Choosing The Right Firewall For SD-WAN Deployments

When I am looking to choose the right firewall for my organization’s SD-WAN deployment, there are several key factors I need to consider to ensure I select the optimal solution. In this article, I will provide an in-depth look at the key criteria to evaluate when selecting a firewall for SD-WAN.

Key Factors To Consider

Integration With SD-WAN Platform

The first and most important consideration is how well integrated and optimized the firewall is with my chosen SD-WAN platform. I need to select a firewall that is certified and integrates natively with the SD-WAN orchestrator. This ensures centralized visibility, control, and seamless interoperability between the firewall and SD-WAN fabric.

Some key integration capabilities I look for include:

  • Centralized policy management – The ability to manage firewall policies alongside SD-WAN policies from a single pane of glass. This enables consistent policy control across the entire WAN.

  • Real-time application visibility – The firewall should integrate with SD-WAN telemetry for real-time application visibility and control. This allows me to implement application-aware policies.

  • Automated provisioning – Firewall policies, configurations, and updates should be provisioned automatically along with the SD-WAN overlay. This ensures consistency across the WAN.

  • Seamless network integration – The firewall overlay should integrate seamlessly with the SD-WAN underlay for a unified network fabric.

Form Factor And Deployment Flexibility

I need to evaluate how the firewall can be deployed across my network. Key considerations include:

  • Physical and virtual appliances – Having both hardware and software-based options allows me to deploy the firewall in the optimal form factor for each site.

  • Cloud-delivered firewall – A cloud-hosted firewall integrated with SD-WAN allows me to securely connect branches to the cloud.

  • Network integration – The firewall solution should support LAN, WAN and out-of-band deployments to fit my network design.

  • Scalability – The firewall solution needs to scale across my network, which may consist of thousands of sites.

Advanced Security Capabilities

With distributed sites connecting directly to the internet, advanced security capabilities are essential in my firewall. I evaluate firewalls based on:

  • Threat prevention – Capabilities like intrusion prevention (IPS), malware analysis, URL filtering, antivirus etc. to protect against zero-day threats.

  • Application security – Ability to detect risks within allowed applications and enforce application-specific policies.

  • Encryption – Site-to-site and client-to-site VPN with the latest encryption standards to secure WAN traffic.

  • Cloud sandboxing – Integration with cloud-based threat analysis to detect unknown threats.

  • Data loss prevention – Capabilities like file type controls and data leak prevention to protect sensitive data.

Performance And Reliability

The firewall must be able to support my network and application performance requirements:

  • Throughput – The firewall should support multi-Gbps throughput to handle high-bandwidth applications and traffic spikes.

  • Latency – Minimal packet latency introduced by the firewall to ensure good application performance.

  • High availability – Clustering support and failover capabilities to provide reliability and uptime.

  • WAN transport independence – The firewall solution should work over any WAN transport deployed at a site, such as broadband or MPLS.

Centralized Management And Analytics

I require centralized management, monitoring and analytics around my firewall infrastructure:

  • Unified dashboard – Single pane of glass to manage firewall policies, configurations, updates across the WAN.

  • Monitoring and reporting – End-to-end visibility into firewall performance, security events, threats detected etc.

  • Troubleshooting – Tools to identify the root cause of issues involving the firewall, such as site outages or slow applications.

  • Analytics – Usage and threat analytics to gain insights into traffic patterns, suspicious activities etc.

Key Firewall Vendors To Evaluate

Based on my criteria, some of the leading firewall vendors I shortlist and evaluate are:

  • Cisco – Cisco firewalls like the Adaptive Security Appliance (ASA) integrate natively with Cisco SD-WAN platforms. Cisco provides a comprehensive secure SD-WAN solution.

  • Fortinet – Fortinet offers FortiGate firewalls that are purpose-built for SD-WAN deployments across Fortinet’s SD-WAN solution.

  • Palo Alto Networks – Palo Alto firewalls integrate with SD-WAN solutions from VMware, Cisco and others via API integration and automation capabilities.

  • Check Point – Check Point’s Quantum security gateways complement SD-WAN deployments with advanced threat prevention capabilities.

Validating Proofs Of Concept

Once I shortlist firewall vendors, I validate the solutions through hands-on proofs of concept. My key evaluation criteria in POCs include:

  • How intuitively the firewall integrates with SD-WAN policies and dashboards.

  • How comprehensive the security capabilities are out-of-the-box.

  • How seamlessly the firewall provisioning and life-cycle management integrates with the SD-WAN fabric.

  • How well the solution performs under different traffic scenarios.

  • How useful the centralized monitoring, analytics and reporting capabilities are.

By testing against these criteria, I can identify the optimal firewall for my SD-WAN environment. The right firewall architecture is critical for securing my distributed network and achieving desired business outcomes from my SD-WAN investment.
