Hi, I have been tasked in my company with analysing the main pros and cons of going either with a SASE model (VeloCloud SD-WAN & Zscaler SSE solution: FWaaS, SWG, CASB, ZTNA), or with a hybrid model, either with Fortinet SD-WAN or with Palo Alto Prisma Access, that is to say a model with an on-site firewall combined with an SSE cloud solution.
My point is to focus, from a cybersecurity standpoint, on what the pros and cons of each architectural scenario would be, considering that the main objective is to secure the company from cybersecurity threats such as ransomware, data exfiltration, DDoS, etc., all attacks which can have an impact on confidentiality, availability and integrity.
Furthermore, I want to check what the key differences are between security at the edge for VeloCloud devices in comparison with Fortinet/Palo Alto firewalls, as I understood that in SD-WAN edges we can have firewall rule configurations, IPS/IDS...
My point is not to get theoretical information but more in-the-field experience, and how, in terms of design, we can get the best from each type of SD-WAN architecture and solution.
Thanks very much, and if there is any additional information you require, do not hesitate to ask, so that this post is interesting for everyone working on the same topics!
Do you have resources in a datacenter or office?
Then you likely have no reason to use ZTNA or VPN.
So you're probably where we will be in 2 months: a SASE solution to replace our antiquated VPN.
We also don't need a WAN or SD-WAN any longer, as people will be on SASE from home or the road.
Keep us posted!
All vendors are relatively new to this SASE game. I personally would go with Fortinet since they offer a complete solution. If you throw FortiSwitch, FortiAP, FortiAnalyzer, and FortiManager into the mix you've got a complete Fortinet solution. Palo can't offer that.
Cato Networks all the way. The Gartner SASE sample vendor for a reason…
Can recommend the Velocloud/ZScaler stack.
Been running it for a few years and never hit any shortfalls, the solutions you can design with it are incredible.
Maybe check out a modern ZTNA like Axis Security. HPE just acquired them.
Correct! Axis Security is a single platform for ZTNA, SWG, CASB and DEM. Zscaler is old tech with a bunch of products bolted on.
Biased comment here, I work for Netskope. If you're looking for both SD-WAN and SSE (CASB, SWG, DLP, ZTNA) we have a great solution. One UI, one client. And the first to create SD-WAN for the remote user without having to send anyone home with a physical appliance. Beyond that, if your big concern is data exfiltration, this is where we truly shine vs the competitors you listed. I know this is an old post but come check us out if you haven't already settled on something else.
Yes, we have resources in IaaS/PaaS cloud and all O365 applications including SharePoint, Teams, etc.
Having worked with a few vendors, Fortinet's SD-WAN solution feels very much tacked on as an extra to their main firewalling functionality.
When it comes to UX in a cloud environment, having flexibility around how data is routed is key. Fortinet don't offer the same level of complexity other vendors do, and I don't rate them for their connectivity. Firewalling and hardware management platforms are top tier though.
Not ALL vendors are new to SASE. Furthermore, most aren't even doing it right.
"Because it's the Gartner leader..." famous last words of everyone spending half their next year on hold waiting for support tickets because they trusted a paid-for analyst that doesn't even test.
Cato seems OK for SMBs, not for big companies, isn't it?
Yeah, but which kind of edge security are you implementing? I was thinking of having critical traffic pass through a hub and activating security there with a security vendor like Fortinet or Palo Alto. Then, for Teams traffic, how are you securing it? Passing this through Zscaler even if it is not recommended by Microsoft? Thanks!!
OK, thanks, I didn't know about such a solution... is it mature enough for big deployments? Hundreds of sites.
How does SD-WAN work with Netskope? Does it all go into the Netskope cloud and get routed to the destination? Or is there site-to-site connectivity between edge devices?
As you consider options, take into account whether or not you need the benefits of SD-WAN/last-mile optimization to apply to internet destinations (SaaS) as well. In order to take advantage of those optimizations to the internet you must have a supplier with a cloud/PoPs that sit in between the sites/users and the internet application. That actually works in Velo's favor here, but they do not have a fully converged network and security stack and have traditionally partnered with another security vendor to deliver network security services.
Disclaimer
I work for a supplier/vendor of SASE and am very familiar with how the competition works. I won’t solicit beyond that to respect the community rules.
You know where to find me now.
You've got it the wrong way around. In their initial report about SASE there was only one vendor who did it this way, Cato. When all the others jumped on the bandwagon, Cato was never mentioned again for at least 2 or 3 years in any of the Gartner reports, presumably since they didn't slip 'em any money? Who knows...
Now Gartner is reporting Cato as a challenger years after their install base has exponentially grown along with their value. Gartner is a laughing stock but their original report at least got it right.
It’s the other way around, they have reference cases in lots of multinationals. Some with 1000+ locations and tens of thousands of users.
Yes, 350+ PoPs globally. Leverages major cloud providers like AWS, GCP, Azure. Routes app traffic to the closest based on performance and re-routes traffic if there is a slowdown or an outage. Support for branch offices and remote workers plus agentless access for third parties.