Critical Capabilities for SD-WAN
Software-defined WAN connects enterprise branches with other enterprise locations, the cloud and wherever applications are hosted. Infrastructure and operations leaders responsible for networking should use this research to identify the offerings aligned with common enterprise use cases.
Overview
Key Findings
- The software-defined wide-area network (SD-WAN) offerings in this research generally have good enough functionality across the use cases.
- There is differentiation in performance optimization, cloud onramp and partner-integrated security capabilities that drive scoring across the use cases.
- To simplify and optimize network management, SD-WAN vendors are improving operational capabilities in the areas of network automation, digital experience monitoring (DEM) integration and AI networking.
Recommendations
Infrastructure and operations leaders responsible for networking:
- Select vendor solutions that meet your requirements and offer “good enough” functionality in order to avoid overpaying for SD-WAN solutions.
- Prioritize vendors for cloud-first organizations by focusing on cloud onramp integrations and SaaS optimization capabilities to enable simpler and higher-performing connectivity to cloud workloads.
- Validate SD-WAN offering integrations with third-party security service edge (SSE) vendors by focusing on automated traffic redirection and management plane integration when implementing a dual-vendor secure access service edge (SASE) architecture.
- Select vendors for operationally focused organizations by rating network automation, digital experience monitoring (DEM) integration and AI networking capabilities as core requirements to improve efficiency.
Strategic Planning Assumptions
By 2027, 65% of new SD-WAN purchases will be part of a single-vendor SASE offering, an increase from 20% in 2024.
By 2027, 70% of network operations personnel will rely on generative AI for Day 2 SD-WAN management, up from less than 5% in early 2024.
What You Need to Know
This document was revised on 1 October 2024. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
SD-WAN enables the shift from traditional private WAN architectures, such as hub-and-spoke Multiprotocol Label Switching (MPLS), to connecting enterprise locations to cloud workloads. Major capabilities that we analyze in this research include:
- Routing and application steering
- Operational capabilities
- Deployment flexibility
- Performance optimization
- Scalability
- Cloud onramp
- Small platform flexibility
- On-premises security (local)
- Partner-integrated cloud security
Based on those capabilities, we analyze five popular use cases:
- WAN for small branches: Requires simple and secure branch networking solutions with ease of use as a main driver. This use case can be any number of sites with branch locations, typically with fewer than 10 people.
- Large hybrid WAN: For larger organizations with more than 100 sites that operate a hybrid environment with branch locations connecting to both on-premises data centers as well as cloud workloads.
- On-premises secure SD-WAN: Provides SD-WAN with security functionality integrated within the same appliance.
- Cloud-first WAN: Connects branch locations to workloads mainly in the cloud and, to a lesser extent (if at all), in colocation and on-premises data centers.
- SD-WAN with partner-integrated cloud security: Enables SD-WAN offerings to integrate with third-party SSE vendors in support of a dual-vendor SASE architecture. Note: This research does not cover single-vendor SASE; for that, see Critical Capabilities for Single-Vendor SASE.
Scoring is based on a 1-5 numerical system. Each numerical score maps to the description below.
1 = Poor or Absent: Most or all defined requirements for a capability are not achieved
2 = Fair: Some requirements are not achieved
3 = Good: Meets requirements
4 = Excellent: Meets or exceeds some requirements
5 = Outstanding: Significantly exceeds requirements
Analysis
Critical Capabilities Use-Case Graphics
Vendors’ Product Scores for WAN for the Small Branches Use Case

Vendors’ Product Scores for the Large Hybrid WAN Use Case

Vendors’ Product Scores for the On-Premises Security-Sensitive WAN Use Case

Vendors’ Product Scores for the Cloud-First WAN Use Case

Vendors’ Product Scores for the SD-WAN With Partner-Integrated Cloud Security Use Case

Vendors
Barracuda
Barracuda’s CloudGen Firewall includes hardware, virtual appliances and software licensing with orchestration and management. CloudGen Firewall has been its traditional offering, with SecureEdge a newer solution that supports the transition to SASE. Based on customer adoption, the CloudGen Firewall was assessed, and Gartner estimates that Barracuda has over 4,000 enterprise SD-WAN customers using the offering. With this product, the vendor tends to focus on smaller enterprises and small and midsize businesses (SMBs) in selected verticals.
