure SD-WAN enables direct-to-cloud links to be mixed with private MPLS circuits to deliver high reliability and performance when connecting sites to the cloud or other offices. In addition, it can monitor application and network performance to help networking teams proactively spot and fix issues before they impact business productivity. Deployed as physical, virtual, or cloud appliances managed via a single console, Forcepoint tailors access control and deep inspection to each connection to provide high performance and security.

Combining granular application control, IPS defenses, built-in VPN control, and mission-critical application proxies into an efficient, extensible, and highly scalable design, FlexEdge Secure SD-WAN incorporates powerful anti-evasion technologies to decode and normalize network traffic before inspection and across all protocol layers to expose and block advanced threats. It also leverages endpoint executable enforcement and machine authentication using Forcepoint Endpoint Context Agent (F1E).

Forcepoint’s distributed architecture is designed specifically for hybrid environments, with up to 16 nodes comprising different models running different software versions that can be clustered together in active-active, mixed clustering mode. Moreover, Forcepoint enables policy updates and software upgrades to be seamlessly pushed to a cluster without interrupting service. FlexEdge Secure SD-WAN can also be configured with Forcepoint MultiLink technology to help to maintain business continuity in the event of an unexpected outage or downtime.

Forcepoint is tightly integrating FlexEdge Secure SD-WAN with Forcepoint ONE—an all-in-one cloud platform encompassing a SWG, CASB, and ZTNA—to protect people using the web, cloud, and private applications at remote sites by enabling FlexEdge Secure SD-WAN appliances to be managed from anywhere. In addition, Forcepoint will be incorporating the networking components of FlexEdge onto the Forcepoint ONE platform to provide a true, cloud-native, all-in-one SSA solution. Forcepoint ONE is deployed in AWS with more than 300 PoPs worldwide, providing low-latency connectivity and 99.99% uptime SLAs. In addition, elements of Forcepoint ONE can be deployed in Microsoft Azure and other leading cloud platforms.

Strengths: Offering easy, rapid deployment (zero-touch with a simple download, plug-and-play through a USB, or via an API-based configuration), FlexEdge Secure SD-WAN allows teams to improve operational efficiency without sacrificing security or functionality. Integrating direct-to-cloud connectivity with industry-leading network security and threat protection, Secure SD-WAN centrally administers and controls up to 6,000 physical, virtual, and cloud appliances from a single console using zero-touch deployment and management.

Challenges: Replacing Forcepoint Secure SD-WAN, FlexEdge Secure SD-WAN is Forcepoint’s strategy for strengthening its SD-WAN capabilities before incorporating the networking components of FlexEdge into the Forcepoint ONE platform to modernize networking infrastructure to support the hybrid workforce. While greenfield customers looking for an end-to-end SSA solution would do well to add FlexEdge Secure SD-WAN to their shortlist, non-Forcepoint brownfield customers wishing to deploy an SD-WAN should carefully evaluate the cost and effort before committing.


Fortinet

Founded in 2000, Fortinet offers a comprehensive product portfolio supporting hardware, software, virtual machines, containers, and cloud-based deployment options. Consolidating SD-WAN, NGFW, advanced routing, and ZTNA application gateway functions, Fortinet Secure SD-WAN supports cloud-first, security-sensitive global enterprises and the hybrid workforce.

Figure 12. Fortinet Secure SD-WAN at a Glance

Organically developed and purpose-built, Fortinet Secure SD-WAN enables thin edge (routing or SD-WAN) and WAN Edge (NGFW, routing, or SD-WAN) to securely connect to any application, user, or data located anywhere. The application-driven approach provides broad application steering with accurate identification, advanced WAN remediation, and accelerated cloud on-ramp for optimized network and application performance. In addition, a built-in NGFW combines SD-WAN and security capabilities in a unified solution to help preserve the security and availability of the network.

Complemented by an ASIC-accelerated platform to deliver a high-performance SD-WAN solution, Fortinet Secure SD-WAN consists of FortiGate appliances, the FortiOS operating system, the centralized Fabric Management Center, and FortiGuard Security Services.

  • FortiGate: A broad portfolio available in different form factors (physical and virtual), FortiGate appliances help reduce cost and complexity by combining NGFW, SD-WAN, and advanced routing capabilities within a unified platform that allows customers to eliminate multiple point products at the WAN edge. Application-specific integrated circuit (ASIC) acceleration of SD-WAN overlay tunnels and application identification, steering, remediation, and prioritization help ensure the best user experience for business-critical, SaaS, and UCaaS applications.
  • FortiOS: Offering real-time application optimization for a consistent and resilient application experience, Fortinet’s unified operating system delivers a security-driven strategy to secure and accelerate network and user experience. An advanced NGFW offers protection and prevention from internal and external threats while providing visibility across the entire attack surface. Cloud integration and automation are enabled via dynamic cloud connectivity.
  • Fabric Management Center: Providing simplified management, deployment, and automation, the Fabric Management Center allows administrators to centrally manage over 100,000 devices—including firewalls, switches, access points, and LTE/5G extenders—from a single console. REST APIs, scripting tools (such as Ansible and Terraform), and fabric connectors enable automation to reduce complexity, while role-based access control (RBAC) provides management flexibility and separation.
  • FortiGuard Security Services: Enhancing SD-WAN security with advanced protection, FortiGuard Security Services provide coordinated real-time detection and prevention against sophisticated known and unknown threats, protecting content, applications, people, and devices. Real-time insights are achieved by processing extensive amounts of data at cloud scale, analyzing that data with advanced AI, and then automatically distributing the resulting intelligence back for enforcement and protection.

Fortinet Secure SD-WAN is also a core component of FortiSASE. A cloud-delivered security service designed for securing remote users, FortiSASE combines cloud-delivered security services with flexible deployment options in a security as a service (SECaaS) model. In addition, Fortinet has over 30 PoPs located worldwide but relies on peering relationships with partners to deliver connectivity via private backbones.

Strengths: Boasting an installed base of over 20,000 customers, Fortinet Secure SD-WAN enables enterprises to transform and secure all WAN edges. Secure SD-WAN provides an enhanced security posture based on converged networking and security to help achieve operational continuity and efficiency by leveraging a security-first networking approach using one operating system and one centralized management console. A mature solution offered at a competitive price, Secure SD-WAN is highly scalable from small to extensive sites with robust cloud on-ramp features.

Challenges: While Fortinet is an industry leader, failover from one SD-WAN circuit to another is not seamless, requiring manual intervention at times. Customers report increasing complexity, challenging migrations, high licensing costs, and too many firmware updates, many of which include software bugs. In addition, several functions are missing from the GUI, requiring administrators to use the CLI for configuration. Furthermore, Fortinet lacks an extensive partner ecosystem and seamless out-of-the-box integrations with third-party devices.


Graphiant

Founded in 2020 by Khalid Raza (the co-founder and CTO of Viptela before its acquisition by Cisco), Graphiant is a Silicon Valley-based startup offering next-generation edge services. Launched in September 2022, the Graphiant Network Edge is an as-a-service solution providing connectivity between the enterprise WAN, hybrid cloud, network edge, customers, and partners. It combines MPLS-like performance—with guaranteed delivery and privacy—and internet-class agility, enabling network engineers to build enterprise-grade networks at the speed of business.

Figure 13. Graphiant Network Edge at a Glance

Graphiant’s goal is to create a new model of private networking to enable a marketplace for business communication, enhancing edge networking capabilities by building a network service platform delivered as a service. Instead of creating a network infrastructure to support new business projects, businesses consume the network. By providing a marketplace of connected applications and services, companies can publish services that only their private customers can access over programmable internet infrastructure.

Graphiant leverages several partnerships, including Intel Smart Edge, a converged Kubernetes-based, software-defined, edge-native computing platform that abstracts networking and deployment complexities. Combining cloud-native technologies, wireless networking, and high-performance computing experience kits helps speed up the development of edge solutions hosting network functions alongside AI, media processing, and security.

Running on physical, virtual, or cloud environments—including AWS, Azure, and GCP—the Graphiant Network Edge is made up of Graphiant Edge devices, the Graphiant Stateless Core, the Graphiant Cloud Edge, and the Graphiant Portal.

  • Graphiant Edge: Physical Intel Xeon-based or virtual edge devices connect the customer network to the Graphiant Stateless Core. Ready for deployment within a few minutes of booting, the devices are on-boarded and identified via the Graphiant Portal. All data traveling across the tunnel connection between the edge and the web portal is encrypted before it leaves the customer or partner site and never decrypted in transit.
  • Graphiant Stateless Core: Accessed via the Graphiant Portal, the Graphiant Stateless Core is a PoP-based private network that handles all routing. Since traffic stays encrypted from edge to edge based on standard SLAs and QoS, the core does not contain any customer information, ensuring regulatory compliance and guaranteeing SLA-grade performance.
  • Graphiant Cloud Edge: A virtual connector, Graphiant Cloud Edge connects the Graphiant Stateless Core to public clouds, including AWS, Azure, and GCP.
  • Graphiant Portal: An intuitive cloud-based user interface enabling the enterprise to set up network policies and provision connectivity. The Graphiant Portal acts as the single entry point to access, configure, and monitor Graphiant Edge devices.

Strengths: Eliminating the need to build tailored connectivity between every resource, edge network, hybrid cloud, customer, and partner, Graphiant Network Edge provides MPLS-level network connectivity delivered as a service. Built in partnership with Intel, the Graphiant Network Edge puts customers in control of their networks, allowing them to spin up connectivity on demand and scale at the speed of business by avoiding costly configuration time and tunneling bottlenecks. Graphiant Network Edge also eliminates the need for specialized hardware at the core and edge.

Challenges: Graphiant Network Edge runs out of Equinix data centers and is currently only available in the continental United States. However, Graphiant is expanding its global footprint with plans to spin up its first international PoPs in early 2023. Because Graphiant Network Edge is a revolutionary new SD-WAN concept, potential customers should engage in a proof of concept before committing. In addition, the company plans on doing all of its business through the channel.

HPE Aruba Networking

Founded in 2015 when it was spun off from HP Inc. (formerly Hewlett-Packard Company, or HP), Hewlett Packard Enterprise (HPE) is a global edge-to-cloud company offering a portfolio of workload-optimized products, solutions, and services. A solution within HPE Aruba Networking’s portfolio based on the 2020 Silver Peak acquisition, the Aruba EdgeConnect SD-WAN (previously branded as Aruba EdgeConnect Enterprise) platform enables enterprises to improve application performance and dramatically reduce the cost and complexity of building a WAN by leveraging broadband internet to connect users to applications.

Figure 14. EdgeConnect SD-WAN at a Glance

Aruba EdgeConnect SD-WAN is built upon an application-specific virtual WAN overlay model using any combination of underlay circuits, including 4G/5G, public internet, MPLS, and satellite. Multiple overlays may be defined to abstract the underlying physical transport services from the virtual overlays, each supporting different QoS, transport, failover, and security policies. In addition, groups of applications are mapped to different business intent overlays (BIOs), delivering applications to users based on business requirements. BIOs may also be deployed to extend microsegmentation of specific application traffic from the data center across the WAN to help maintain security compliance mandates.

The Aruba EdgeConnect SD-WAN platform comprises three components: Aruba EdgeConnect SD-WAN appliances, Aruba WAN Orchestrator, and Aruba WAN Boost.

  • Aruba EdgeConnect SD-WAN appliances: Supporting common hypervisors and public clouds, physical or virtual SD-WAN appliances are deployed in branch offices to create a secure, virtual network overlay. This enables customers to move to a broadband WAN at their own pace, whether site-by-site or via a hybrid WAN approach using MPLS or broadband internet connectivity.
  • Aruba WAN Orchestrator: Providing visibility into both legacy and cloud applications, Aruba WAN Orchestrator centrally assigns policies based on business intent to secure and control all WAN traffic, accelerating and simplifying the deployment of multiple branch offices and ensuring consistent policies across applications. Customers can launch the Aruba WAN Orchestrator software directly from Aruba Central, providing an enterprise-wide view of SD-WAN topology, health status, and alarms of all EdgeConnect Enterprise appliances in addition to other Aruba wired and wireless network devices.
  • Aruba WAN Boost: An optional WAN optimization performance pack, Aruba WAN Boost combines sophisticated WAN optimization technologies with Aruba EdgeConnect SD-WAN to create a single, unified WAN edge platform. It allows companies to accelerate the performance of latency-sensitive applications and minimize redundant data transmission across the WAN.

In addition to EdgeConnect SD-WAN, Aruba’s unified EdgeConnect SD-WAN Fabric offers multiple access gateways supporting locations of any size, including EdgeConnect Mobile for remote workers, EdgeConnect Microbranch for home and small offices, and EdgeConnect SD-Branch supporting branch transformation with fully integrated, cloud-managed wireless and wired switching, SD-WAN, and security. Furthermore, Aruba EdgeConnect SD-WAN offers out-of-the-box integration with leading cloud security solutions—from Check Point, McAfee, Netskope, Palo Alto Networks, Symantec, Zscaler, and others—to create a seamless SSA architecture, ensuring consistent enterprise-wide security policies based on business requirements.

Strengths: EdgeConnect SD-WAN Fabric offers an SD-WAN solution with multiple access gateways. Business intent overlays classify applications based on their unique performance and security requirements, while first-packet IQ technology identifies and classifies applications on the first packet, enabling granular traffic steering, fine-grained security policy enforcement, and differentiated application QoS based on business requirements. In addition, EdgeConnect includes automated integration with leading IaaS and PaaS providers, including AWS, Azure, Equinix, GCP, Megaport, and Oracle Cloud Infrastructure.

Challenges: HPE Aruba continues to integrate EdgeConnect SD-WAN (Silver Peak) solutions into the Aruba Edge Services Platform (ESP) portfolio. However, the company does not offer 5G cellular support, edge-to-edge orchestrated role-based microsegmentation, full-stack cloud-scale analytics, network as a service, or native SSA, cloud-delivered capabilities. Based on HPE Aruba’s roadmap, we expect to see several of these features in the next 12 to 18 months.


Huawei

Founded in 1987, Huawei Technologies Co., Ltd. is a Chinese multinational technology corporation and global provider of consumer electronics, communications and information technology infrastructure, and intelligent devices. Since 2005, Huawei’s overseas orders have exceeded its domestic sales, and it continues to expand its foreign operations in over 170 countries despite geopolitical issues and exclusion from numerous mobile 5G rollouts.

Figure 15. Huawei SD-WAN at a Glance

Purpose-built to provide on-demand connectivity between branches, data centers, and clouds, Huawei SD-WAN features anytime, anywhere 5G interconnections, application-based intelligent traffic steering and acceleration, and intelligent operations and maintenance. Offering flexible networking and on-demand service interconnections—including 5G ultra-broadband—Huawei SD-WAN supports up to 20,000 devices.

Huawei SD-WAN comprises NetEngine AR routers (the network connection layer), Reflect Routers (the control layer), and iMaster NCE (the management layer).

  • NetEngine AR routers: Integrating routing, switching, voice, and security functions, the NetEngine AR portfolio ranges from large-capacity, high-reliability routers—serving as core nodes on large enterprise and metro networks—to enterprise gateways suitable for medium-sized campus networks and SMB headquarters and branches.
  • Reflect routers (RRs): An alternative to the full-mesh internal BGP (iBGP) routers, Reflect routers work with iMaster NCE to readvertise available routes, implement automatic deployment and configuration, automate policy provisioning, and provide optimal network interconnections.
  • iMaster NCE: An intuitive user interface, iMaster NCE offers complete process management across enterprise interconnection services. In the southbound direction, iMaster NCE uses NETCONF/YANG to implement unified device management, RR mapping and orchestration, configuration and orchestration of VPN topologies, and provisioning and managing network service policies. In the northbound direction, iMaster NCE provides standard RESTful APIs for easy integration with third-party applications and cloud platforms.

An optional iMaster NCE component, iMaster NCE CampusInsight is a network analyzer using telemetry to collect network metrics in real time, enabling administrators to visualize application and user connectivity at any time. Drawing on AI/ML technologies, iMaster NCE CampusInsight precisely identifies 85% of potential issues while efficiently detecting faults and optimizing the network.

Customers can flexibly select single-layer or multilayer networking topologies tailored to their network scale and needs. At the same time, NSPs and MSPs can deploy multitenant, high-performance gateway devices to provide enterprise tenants with services using traditional private-line networks and PoP-based networking services. For security purposes, tenants are fully isolated and invisible to each other, with each tenant independently maintaining their own SD-WAN. In addition, Huawei’s multitenant interworking gateway (IWG) provides flexible access between SD-WAN sites and legacy MPLS sites, facilitating migration from legacy enterprise networks to an SD-WAN.

Strengths: Boasting a robust, secure SD-WAN portfolio, Huawei has a rich history of innovation based on solid relationships forged with industry leaders and universities. A leader in 5G technologies, Huawei is leveraging its expertise to deliver a differentiated SD-WAN solution. Supporting 5G uplinks, Huawei SD-WAN offers cable-free connectivity, enabling rapid network provisioning and per-flow load balancing for optimized 5G link utilization. In addition, Huawei SD-WAN offers intelligent traffic steering capabilities, including first packet identification (FPI), service awareness (SA), and in-line detection technology for implementing multidimensional optimal route selection based on application SLAs.

Challenges: Huawei’s addition to the US Department of Commerce’s Bureau of Industry and Security’s Entity List for allegedly “undermining US interests” limits the company’s penetration of some markets and geographies (primarily for 5G deployments), including Australia, the UK, and the US. Huawei lacks some of its competitors’ advanced security and SSA capabilities, relying on third-party solution providers to fill the gaps.

Juniper Networks

Founded in 1996, Juniper is an industry leader in networking and has aggressively acquired several companies to fill out its AI-driven automation portfolio. Powered by Juniper’s Session Smart Routing (acquired with 128 Technology in 2020) and the Juniper Mist Cloud (acquired with Mist Systems in 2019), Juniper SD-WAN simplifies network operations and eliminates the inherent inefficiencies and cost constraints of legacy solutions with resilient WAN connectivity, proactive insights, and automation. In addition, when combined with the Juniper Mist WAN Assurance service, Juniper SD-WAN delivers insights and automates troubleshooting for improved uptime and additional performance enhancements.

Figure 16. Juniper SD-WAN at a Glance

Based on Juniper’s original Contrail SD-WAN solution, the Juniper SD-WAN portfolio includes Juniper Session Smart Routers, Juniper SRX Series Firewalls, Juniper NFX Series Network Services Platform, Juniper Mist Cloud, and Juniper Mist WAN Assurance.

  • Juniper Session Smart Routers: Deployed as physical, virtual, or cloud appliances centrally managed via the Juniper Mist Cloud or Juniper Session Smart Conductor, Session Smart Routers create a zero-trust, application-aware network fabric offering failsafe service delivery.
  • Juniper SRX Series Firewalls: Protecting the network edge, data center, and cloud applications, SRX Series Firewalls are next-generation physical, virtual, and containerized firewalls providing flexibility, efficiency, and performance across on-premises, distributed, and cloud environments.
  • Juniper NFX Series Network Services Platform: A universal CPE platform providing secure SD-WAN and service delivery, the NFX Series Network Services Platform is an open framework supporting third-party VNFs for flexible branch deployments.
  • Juniper Mist Cloud: Delivered as a cloud service, Juniper Mist Cloud combines network intelligence, AI, deep-learning insights, and microservices agility to deliver predictable, reliable, and measurable network access with complete visibility into the quality of experience (QoE).
  • Juniper Mist WAN Assurance: Simplifying network deployment and operations, Juniper Mist WAN Assurance improves visibility into end-user experiences and reduces the mean time to repair SD-WAN issues with industry-leading network automation capabilities.

A core technology underpinning Juniper SD-WAN innovation, Mist AI uses a combination of AI, machine learning, and data science techniques to optimize user experiences and simplify operations across the wireless access, wired access, and SD-WAN domains. Data is ingested from numerous sources—including Juniper Mist access points, firewalls, routers, and switches—for end-to-end insight into user experiences. The output is used to optimize the client-to-cloud user experience, including automated event correlation, root cause identification, self-driving network operations, network assurance, and proactive anomaly detection.

Strengths: Driven by Mist AI, the Juniper SD-WAN solution enables enterprises and MSPs to transform their SD-WAN business with simplified operations, better network performance, and improved customer engagements based on resilient WAN connectivity, proactive insights, and advanced automation capabilities. Leveraging Juniper’s artificial intelligence for IT operations (AIOps) capabilities, the Juniper SD-WAN Service Solution enables MSPs to deliver optimal WAN performance with fast root cause discovery, event correlation, and automated troubleshooting.

Challenges: With a solution based on a series of acquisitions, Juniper has the products but has yet to clarify its long-term strategy or integrate its offerings into a cohesive SD-WAN portfolio that is easy to articulate, deploy, and manage. Moreover, the lack of advanced security capabilities and out-of-the-box integrations with third-party security vendors increases complexity for smaller organizations with limited resources.


Nokia

Founded in 1865, Finland-based Nokia is a proven industry leader in wireless networking and is committed to innovation and technology leadership across mobile, fixed, and cloud networks. Working directly with enterprises, service providers, and SIs, Nokia claims to have an SD-WAN installed base including over 75 Tier 1, 2, and 3 CSPs and over 3,500 enterprise SD-WAN service instances. Acquired along with Alcatel-Lucent in 2015, the Nuage Networks Virtualized Services Platform (VSP) is an industry-leading network automation platform enabling a complete range of SDN, SD-WAN, and cloud solutions.

Figure 17. Nuage Networks Virtualized Services Platform at a Glance

Launched in 2014, VSP is a true SDN platform offering complete separation of management, control, and data planes delivering abstracted SD-WAN overlay services over any IP-based underlay transport (fixed or mobile). Supporting service provider scale and multitenancy customer instances, VSP is a platform of choice for CSPs wanting to deploy managed SD-WAN services from an on-premises network services platform. VNS provides robust integrations with existing IP-VPN/MPLS services, enabling brownfield networks to seamlessly migrate to SD-WAN or operate as hybrid MPLS-only and SD-WAN sites.

Built on VSP and hosted on a rigorously engineered, highly available cloud infrastructure, the Nokia Cloud Managed SD-WAN Service delivers managed SD-WAN on a subscription model to CSPs and SIs that want to enter the managed SD-WAN services market and provide self-branded managed network services directly to their enterprise customers. Hosted in Nokia or CSP-owned data centers, Nokia manages the Virtualized Services Directory (VSD), the Virtualized Services Controllers (VSC), and the enterprise-facing SD-WAN portal.

  • Virtualized Services Directory: A multitenant policy engine, VSD provides visibility and control across each enterprise SD-WAN service. It supports service definition capabilities with intuitive templates and provides a granular applications analytics engine with detailed reporting.
  • Virtualized Services Controllers: The VSC is a multitenant SDN controller built on Nokia’s SR-OS routing stack. It maintains all routing information and communicates with the customer branch appliances—or network service gateways—to establish SD-WAN overlay paths between enterprise locations.
  • SD-WAN portal: The SD-WAN portal is a multitenant management platform providing comprehensive network and application visualization and template-driven policy control of each SD-WAN service instance. Portal access can be assigned to the CSP or SI network operations center (NOC) team and the enterprise as a comanaged SD-WAN service.

Furthermore, Nokia Cloud Managed SD-WAN Service offers access to Nokia-operated SASE-Points of Presence (SASE-PoPs) as an optional feature, providing a natural extension from the SD-WAN service directly into the world’s leading public cloud providers, SaaS, and security vendors, including integration with Check Point’s unified Harmony security suite.

Strengths: Nuage Networks Virtualized Services Platform is an industry-leading network automation platform enabling a complete range of SDN, SD-WAN, and cloud solutions. Designed to scale, the VSP was built from the ground up as a managed services SD-WAN platform designed to replace MPLS WANs by offering strong isolation across all layers (management, control, and data plane) for multitenant SD-WAN service instances. In addition, integrated 4G and 5G mobile cores enable enterprises to incorporate their cellular/mobile assets—including IoT devices and sensors—into the same IT management domain as their SD-WAN branches.

Challenges: Despite being a leader in the 4G/5G space, Nokia needs to expand its SD-WAN capabilities to encompass mobile/IoT devices connected to the cellular network to provide consistent network, application, and security policies across the end-to-end enterprise landscape. Nokia has already integrated its SD-WAN service with the 4G/5G mobile core and can connect enterprise mobile devices to the SD-WAN instance, so we expect to see this capability in the next 12 to 18 months. In addition, Nokia needs to deliver an SD-WAN platform that will interoperate with any third-party security vendor to deliver a robust SSA solution.

Palo Alto Networks

With over 80,000 customers in more than 150 countries, Palo Alto Networks has been an established player in the cybersecurity market since 2005. The company’s SD-WAN solution, Prisma SD-WAN, is a cloud-delivered service that implements application-defined, autonomous, and integrated SD-WANs to help enterprises connect and secure their branch offices, data centers, and large campus sites without increasing cost and complexity. In addition, Prisma SD-WAN incorporates advanced technologies such as AIOps, integrated security, and application-aware policies to increase return on investment (ROI), simplify network operations, and improve the end-user experience.

Figure 18. Prisma SD-WAN at a Glance

Formerly known as CloudGenix, Prisma SD-WAN leverages AIOps and ML to simplify network and security management, combining deep application visibility with Layer 7 intelligence for network policy creation and traffic engineering. Facilitating application-aware policies, Prisma SD-WAN improves the end-user experience and enables the secure, cloud-delivered branch.

Enhanced AIOps capabilities provide rich telemetry of network insights, enabling administrators to perform granular trend analysis and automate tedious manual tasks. By analyzing historical data and continually learning (using a supervised learning methodology), Prisma SD-WAN provides visibility into performance data and dependencies, analyzes the data to identify events such as network bottlenecks, automatically alerts IT staff to problems and their root causes, and recommends solutions. Applying policies in the cloud, the platform provides complete visibility and traffic inspection across all ports and protocols, protecting traffic traversing the network across any link, including 5G, MPLS, and public clouds.

Integrating Prisma SD-WAN and Prisma Access for Networks (managed via a centralized cloud controller) allows customers to have a lightweight remote office hardware footprint while still providing a full suite of application-specific security policies. Prisma Access is a scalable, low-latency network leveraging the combined infrastructures of AWS and GCP, with over 100 service access points across 76 countries. Built from the ground up and backed by industry-leading SLAs, Prisma Access provides a consistent global services edge delivering comprehensive security coverage.

In October 2021, the company launched Prisma SASE (an SSA solution), combining the functionality of Prisma Access and Prisma SD-WAN with CASB, FWaaS, SD-WAN, SWG, and ZTNA in a single offering—with end-to-end visibility and autonomous digital experience management (ADEM) and remediation. Palo Alto also announced an integrated SD-WAN appliance with 5G, enabling customers to use 5G as a primary WAN with the flexibility of 4G/LTE in an active-active fashion. In February 2022, Palo Alto Networks introduced multitenant Prisma SASE enhancements for MSPs to simplify management and support of security and SD-WAN services for their customers, including an open API framework for MSPs to seamlessly integrate with their back-end infrastructure to automate Day 0 and Day 1 workflows.

Strengths: Providing consistent cloud-delivered security for remote users, Prisma SD-WAN automates tedious network operations using AIOps and ML methodologies. Palo Alto Networks’ edge devices, Prisma CloudBlades, expedite branch deployments and deliver comprehensive branch services—including security, multicloud, and collaboration tools—without needing to update the hardware, eliminating service disruptions. In addition, Prisma SD-WAN’s site summary dashboards display VPNs, circuits, and site health metrics, enabling administrators to easily consume and correlate data to discover long-term trends and issues.

Challenges: Prisma SD-WAN lacks advanced on-premises security capabilities, forcing customers to use either pre-existing firewalls or Prisma Access cloud-delivered security integration. The incumbent in many enterprise and mid-market accounts, Palo Alto Networks is aggressively moving to the cloud by acquiring the necessary building blocks and investing in integration with security vendors so customers don’t have to rip and replace when deploying an SSA solution. However, due to the complexity, scope, and size of its portfolio, the company’s ability to deliver a fully-integrated SSA platform lags compared to other vendors building SSA solutions from the ground up.


Peplink

Founded in 2007, Peplink provides a complete SD-WAN solution—including edge routers that can connect to multiple fixed or cellular WAN links simultaneously—and its unique, patented SpeedFusion technology. Peplink’s SpeedFusion SD-WAN technology incorporates over 70 patents powering enterprise VPNs using a single bonded data pipe tapping into the bandwidth of multiple cable, DSL, 3G/4G/LTE, and other low-cost links connected to corporate or institutional WANs.

Figure 19. Peplink SD-WAN at a Glance

Peplink’s SD-WAN solution comprises Peplink Routers, Peplink SpeedFusion, Peplink InControl 2, and SpeedFusion Connect Services.

  • Peplink Routers: Peplink has a comprehensive range of SD-WAN routers with various configurations offering different form factors, WAN/LAN interfaces, throughput, and carrier certifications to meet a wide range of customer requirements and deployment needs. The Peplink Balance series routers are designed for varying throughput requirements for enterprise use cases. In contrast, the rugged MAX series are primarily wireless 4G/5G routers equipped with single, dual, or multiple wireless modules. All Peplink routers can take advantage of SpeedFusion technology and be managed by InControl 2.
  • Peplink SpeedFusion: An end-to-end technology requiring a Peplink router and a headend (orchestrator), SpeedFusion technology uses carrier-agnostic bandwidth bonding to combine any type and number of low-cost WAN links—including mobile internet, public internet, and satellite—to boost network bandwidth, improve connection resilience, and improve network security. Customers have the choice of deploying the headend either on-premises or off-premises. The headend can be another Peplink router or FusionHub virtual appliance for on-premises deployment. Additionally, customers can use the SpeedFusion Connect Protect service to connect their routers to a Peplink or partner-hosted headend for off-premises deployments.
  • Peplink SpeedFusion Connect Services: Providing subscription-based access to Peplink’s global network of SpeedFusion endpoints and technology without requiring additional hardware, SpeedFusion Connect Services offers bandwidth bonding, WAN smoothing, and unbreakable connectivity from any compatible router. Simplifying deployment and reducing cost, customers can use SpeedFusion Connect Protect to connect to a Peplink or partner-hosted headend to establish a SpeedFusion connection. On newer Peplink devices, customers can use SpeedFusion Connect 5G/LTE (a prepaid service ideally used for failover standby) to purchase a block of mobile data enabling 5G or LTE access to cellular carriers in over 30 countries.
  • Peplink InControl 2: Enabling remote access to any Peplink device on the network, the InControl 2 cloud-based endpoint management system is an intuitive and easy-to-use centralized network controller providing granular control of any Peplink devices in the network. InControl 2 pushes configuration and firmware updates to hundreds of devices with a click of a button and applies schedules to SSID, firewall rules, outbound policies, and SD-switch ports. InControl 2 also simplifies network management by aggregating network information and presenting it in easy-to-read reports. The InControl 2 service is usually hosted on the public cloud, but a virtual appliance option for private hosting is also available.

Peplink offers standard hardware and software technical assistance via 8×5 support ticket and hardware warranty services to direct-purchase customers who are under a one-year warranty or have purchased CarePlan coverage. However, Peplink also provides extended support options for advanced hardware replacement and 24×7 ticket support.

Strengths: Peplink is a proven cellular router vendor focused on supporting the entire WAN edge, including Industry 4.0 and vehicle-installed IoT devices. Peplink’s patented SpeedFusion SD-WAN technology reduces costs and increases availability by consolidating multiple low-cost WAN links into a single bonded data pipe. In addition, Peplink’s InControl 2 provides public or private hosted single-pane-of-glass control of all Peplink devices deployed in the network.

Challenges: Peplink SD-WAN’s security lacks the robust features available in most competitive solutions. Moreover, customers find the InControl 2 dashboards challenging to navigate, and cellular health reports are not provided in real time. Devices must be registered in the cloud before being activated. In addition, Peplink’s hardware warranty is only one year, and standard support is currently only 8×5 and partner-led unless devices are purchased directly from Peplink. We expect this to change in early 2023 with the launch of a 24×7 support service offered by select partners.

Versa Networks

Founded in 2012, Versa claims to be the only vendor delivering a fully integrated, converged, secure SD-WAN solution deployed either on-premises or in the cloud—or as a hybrid combination of both—in a single software stack built on a single-pass parallel processing architecture. A core component of Versa SASE, Versa Secure SD-WAN offers an extensive set of capabilities, including integrated security capabilities, sub-second packet steering across multiple WAN interfaces, and packet loss reduction through services such as FEC, packet replication, and poor-performing link avoidance.

Figure 20. Secure SD-WAN at a Glance

Versa Secure SD-WAN leverages centralized policy-based management and a distributed enforcement model for configuring and enforcing which traffic should be sent over what path based on multiple variables, including but not limited to bandwidth, latency, jitter, and packet loss. SLA monitoring tracks the underlay network, and thresholds trigger predefined SLA policies, ensuring that traffic always uses the best possible path across all available WAN circuits.

Moreover, Versa recognizes over 3,500 applications, using a combination of device heuristic matching and SSL identification to configure SD-WAN traffic steering and firewall policies. Application signatures are regularly updated as part of the Versa Security Package deployments. Paths are assigned at runtime based on their configured priority, and traffic is sent on the SLA-compliant path with the highest priority. If there are multiple paths with the same priority, traffic is load balanced on a per-session basis (by default).
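The path-selection rule described above (SLA compliance first, then configured priority, then per-session load balancing among equal-priority paths) can be sketched as follows. This is an added illustration, not Versa code: the class and function names, the convention that priority 1 is highest, the hash-based tie-break, the behavior when no path is compliant, and all measurements are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    name: str
    priority: int       # assumption: 1 is the highest configured priority
    latency_ms: float   # latest measured values for this WAN circuit
    jitter_ms: float
    loss_pct: float

@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def met_by(self, p: Path) -> bool:
        return (p.latency_ms <= self.max_latency_ms
                and p.jitter_ms <= self.max_jitter_ms
                and p.loss_pct <= self.max_loss_pct)

def select_path(paths, sla, session):
    """Pick the path for one session (a flow 5-tuple), or None if no path meets the SLA."""
    compliant = [p for p in paths if sla.met_by(p)]
    if not compliant:
        return None  # the report does not describe this case; left to the caller
    best = min(p.priority for p in compliant)
    # Stable ordering of the equal-priority candidates, so the hash maps consistently.
    tied = sorted((p for p in compliant if p.priority == best), key=lambda p: p.name)
    # Per-session balancing: hash the 5-tuple so all packets of a session share a path.
    digest = hashlib.sha256(repr(session).encode()).digest()
    return tied[int.from_bytes(digest[:8], "big") % len(tied)]

# Constructed measurements: the highest-priority circuit currently violates latency.
PATHS = [
    Path("mpls", 1, 180.0, 4.0, 0.1),
    Path("broadband-a", 2, 35.0, 6.0, 0.3),
    Path("broadband-b", 2, 40.0, 8.0, 0.2),
    Path("lte", 3, 70.0, 15.0, 0.5),
]
VOICE_SLA = Sla(max_latency_ms=150.0, max_jitter_ms=30.0, max_loss_pct=1.0)

def demo():
    """Steer 200 constructed voice sessions and return the chosen path names."""
    sessions = [("10.0.0.5", 40000 + i, "198.51.100.9", 5060, "udp") for i in range(200)]
    return [select_path(PATHS, VOICE_SLA, s).name for s in sessions]

if __name__ == "__main__":
    picks = demo()
    print({name: picks.count(name) for name in sorted(set(picks))})
```

With these sample values the non-compliant MPLS circuit is skipped despite its priority, sessions spread across the two equal-priority broadband circuits, and LTE is used only if both of those fall out of SLA.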

Versa SD-WAN also acts as a DNS proxy with SD-WAN traffic steering, MP-BGP route exchange with SDN controller, stateful high availability, link aggregation, hierarchical QoS, per-tunnel QoS, and overlay encapsulation options (VXLAN, IPSec). Additional features include encrypted and unencrypted overlays with MPLS/GRE or VXLAN, SD-WAN controller, WAN circuit support, full-mesh topology, hub-spoke topology, dynamic IPSec overlays, direct internet access, and a perfect marriage of HTTP/S proxy.

The Versa SD-WAN portfolio includes the Versa Operating System (VOS), Versa Director (VOS orchestration), Versa Analytics (historical, prediction, and forensic insights), Versa Controllers (providing secure connectivity between branches), and the Versa Cloud Services Gateway (delivering cloud-native Versa SD-WAN services on-premises).

Versa Secure SD-WAN leverages the single-pass parallel processing architecture found in VOS. A multiservice, multitenant software solution built on cloud principles, VOS provides automation, programmability, and segmentation at scale. VOS’s unique architecture increases performance and mitigates security vulnerabilities and exposure by touching each packet only once for both networking and security. Maintaining complete routing and management separation, a single instance of VOS supports multicloud connectivity for multiple end customers. As a result, Versa’s multitenant architecture allows any MSP to deliver productized, value-added multicloud services.

Designed for lean IT enterprises lacking network and security resources, Versa Titan is a cloud-managed SD-WAN available through Versa’s partner ecosystem. Both Versa Secure SD-WAN and Versa Titan use the same building blocks, with the latter having a simplified user interface and a reduced set of configurable options.

Strengths: Versa Secure SD-WAN offers a broad set of features addressing a diverse group of customer needs. Versa provides an extensive list of secure SD-WAN capabilities such as sub-second packet steering across multiple WAN interfaces, packet loss reduction through services such as FEC, packet replication, and poor-performing link avoidance. Built from the ground up for multitenant environments, Secure SD-WAN’s core component, VOS, offers native segmentation and a true multitenant implementation with separate data planes, control planes, management planes, and analytics for each tenant.

Challenges: While boasting a competitive offering, numerous awards, a healthy roadmap, and over 5,000 SD-WAN customers, Versa Networks still lacks a fully integrated solution and end-user awareness in the SSA space. Moreover, despite Versa’s “one architecture fits all” philosophy, Versa SD-WAN lacks the flexibility and granular controls available in some alternative solutions. In addition, Secure SD-WAN cannot be combined with advanced security in the same appliance, resulting in customer frustration and churn. Finally, with Versa focused on developing Versa SASE, SD-WAN innovation may be delayed.


VMware

Founded in 1998, VMware is a leading provider of multicloud services for all applications, enabling digital innovation with enterprise control. Available standalone or as part of VMware SASE, VMware SD-WAN is a cloud-delivered solution ensuring high application performance and availability while lowering network costs. VMware SD-WAN provides a reliable and resilient WAN with a choice of connection types—including MPLS, LTE, Wi-Fi, and broadband. It can detect the slightest degradation in application performance, mitigate the risk over a single link using congestion mitigation technology, and adapt the network to a new layout without any noticeable impact on the user experience.

Figure 21. VMware SD-WAN at a Glance

In addition, VMware Edge Network Intelligence (integrated with VMware SD-WAN) offers deep visibility and actionable insights into the user experience extending beyond the WAN Edge. For example, it helps administrators determine whether a user experience is impacted due to the local wireless or wired LAN network, the SD-WAN network, network services, or the application.

VMware SD-WAN comprises VMware SD-WAN Gateways, VMware SD-WAN Edge appliances, the VMware SD-WAN orchestrator, and VMware SD-WAN Clients.

  • VMware SD-WAN Gateway: VMware SD-WAN incorporates a distributed network of service gateways deployed at top-tier cloud data centers worldwide, providing scalability, redundancy, and on-demand flexibility. Providing optimized data paths to all applications, branches, and data centers—and the ability to deliver network services from the cloud—VMware SD-WAN Gateway delivers multitenant gateway services and policy control points over a global footprint of more than 2,000 gateways providing scalable application access and performance supported by VMware and its partners.
  • VMware SD-WAN Edge: VMware SD-WAN Edges are zero-touch, enterprise-class appliances providing secure, optimized connectivity to private, public, and hybrid applications, compute, and virtualized services. They perform deep application recognition to enable application-aware packet steering, collect performance and end-to-end QoS metrics, and host VNF services.
  • VMware SD-WAN Orchestrator: Enabling one-click provisioning of virtual services in the branch, the cloud, or the enterprise data center, the VMware SD-WAN Orchestrator provides centralized enterprise-wide installation, configuration, and real-time monitoring, and orchestrates the data flow through the cloud network.
  • VMware SD-WAN Client: Following zero-trust principles, VMware SD-WAN software clients extend the benefits of reliable, optimal, and secure connectivity to end-user devices without needing a hardware appliance.

In August 2022, VMware announced the VMware Private Mobile Network. Seamlessly integrated with existing IT management platforms and delivered by service providers, this managed service offering provides enterprises with private 4G/5G mobile connectivity in support of edge-native applications. Building on VMware Edge Compute Stack, the service incorporates VMware’s compute, network, security, and edge intelligence solutions.

Strengths: With over 18,000 VMware SD-WAN customers and more than 600,000 edge appliances deployed worldwide, VMware continues to drive SD-WAN market expansion and customer adoption. VMware’s robust roadmap and continued investment strengthen its product offerings and differentiation. For example, in November 2022, VMware announced that it acquired Ananda Networks to accelerate the development of the VMware SD-WAN Client to create high-performance private network fabrics between servers, clouds, and remote workers’ desktop or mobile devices.

Challenges: VMware is investing heavily to fill the gaps in its SD-WAN and SASE portfolio, including gateway disaggregation with hardware acceleration, high-throughput edge appliances, high-performance work-from-home Wi-Fi connectivity, and zero trust at the edge. However, integrating various in-house, acquired, and OEM products at a deeper level will take time. In addition, rumors of MSRP increases of up to 40% may generate churn and slow growth. Prospective customers should carefully evaluate their options before committing.

6. Analyst’s Take

The cost of MPLS lines and the shift to remote working in response to the COVID-19 pandemic are driving enterprises to reevaluate their networking requirements. As a result, several vendors offer optimized bandwidth over low-cost links, while others are delivering high-throughput connectivity over 5G infrastructure.

Breaking the mold, Graphiant has gone one step further, developing pay-as-you-go, next-generation edge services powered by Intel Smart Edge Open. Eliminating the need to build tailored connectivity between every resource, edge network, hybrid cloud, customer, and partner, Graphiant Network Edge provides MPLS-level network connectivity delivered as a service. Setting another precedent, Evolving Networks only offers SD-WAN as a service based on a multiple-link, carrier-independent, managed SD-WAN with cloud integration. While Evolving Networks only services the UK, we expect other SD-WANaaS-only vendors to emerge over the next 12 to 18 months.

Moreover, as enterprises focus on flexible and secure fully integrated networking solutions to reduce deployment and management costs, SD-WAN vendors are meeting the challenge of networking and security convergence with SSA, SSE, and SASE solutions. As a result, the SD-WAN landscape is becoming increasingly blurred, with incumbent vendors repackaging and repositioning legacy products as integrated platforms, acquiring new technologies, or making strategic alliances to fill the gaps in their portfolios. Moreover, this trend is undermining the importance of an SD-WAN, relegating it from being a core technology upon which enterprises rely to a line item on a request for proposal (RFP).

As a result, prospective customers need to carefully consider the following:

  • Existing networking and security stacks
  • In-house expertise versus the need for a managed SD-WAN or converged networking and security solution
  • SD-WAN and security solutions that can easily be integrated with the existing environment
  • The vendor strategy that best meets the needs of the business based on required features and functions
  • Each vendor’s ability to deliver the required capabilities over the next 12 to 24 months

As you evaluate your networking requirements, use this report to assess your current and future needs based on critical elements before creating a shortlist of vendors supporting your target market, deployment model, and use case. With the emergence of new entrants and exciting innovations, don’t just settle for your incumbent vendor’s solution. Instead, explore all your options before creating a shortlist based on features, integration, as-a-service capabilities, and in-house skills. When talking to vendors, ensure that their vision is aligned with yours and that their roadmap includes the features and integrations you need.

7. About Ivan McPhee

Formerly an enterprise architect and management consultant focused on accelerating time-to-value by implementing emerging technologies and cost optimization strategies, Ivan has over 20 years’ experience working with some of the world’s leading Fortune 500 high-tech companies crafting strategy, positioning, messaging, and premium content. His client list includes 3D Systems, Accenture, Aruba, AWS, Bespin Global, Capgemini, CSC, Citrix, DXC Technology, Fujitsu, HP, HPE, Infosys, Innso, Intel, Intelligent Waves, Kalray, Microsoft, Oracle, Palette Software, Red Hat, Region Authority Corp, SafetyCulture, SAP, SentinelOne, SUSE, TE Connectivity, and VMware.

An avid researcher with a wide breadth of international expertise and experience, Ivan works closely with technology startups and enterprises across the world to help transform and position great ideas to drive engagement and increase revenue.

8. About GigaOm

GigaOm provides technical, operational, and business advice for IT’s strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands.

GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises.

GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

9. Copyright

© Knowingly, Inc. 2023 "GigaOm Radar for Software-Defined Wide Area Networks" is a trademark of Knowingly, Inc. For permission to reproduce this report, please contact