SD-WAN competitive comparison

• Comprehensive traditional routing services and smooth migration with features relevant to SD-WAN on the same platform
• Unified image common across traditional routing and SD-WAN
• Industry-leading traditional routing and SD-WAN within the same platform

SD-WAN available with existing infrastructure

• SD-WAN available with existing infrastructure

• No investment protection for smoother migration in relation to SD-WAN on legacy routing platforms

• Supports traditional routing, firewall, and SD-WAN capabilities on the same PAN OS NGFW platform

• Dedicated control, data, and management plane components for scalability and performance, offering an SDN-compliant architecture

• Legacy firewall-based architecture
• Integrated control plane and data plane within each firewall
• Extensive peer required for setup of routing protocols and related services

• Dedicated control, data, and management plane components

• Segregated control, data, and management plane components, VMware edge, and VMware SD-WAN orchestrator

• Legacy combined control and data plane architecture
• Integrated control plane and data plane within each firewall
• Extensive peer required for setup of routing protocols and related services

• Integrated control and data plane components limit flexibility in PAN OS SD-WAN
• Integrated control plane and data plane within each firewall
• Extensive peer required for setup of routing protocols and related services

• Faster, more reliable connectivity to cloud workloads
• Supported with dual stack
• Supports services including performance routing, MPLS, RIP, EIGRP, LISP, OSPF, OSPFv3, PIM, BGP, per VRF routing instances, and VRF route leaking

• Supports advanced routing protocols, including BGP and OSPF

• Supports advanced routing protocols, including BGP and OSPF

• Supports advanced routing protocols, including BGP and OSPF, but OSPF is only available in a global setting and not per instance
• No flexibility in creating multi-segment topologies like full mesh, regional mesh, hub and spoke

• BGP and OSPF routing protocols are supported with limitation of a maximum of 64 OSPF neighbors and 64 BGP peers supported per appliance

• Supports advanced routing protocols, including BGP and OSPF

• Automatically steers critical applications to the best path, making decisions around network problems/metrics like latency, jitter, and loss

• SD-WAN rules used to control path selection by dynamically sending specific traffic to a specific link

• Ability to traffic-engineer based on application-aware policy

• Offers dynamic multi-path optimization (DMPO) steering and application-aware per-packet steering

• Policies created and reused from business intent perspective
• Limitations within microsegmentation and multi-domain policy enforcement

• Intelligent path selection based on metrics like latency, loss and jitter, and dynamic application steering based on routing attributes, security policy, and application policy

Supports sub-regions in multi-fabric region solution, providing:

• Ability to share BR
• Ability to make BR as backup for a sub-region

Helps scale the WAN with hierarchical regions improving performance and reliability

• Sub-region not supported in multi-region fabric

• Sub-region not supported in multi-region fabric

• Sub-region not supported in multi-region fabric

• Sub-region not supported in multi-region fabric

• Sub-region not supported in multi-region fabric

• Supports multiple identity providers for checking user identities to access digital and cloud-hosted applications
• Three IDPs supported in case of single tenant; three IdPs supported per tenant in case of multi-tenant

• Integration with multiple IDPs not supported

• Integration with multiple IDPs not supported

• Supports integration with multiple IDPs

• Integration with multiple IDPs not supported

• Supports integration with multiple IDPs

• Supports the configuration of security posture policies in the SD-WAN fabric, context extension, and periodic reassessment of device posture

• Supports identity and access management system

• Needs third-party integration with ClearPass

• Relies on third-party integration

• ClearPass integration

• Relies on third-party integration

• Automated registration and creation
• IPsec tunnels to Umbrella Secure Internet Gateway (SIG)
• Guided workflows on Catalyst SD-WAN Manager
• Complete integration with Cisco AnyConnect and Cisco Duo

• Support integrations with FortiSASE and native SIG
• Workflows for third-party SIG integration

• Support for complete SASE integration and native security services built into a native SSE service

• Offers an integrated single-vendor SASE solution which is not a proven/mature security offering.