During the past year, Barracuda has integrated its SD-WAN product with the SASE solution and added SD-WAN cloud onramp capabilities. While investment continued in the newer SecureEdge Platform to evolve toward single-vendor SASE, CloudGen Firewall still lacks integration with third-party SSE vendors for dual-vendor SASE, which is a fundamental limitation when addressing larger customers.
Barracuda’s CloudGen Firewall was only scored in four of the five use cases because the vendor doesn’t focus on the SD-WAN with partner-integrated cloud security scenarios. The product scores as excellent for the on-premises security-sensitive use case and good for the remaining use cases. The vendor’s product scores as excellent in on-premises security with its next-generation firewall (NGFW) functionality and as fair for the cloud onramp capabilities based on lack of cloud provider integrations. In general, Barracuda focuses on native security functionality and not as much on more complex networking needs.
Broadcom (VMware)
Broadcom’s offering is VMware VeloCloud SD-WAN, which includes virtual and physical edge appliances, software licensing, optional gateway points of presence (POPs) and a cloud-based orchestrator. Gartner estimates that Broadcom has approximately 21,000 SD-WAN enterprise customers. The vendor serves organizations of all sizes and in all vertical industries with a particular focus on cloud adoption use cases.
During the past year, Broadcom delivered URL filtering to the existing IDS/IPS firewall. It also enhanced its cloud gateway capabilities, which allow customers to use a global network of gateways, improve uptime through hitless migration from one gateway to another and achieve higher throughput on VPN tunnels. Furthermore, Broadcom has been focused on integrating VMware VeloCloud with its Symantec cloud security offering as part of a SASE offering. Still, it lacks native WAN optimization capabilities needed for some on-premises workloads.
Broadcom scores as excellent for all five use cases. It scores as excellent for scalability, cloud onramp and operations capabilities and as good for the performance optimization capability. Its scores are driven by its deployment of large networks, integration with cloud service providers and ease of use. In general, the vendor focuses on more cloud integration and broader connectivity needs.
Cisco (Catalyst SD-WAN)
Cisco’s Catalyst SD-WAN includes physical and virtual routers including the Catalyst 8000 series and ISR1000 series, and their associated DNA software; and Catalyst SD-WAN Manager, which provides automation, analytics and insights. Gartner estimates that Cisco’s Catalyst SD-WAN has approximately 15,000 SD-WAN enterprise customers. With this product, Cisco tends to address larger organizations or those with larger locations and primarily focuses on more complex use cases.
During the past year, Cisco has added a software update to increase end-user VPN and throughput when full security features are enabled. The vendor also delivered an interconnect capability to integrate Catalyst SD-WAN and Meraki SD-WAN into a common fabric to simplify support for different form factors, although domain-specific product orchestration is still handled within each specific product. It also has enhanced its third-party SSE integrations. Still, customers express concern with Catalyst SD-WAN’s level of complexity, noting that ease of use can be improved.
Cisco’s Catalyst SD-WAN was only scored in four of the five use cases because the vendor doesn’t lead with it for the WAN for small branches scenario; see Cisco (Meraki SD-WAN) for this use case. The product scores as excellent for all use cases where it was assessed. The vendor’s product scores as excellent in the on-premises security, scalability and deployment flexibility capabilities and as good in the cloud onramp, performance optimization and partner-integrated cloud security capabilities. Its scores are driven by NGFW functionality, large network deployments, and various virtual and physical deployment options. In general, with this product, Cisco focuses on more complex networking needs for larger networks and larger locations, but not as much on smaller locations and smaller networks that require more simplicity.
Cisco (Meraki SD-WAN)
Cisco’s Meraki SD-WAN includes physical and virtual MX appliances, licensed software, and the cloud-based Meraki dashboard for management, visibility and analytics. Gartner estimates that Cisco Meraki SD-WAN has approximately 40,000 SD-WAN enterprise customers. With this product, Cisco tends to address smaller organizations or those with smaller locations, and primarily focuses on ease of use and SD-branch.
