Alternative to SD-WAN

What would be a cost-effective solution for a customer with a global presence who prefers not to adopt a major SD-WAN vendor? The customer is willing to rely on site-to-site VPN connectivity while ensuring secure access for remote and office users. Currently, their infrastructure includes a mix of edge devices such as Palo, Check Point, ISR, and others, which they are comfortable retaining. Some sites operate on Cato SD-WAN, while others use MPLS/Internet. Their goal is to phase out Cato SD-WAN at some locations but retain it in the data center to serve as a backbone for inter-regional connectivity. What would be the cheaper recommended solution that takes care of connectivity + secure access (ZTNA)? (Netskope/Zscaler/Prisma etc.?)

Depends what you mean by “SD-WAN”; it appears you’re talking of the variety that comes with some amount of backbone networking.

Fortinet’s SD-WAN features (mostly built into the base license of their FortiGate firewalls), for example, just does IPSEC tunnel management, traffic shaping, and the like. You can do SD-WAN without ridiculously expensive branch-level subscriptions.

Dead-cheapest option will be Mikrotik routers combined with an orchestration platform of one variety or another. But you’re potentially going down the road of technical debt to support and maintain these systems.

Poor man’s SD WAN is IPsec + BGP. Pick your platform.

There is no such thing as SDWAN, not in the way you think. There are a bunch of solutions that all try to accomplish the same goals, but go about it in very different ways.

In the case of Fortinet, it’s literally just IPsec + BGP with PBR and SLAs added on - that’s it. Sure there is the central management plane with FortiManagers and reporting with FortiAnalyzer, but those are technically optional to the solution.

Saying “SDWAN is too big of a change” or “SDWAN is too expensive” is absolutely silly and annoys me to no end, because people buy into the vendor nonsense without understanding the different ways an “SDWAN” can be made.

Assuming that a branch losing access to its regional datacenter is not a big deal if/when it happens? You’re confident that the value of SD-WAN is not applicable within the region itself?

SDWAN alternatives

A router with multiple WAN ports?

Which describes SDWAN, SASE, ZT, Next-Gen, blah, blah. 40 years in the industry and it’s just smart people doing smart things with a multi-port router. The only “innovation” is what Marketing comes up with to describe the router.

One of the major benefits of SDWAN is the orchestration factor. Does the customer want to invest in some sort of orchestration/automation method for turning up and maintaining tunnels? What kind of traffic do they send and what QoS do they expect for it?

You could look at a client SASE option for small sites that just need connectivity into some cloud or on-prem resources.

What's the goal/business driver here? Consolidation? Cost reduction? Removing SDWAN due to moving to ZTNA (which works at device/user level, so why care about sites)? New capabilities?

One cost-effective option is open source OpenZiti - https://openziti.io/. It's a zero trust networking platform that can be used for any use case, deployed at site, device or app level. It should enable the phase-out of Cato and MPLS, which would save tons of money.

My concern is any solution at implied scale requires orchestration. That's what you pay for. Even OpenZiti, while having its own 'lite' admin console, is free as in free beer. The commercial implementation exists from the company I work for (NetFoundry).

Zerotier is pretty great. Full mesh layer2 VPN. Zero cost if you run your own controller with ZTNCUI. Run any routing protocol you want with it utilizing FRR. Highly recommended.

What does SDWAN do in your case?
I find so many definitions of SDWAN that now it's like VPN, doesn't tell much.

You can leverage the backbone of Harmony SASE from Check Point to achieve your goal.

Deploy multiple regions (PoPs) and set up IPsec tunnels from your offices and datacenters so they can communicate with each other.

Your remote workers will connect to the backbone through the ZTNA agent and will learn the routes to access data spread over your locations.

You can then leverage the full mesh capabilities and connect everything together (remote users to datacenter, to offices, to cloud; office to datacenter, to another office; etc.).

I guess other vendors can offer the same; it's just then a matter of pricing.

FlexVPN managed partially through ISE has served me well in many cases.

If you’re looking at a ZTNA vendor, probably worth asking yourself if you need a traditional SD-WAN vendor?

For example with Zscaler you can simply point all your sites to their exchange and they’ll make all the access enforcement.

You can also use their hardware (Branch Connector) to get traffic to their cloud and provide external user access if they are permitted via the exchange.

If you know Linux, Tailscale, nftables, GNU Zebra and iproute can do almost anything you may need.

Super cheap and dirty? QNAP quwan routers.

Why phase out Cato btw?

Consider Forcepoint. Those are NGFWs.

You manage all firewalls from one Management Server, in which you have the same objects you can use across all of your firewalls (you can drag and drop objects from one firewall policy to another).

You have SD-WAN included (other vendors make you pay for this) = site to site VPNs that use multiple internet connections all together. If you have 2 ISPs on Site A and 3 ISPs on site B you have a total of 6 ACTIVE VPNs and all the traffic is balanced between them.

Not “cheap”, but I think it's worth considering them.

Source: I work in an MSSP with clients that have Fortigates, PaloAlto, Checkpoint. None of them are as easy to manage as the Forcepoint ones.

Sounds like a recipe for disaster… If they are global, can't they afford to spend a bit more on tried and proven technology in order to maintain their business? Use the opportunity to standardize instead of trying to retain the hodgepodge they accumulated over the years. Define standards for small / medium / large bandwidth sites, determine where full mesh / regional meshes are needed, determine which sites are eligible for circuit / router redundancy. Determine how you're going to extend their WAN into the cloud. I'd go greenfield, integrate the LANs into a WAN model that's the same everywhere. Penny wise, pound foolish.

The idea of a global network of orchestrated MikroTik routers both excites and terrifies me.

SDWAN is site-to-site VPNs with BGP, policy-based routing and health checks from what I’ve seen.
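Several replies above reduce SD-WAN to "IPsec + BGP with PBR, SLAs and health checks". The one piece of that list that BGP does not give you for free is the SLA logic: deciding, per traffic class, which tunnel to use from recent probe results, and not flapping between tunnels. The following is an added illustration of that decision logic (not code from any vendor or poster in this thread); the three path names, the voice-grade SLA thresholds and the probe windows are constructed sample values, and the loss/latency fallback rule is an assumption of this example rather than any product's behaviour.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Sequence

@dataclass(frozen=True)
class Sla:                    # thresholds a traffic class must stay within
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

@dataclass(frozen=True)
class PathStats:              # one probe window condensed per tunnel/path
    name: str
    latency_ms: float         # mean RTT of answered probes
    jitter_ms: float          # population std-dev of RTT
    loss_pct: float           # unanswered probes as a percentage

def summarize(name: str, probes: Sequence[Optional[float]]) -> PathStats:
    """Condense one probe window (RTT in ms, None = no reply) into PathStats."""
    answered = [p for p in probes if p is not None]
    loss = 100.0 * (len(probes) - len(answered)) / len(probes)
    if not answered:          # tunnel is black-holing: worst possible stats
        return PathStats(name, float("inf"), float("inf"), loss)
    return PathStats(name, mean(answered), pstdev(answered), loss)

def meets_sla(s: PathStats, sla: Sla) -> bool:
    return (s.latency_ms <= sla.max_latency_ms and s.jitter_ms <= sla.max_jitter_ms
            and s.loss_pct <= sla.max_loss_pct)

def select_path(stats: Dict[str, PathStats], sla: Sla,
                preference: List[str], current: Optional[str] = None) -> str:
    """Pick the egress path for traffic under `sla`:
    1. stay on the current path while it still meets the SLA (no flapping);
    2. otherwise take the first path in preference order that meets it;
    3. if none does, fall back to least loss, then lowest RTT (assumed rule)."""
    if current in stats and meets_sla(stats[current], sla):
        return current
    for name in preference:
        if name in stats and meets_sla(stats[name], sla):
            return name
    return min(stats.values(), key=lambda s: (s.loss_pct, s.latency_ms)).name

VOICE = Sla(max_latency_ms=80, max_jitter_ms=10, max_loss_pct=1)   # constructed
SAMPLE_PROBES = {             # constructed 10-probe windows, one per path
    "mpls":  [30, 31, 30, 32, 31, 30, 31, 30, 31, 30],
    "inet1": [45, None, 48, None, 47, 46, None, 49, 45, 46],   # 30% loss
    "inet2": [60, 62, 61, 63, 60, 61, 62, 60, 61, 62],
}
def decide(current: Optional[str] = None) -> str:
    stats = {n: summarize(n, p) for n, p in SAMPLE_PROBES.items()}
    return select_path(stats, VOICE, ["mpls", "inet1", "inet2"], current)
```

In a real deployment the probe windows would come from the tunnel health checks (e.g. ICMP or BFD across each IPsec tunnel) and the returned path name would be applied as a policy route or BGP local-preference change, which is exactly the glue the "poor man's SD-WAN" has to supply itself.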