• No support for auto-registration or creation of IPsec tunnels for SASE
• Relies on third-party integrations

• Guided Workflows available for SIG integration with Prisma Access; involves multiple steps and support intervention

• Catalyst SD-WAN Manager includes enterprise firewall with application-awareness, snort IPS, URL filtering, AMP file analysis, threat grid sandboxing, Cisco Umbrella DNS security, SSL and Talos threat intelligence

• Integrated NGFW features with IPS/IDS, application control, and AMP capabilities

• Integrated NGFW features with IPS/IDS, application control, and AMP capabilities

• NSX firewall now available with performance impact unknown

• Lacks security integrations in the SD-WAN console
• Only IDS/IPS is natively supported; must rely on third-party integration for the rest of the advanced security functions

• Integrated NGFW features with IPS/IDS/application control/AMP/URL filtering/DNS Security capabilities in PAN OS NGFW; requires additional licensing
• Only basic zone-based firewall capabilities in Prisma SD-WAN

• x86 architecture with QFP3.0 for hardware-accelerated service, dynamic core allocation, data plane development kit (DPDK), and quick assist technology (QAT) to boost performance and faster encryption processes

• Custom ASIC available to boost firewall performance and faster encryption processes

• No custom silicon with dynamic core allocation techniques

• No custom silicon with dynamic core allocation techniques

• No custom silicon with dynamic core allocation techniques

• No custom silicon with dynamic core allocation techniques

• Proven, scalable MPLS/VRF-like end-to-end segmentation
• Support for multi-segment topologies and services
• Many MPLS services are supported in autonomous mode, including MPLS and layer 2/layer 3 VPN services

• SD-WAN, VPN, and BGP configurations support layer 3 VPN segmentation over a single overlay
• Complex VDOM configurations
• No dynamic and flexible multi-segment topologies creation

• Proven, scalable MPLS/VRF-like segmentation from layer 2 to layer 7

• VRF-based segmentation supported with no dynamic and flexible multi-segment topologies creation

• VRF-style segmentation with routing limitations in OSPF and peer priority

• Scalable VRF-like segmentation by creating zones but does not offer flexible multi-segment topologies creation

• Detects malware by matching encrypted SHA patterns without decryption

• Provides TLS/SSL traffic encryption

• Provides TLS/SSL traffic encryption

• Cannot detect encrypted malware

• Cannot detect encrypted malware

• PAN OS SD-WAN supports ETA by decrypting, inspecting, and controlling inbound and outbound SSL and SSH connections
• No support for ETA in Prisma SD-WAN

• Ability to send IPv6 encapsulated flows and apply ZBFW rules based on IPv6 address as source or destination filters

• IPv6 not supported for ZBFW

• IPv6 not supported for ZBFW

• IPv6 not supported for ZBFW

• IPv6 not supported for ZBFW

• IPv6 not supported for ZBFW

• Globally recognized threat intelligence (TALOS)
• Ability to deploy incident response services

• Provides threat intelligence capabilities

• Provides threat intelligence and monitoring

• No threat intelligence

• No threat intelligence

• PAN OS SD-WAN supports threat intelligence
• No support for threat intelligence in Prisma SD-WAN

• Zscaler, Palo Alto Networks, Netskope, Cloudflare, Skyhigh

• Zscaler, Netskope, and Cloudflare

• IPSEC and GRE tunnels

• Zscaler, Netskope, and Cloudflare

• Zscaler, Netskope, and Atmos

• Not available in PAN OS SD-WAN
• Basic integration through cloudblades with Zscaler and Netskope in Prisma SD-WAN

• Better visibility and control through security insights
• Provides heat maps, security events logging, and a security-centric dashboard

• Provides security insights with event logging on a security-centric dashboard

• Dashboard display for applications analytics, URL filtering, stateful firewall, NGFW firewall, and unified threat analytics

• Basic monitoring insights with no security monitoring dashboard

• Limited security insights with no security monitoring dashboard

• Provides security insights with event logging in Strata Cloud Manager

• Transport independence providing an intelligent path selection to leading SaaS applications based on performance metrics and best path selection

• Basic SaaS optimization with manual SLA creation for every application

• Basic SaaS optimization with manual SLA creation for every application

• SaaS optimization based on manual application rule creation through DIA broadband paths to colocations

• Transport independence providing intelligent path selection to leading SaaS applications based on performance metrics and best path selection