During the past year, the vendor delivered an interconnect capability to integrate Meraki SD-WAN and Catalyst SD-WAN into a common fabric to simplify support for different form factors, although domain-specific product orchestration is still handled within each specific product. Additionally, Cisco delivered new headend data center Cisco Meraki SD-WAN hardware models with increased throughput. Furthermore, Cisco has focused its single-vendor SASE offering, Cisco Secure Connect, on the Meraki SD-WAN solution. Still, Meraki SD-WAN has limitations with routing and traffic-steering functionality and performance optimization.
Cisco’s Meraki SD-WAN was only scored in three of the five use cases because the vendor doesn’t lead with it for the large hybrid WAN or partner-integrated cloud security use cases; see Cisco (Catalyst) for these two use cases. The product scores as excellent for the WAN for small branches and on-premises security-sensitive use cases and as good for the cloud-first WAN use case. The vendor’s product scores as excellent in the on-premises security and small platform flexibility capabilities, and as fair in the performance optimization and partner-integrated cloud security capabilities. Its scores are driven by its NGFW and SD-branch capabilities along with limitations in WAN and SaaS optimization. In general, with this product, Cisco focuses on more simplicity needs and not as much on more complex networking capabilities.
Ericsson (Cradlepoint)
Ericsson’s offerings under its Cradlepoint division (Ericsson Enterprise Wireless Solutions as of 12 September 2024) are the Ericsson NetCloud service, Ericsson Cradlepoint E Series SD-WAN routers and Ericsson NetCloud Exchange Service Gateway, and licensed software focusing on cellular wireless WAN use cases. Gartner estimates that Ericsson has approximately 7,500 enterprise SD-WAN customers. The vendor focuses primarily on cellular wireless WAN use cases in specific verticals such as retail, transportation and public safety.
During the past year, Ericsson delivered link bonding across cellular and satellite networks. It also delivered a unified policy engine as part of single-vendor SASE, incorporating its April 2023 Ericom Software acquisition and AIOps/virtual expert functionality for cellular wireless. Still, Ericsson has limitations with performance optimization, cloud onramp and partner-integrated security capabilities.
Ericsson was scored in four of the five use cases, as it doesn’t position the product in the cloud-first WAN use case. It scores as good in all use cases in which it was assessed. The vendor’s product scores as excellent in the small platform flexibility capability and as fair in the performance optimization capability. Its scores are driven by its ability to support integrated 5G and Wi-Fi 6 along with limitations in WAN and SaaS optimization. In general, Ericsson focuses on cellular wireless WAN capabilities and not on more complex wireline networking needs.
Fortinet
Fortinet’s offering is the Fortinet Secure SD-WAN product, which includes FortiGate physical and virtual appliances with on-premises security software license managed with the FortiManager Orchestrator. Gartner estimates that Fortinet has approximately 40,000 SD-WAN enterprise customers. The vendor focuses on organizations of all sizes and all verticals, primarily where security and/or SD-branch are major drivers.
During the past year, Fortinet updated its full mesh technology, integrated generative AI capabilities to simplify Day 0, Day 1 and Day 2 operations, and delivered a ruggedized form factor with dual 5G integrated modems. While Fortinet has focused on a single-vendor SASE strategy, it has limited integrations with third-party SSE vendors to support a dual-vendor SASE architecture.
Fortinet was only scored in four of the five use cases because the vendor doesn’t position its product for the SD-WAN with partner-integrated cloud security use case. It scores as excellent for all the use cases in which it was assessed. The vendor’s product scores as excellent in the on-premises security, small platform flexibility, scalability and deployment flexibility capabilities, and as fair in the partner-integrated cloud security capability. Its scores are driven by its NGFW, large network deployments and SD-branch capabilities along with limitations in supporting dual-vendor SASE solutions. In general, Fortinet focuses on native security functionality and branch simplicity needs.
HPE (Aruba Networking EdgeConnect SD-Branch)
Hewlett Packard Enterprise (HPE) Aruba Networking EdgeConnect SD-Branch provides physical and virtual 7000 and 9000 gateway appliances, licensed software, and orchestration through the Aruba Networking Central platform. Gartner estimates that HPE has approximately 2,000 SD-WAN enterprise customers using the Aruba EdgeConnect SD-Branch platform. With this product, HPE (Aruba) tends to address smaller organizations or those with smaller locations and primarily focuses on ease of use and SD-branch.