• SaaS optimization with intelligent path selection based on metrics and dynamic application steering

• Simplified network management with traffic aggregation through colocation hubs to cloud workloads
• Guided workflows for automated deployment

• Limited colocated aggregation

• Limited colocated aggregation

• Limited colocated aggregation

• Limited colocated aggregation

• Limited colocated aggregation

• Guided workflows for automated deployment across various cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP)

• Limited workflows for multicloud connectivity

• Manual deployment across various CSPs

• Partnership with Microsoft Azure Virtual WAN

• Manual deployment across various CSPs

• Manual deployment across various CSPs

• Cloud OnRamp deployment support of cloud gateways into multiple virtual hubs within the same region
• Cloud gateways (C8000v) can advertise VNETs connected to the VHUBs
• Traffic directed using centralized policies
• Supports up to eight VHUBs per region

• Not supported

• Not supported

• Not supported

• Not supported

• Not supported

• Detection and recognition of custom cloud applications​
• Seamless mapping of service directory traffic profile to SD-WAN policy manager​
• Unified visibility for all services across all environments
• Easy creation of traffic profiles in service directory​

• Not supported

• Not supported

• Not supported

• Not supported

• Not supported

• Provides IoT/OT automation with integrated branch storage and compute
• Supported by Cisco Catalyst 8200 Series Edge Platform

• No edge VNF hosting capabilities

• VNFs available on Versa SD-WAN edge appliances

• VNFs available on VMware SD-WAN edge appliances

• No edge VNF hosting capabilities

• No edge VNF hosting capabilities

• Capability to horizontally scale with easy-to-use features

• Additional WAN switch required

• Supports active-active connections

• Does not support active-active connections

• Allows for active-active networking

• Only active-passive available on PAN OS SD-WAN and Prisma SD-WAN

• Rich voice services available in Cisco Catalyst 8000V Edge Software platforms
• Cisco is the only SD-WAN vendor to natively integrate analog/digital IP directly into a single CPE

• No native voice integration

• No native voice integration

• No edge application-hosting capabilities
• VNFs only available on VMware SD-WAN edge appliances

• No native voice integration

• No native voice integration

• Advanced cellular capabilities as a transport link
• Supported with the deployment flexibility of a built-in module, card, or external gateway on Cisco Catalyst 8000 Series Routers

• Cellular capabilities as a transport link

• Cellular supported

• Cellular capabilities as a transport link

• No significant cellular support

• Supports cellular capabilities on PAN OS SD-WAN and Prisma SD-WAN

• Ruggedized SD-WAN options for adverse and industrial environments

• Ruggedized SD-WAN options

• No native ruggedized option available; supported via third-party white box appliance

• No ruggedized SD-WAN options

• No ruggedized SD-WAN options

• Ruggedized SD-WAN options in PAN OS SD-WAN

• Uses advanced wireless frequency and protocol technology

• Uses advanced wireless frequency and protocol technology

• Uses advanced wireless frequency and protocol technology

• Uses advanced wireless frequency and protocol technology

• No advanced wireless capabilities

• No Wi-Fi capabilities; dependence on third parties to enable features

• Cross-domain integrations and common QoS policies between Cisco ACI and SD-WAN
• Extend TrustSec security group tags (SGTs)/metadata from WAN to campus to data center

• No data center integration

• No data center integration

• Unifies data center policies with edge needs

• No data center integration

• No cross-domain integration

• Predictive path recommendations (PPR) powered by ThousandEyes WAN Insights

• FortiMonitor used for providing end-to-end visibility

• No support

• Supported with Edge Network Intelligence

• No support

• No support for ADEM in PAN OS SD-WAN

• Advanced visibility and analytics into network and app performance
• Interactive global topology to monitor the WAN
• Alarm correlation for faster root-cause analysis
• Guided workflows for tasks such as site configurations, software upgrades, etc.

• Visibility and analytics into network and app performance

• Visibility and analytics into network and app performance

• Basic visibility and analytics into network and app performance

• Basic SD-WAN visibility with Aruba Unity Orchestrator

• Basic SD-WAN visibility into network and app performance in Panorama-managed PAN OS SD-WAN
• Predictive analytics in Prisma SD-WAN for site and link capacity prediction only; requires add-on license