During the past year, HPE added secure web gateway (SWG) as an additional licensed option on top of the EdgeConnect SD-Branch solution. Furthermore, broader Axis Security integration has taken place in the evolution to single-vendor SASE. Still, the EdgeConnect SD-Branch solution has limitations with routing and application steering as well as performance optimization that can be improved.
EdgeConnect SD-Branch was only scored in three of the five use cases because the vendor doesn’t address the large hybrid WAN or SD-WAN with partner-integrated cloud security scenarios with this product; see HPE (Aruba Networking EdgeConnect SD-WAN) for these two use cases. For the use cases assessed, it scores as excellent for the WAN for small branches and as good for the cloud-first WAN and on-premises security-sensitive WAN. EdgeConnect SD-Branch scores as excellent with the small platform flexibility and operations capabilities and as fair for the performance optimization capability. Its scores are driven by its SD-branch capabilities along with limitations in WAN optimization. In general, with this product, HPE focuses on simplicity and ease-of-use deployments and not as much on complex networking needs.
On 9 January 2024, HPE announced its intention to acquire Juniper Networks. At the time of this evaluation, however, HPE and Juniper operate as separate entities. Gartner will provide further insight as more detail becomes available.
HPE (Aruba Networking EdgeConnect SD-WAN)
HPE Aruba Networking EdgeConnect SD-WAN (with optional WAN optimization) provides physical and virtual SD-WAN gateway appliances, licensed software, and orchestration managed through the HPE Aruba Networking Central orchestration platform. Gartner estimates that HPE (Aruba) has approximately 4,000 SD-WAN enterprise customers for its Aruba EdgeConnect SD-WAN offering. With this product, HPE tends to address larger organizations or those with larger locations and primarily focuses on more complex and performance optimization use cases.
During the past year, HPE added SWG as an additional licensed option on top of the EdgeConnect SD-WAN solution. Additionally, the vendor delivered on the integration of EdgeConnect SD-WAN with Aruba Central Routing and Tunneling Orchestration. Furthermore, broader Axis Security integration is a work in progress in the evolution to single-vendor SASE. Still, the Aruba EdgeConnect SD-WAN offering has limited small platform flexibility capabilities.
EdgeConnect SD-WAN was only scored in four of the five use cases because the vendor doesn’t position it for the WAN for small branches scenario; see HPE (Aruba Networking EdgeConnect SD-Branch) for this use case. The product scores as excellent for all the use cases in which it was assessed. EdgeConnect SD-WAN scores as excellent with the performance optimization, cloud onramp, partner-integrated cloud security and operational capabilities, and as fair for the small platform capability. Its scores are driven by its WAN and SaaS optimization, cloud integrations and breadth and depth of SSE vendor integration capabilities along with limitations with integrated Wi-Fi and cellular wireless. In general, with this product, HPE focuses on more complex networking deployments where performance optimization is a requirement, rather than smaller location branch simplicity.
On 9 January 2024, HPE announced its intention to acquire Juniper Networks. At the time of this evaluation, however, HPE and Juniper operate as separate entities. Gartner will provide further insight as more detail becomes available.
Huawei
Huawei’s lead offering is the Huawei SD-WAN solution, which includes the NetEngine AR series with both physical and virtual routers and accompanying software license, as well as the iMaster NCE-Campus controller. Although we didn’t assess it because it has a narrow focus, Huawei also has the USG firewall offering that primarily addresses security use cases. Gartner estimates that Huawei has approximately 28,000 SD-WAN enterprise customers using its SD-WAN solution. The vendor serves customers of all sizes and verticals with a particular focus on SD-branch opportunities.
During the past year, Huawei delivered SD-WAN AI policy recommendations, easy provisioning of LAN and WAN convergence and public cloud SaaS cloud onramp. Furthermore, the vendor has focused on delivering a single-vendor SASE solution. Still, it lacks broader third-party SSE integrations and cloud onramp capabilities for leading global hyperscale cloud providers.
Huawei scores as excellent for the WAN for small branches and on-premises security-sensitive use cases. It scores as good for the other three use cases. Huawei scores as excellent for the small platform flexibility, on-premises security and routing and application steering capabilities and as fair for partner-integrated cloud security and cloud onramp capabilities. Its scores are driven by its SD-branch, NGFW and routing and path selection capabilities along with limitations in integrating with leading global hyperscale cloud providers. In general, with this product, Huawei focuses on native security and branch consolidation needs rather than broader cloud onramp requirements.
Juniper Networks
Juniper Networks’ offering is Juniper AI-Driven SD-WAN, which includes the Session Smart Routers, Session Smart Networking software, WAN Assurance and Marvis Virtual Network Assistant. Gartner estimates Juniper has approximately 4,000 SD-WAN enterprise customers using its offering. The vendor serves customers of all sizes and verticals with a particular focus on SD-branch opportunities.
During the past year, Juniper delivered application path insights with dynamic packet capture to simplify troubleshooting, and proactive WAN link monitoring with Marvis Minis digital twins to help proactively identify network issues. Still, Juniper has limited cloud onramp and WAN optimization functionality.
Juniper scores as excellent for the WAN for small branches, large hybrid WAN and on-premises security-sensitive use cases. It scores as good for the other two use cases. Juniper scores as excellent for the routing and traffic steering, operational and small platform capabilities, and as good for the cloud onramp capability and partner-integrated security. Its scores are driven by its path selection capabilities, AI networking and SD-branch capabilities. In general, Juniper focuses on broader branch consolidation and AI networking functionality.
On 9 January 2024, HPE announced its intention to acquire Juniper Networks. At the time of this evaluation, however, HPE and Juniper operate as separate entities. Gartner will provide further insight as more detail becomes available.
Palo Alto Networks
Palo Alto Networks’ lead offering is Prisma SD-WAN, which includes Instant-On Network (ION) edge virtual and physical appliances, software licensing and orchestration. Although we didn’t assess it because it has a narrow focus, the vendor also has the PAN-OS branch firewall with limited SD-WAN capabilities. Gartner estimates it has approximately 4,000 SD-WAN enterprise customers using the Prisma SD-WAN offering. With this product, the vendor focuses on organizations of all sizes and all verticals, primarily where SASE is a major driver.
During the past year, Palo Alto Networks delivered Strata Cloud Manager with NetSec Co-Pilot to simplify troubleshooting and application SLA assurance to optimize end-user experience. Furthermore, the vendor has focused on evolving its offering to the single-vendor SASE market. Still, the product has limited on-premises security capabilities for clients that are not looking to move their security to the cloud, and limited WAN optimization functionality.
Palo Alto Networks’ Prisma SD-WAN was only scored for four of the five use cases because the vendor doesn’t participate in the on-premises security-sensitive use case with the product evaluated. It scores as excellent for all use cases except for WAN for small branches, where it scores as good. Palo Alto Networks’ Prisma SD-WAN scores as excellent on cloud onramp and routing and application steering capabilities, and as good for the performance optimization capability. Its scores are driven by its integrations with cloud providers and path selection capabilities, along with limitations in WAN optimization. In general, with this product, Palo Alto focuses on cloud integration and SASE requirements.
Peplink
Peplink offers Balance for enterprise branch SD-WAN and MAX for industry and mobility SD-WAN requirements. Both include SpeedFusion software technology and InControl 2 orchestration for management. For this research, we assess the Balance product line as it is the vendor’s lead offering in this market. Gartner estimates it has approximately 7,000 SD-WAN enterprise customers with this product. The vendor focuses on midmarket organizations, with specific verticals targeting cellular wireless WAN use cases.
During the past year, Peplink expanded its Dynamic Weighted Bonding capability that integrates multiple 5G/Long Term Evolution (LTE)/low Earth orbit (LEO) satellite links into a single link, introduced the latest 5G modules and launched third-party eSIM provisioning over the air. Still, the vendor has limited cloud onramp and third-party SSE integration functionality.
Peplink scores as good for all use cases except the partner-integrated cloud security use case, where it scored as fair. Peplink scores as excellent in the small platform flexibility capabilities and as fair for the partner-integrated cloud security and cloud onramp capabilities. Its scores are driven by support for integrated 5G and Wi-Fi 6 along with limitations in support of broader cloud security and cloud service provider integrations. In general, with this product, Peplink focuses on cellular wireless WAN capabilities and not on more complex wireline networking needs.
Versa Networks
Versa Networks’ lead offering is Secure SD-WAN, which includes Cloud Service Gateways (CSG) physical or virtual appliances, software licensing, and associated management and orchestration. Although we didn’t assess it because it has a narrow focus, the vendor also offers Versa Titan, which is delivered as a cloud-based offering for more simplified use cases. Gartner estimates that Versa Networks has approximately 18,000 SD-WAN enterprise customers using the Secure SD-WAN offering. With this product, the vendor addresses clients of all sizes and in all vertical industries, with a particular focus on security and more complex use cases.
During the past year, Versa Networks delivered the elastic services cluster, which includes two or more nodes with multiple services and the ability to add on-demand capacity, SASE on SIM for mobile operators, and Intellipath, which supports SLA-based routing. Furthermore, the vendor has focused on enhancing its single-vendor SASE offering. Still, its integrations with third-party SSE vendors can be improved.
Versa Secure SD-WAN scores as excellent for all five use cases. It scores as excellent for the routing and application steering, deployment flexibility and on-premises security capabilities, and as good for the partner-integrated cloud security capability. Its scores are driven by its path selection and routing protocol, deployment of large networks and NGFW capabilities. In general, with this product, the vendor focuses on more complex networking and security needs.
Context
SD-WAN products deliver the required features/functionality to connect branches and users to other enterprise locations and cloud workloads. Two main areas that continue driving client buying decisions are how to connect or integrate to the cloud and how to deliver the appropriate security, which are reflected in the use cases and the critical capabilities that we assess.
SD-WAN solutions are increasingly combined with cloud-resident functionality for overarching policy and operational control, as well as with cloud gateways and cloud security in a SASE architecture. The result is a simpler, more streamlined branch office footprint that enables organizations to better address more dynamic and distributed traffic flows resulting from greater use of cloud and internet resources.
Market Definition
Gartner defines SD-WAN as functionality primarily used to connect branch locations to other enterprise and cloud locations. SD-WAN products provide dynamic path selection based on business or application policy, routing, centralized orchestration of policy and management of appliances, virtual private network (VPN), and zero-touch configuration. SD-WAN products are WAN transport/carrier-agnostic and create secure paths across physical WAN connections.
SD-WAN products replace traditional branch routers and enable connectivity between enterprise branch locations as well as the cloud. They facilitate WAN connectivity’s evolution from Multiprotocol Label Switching (MPLS)-centric to public internet-centric in support of enterprise traffic shifts from private data centers to public cloud and SaaS.
Mandatory Features
The mandatory features for SD-WAN offerings include:
- Functionality:
  - Ability to replace a branch router (e.g., support for Border Gateway Protocol [BGP])
  - Application-aware dynamic path selection (e.g., Layer 7 traffic steering) across multiple physical interfaces
  - Virtual private network (VPN)
- Orchestrator (on-premises or in the cloud) that provides a centralized mechanism for:
  - Configuration (zero-touch configuration)
  - Management
  - Visibility/analytics/troubleshooting
  - Reporting
- Form factor for branch, data center and cloud locations:
  - Software that can be deployed on a branded hardware appliance or third-party hardware at a branch, data center or other enterprise location
  - Software deployed in the public cloud as a virtual instance
Common Features
The common features for SD-WAN offerings include:
- Integrated Layer 4 firewall, intrusion detection system (IDS)/intrusion prevention system (IPS), URL/content filtering and anti-malware
- Software delivered as a virtual network function (VNF), virtual machine (VM) or container
- Branded turnkey hardware appliance
- API support
- Service chaining capabilities (including the ability to integrate with third-party SSE vendors)
- Application performance optimization capabilities (e.g., forward error correction [FEC], packet duplication and SaaS optimization)
- Orchestration and integration with cloud service providers to simplify cloud onramp
- Advanced on-premises security (e.g., Layer 7 firewalls and data loss prevention [DLP])
- Native cloud gateways for service insertion and simplified cloud onramp connectivity
- WAN backbone/enhanced internet functionality
- WAN optimization (e.g., TCP optimization, caching and deduplication)
- Extended orchestration beyond SD-WAN to include wireless LAN (WLAN)/LAN/security to form SD-Branch
- AI/GenAI networking support for configuration management, incident management and documentation access
- Software-only solution deployable on an end-user device for remote users
Product/Service Class Definition
SD-WAN solutions are used by organizations to simplify WAN connectivity to cloud workloads, on-premises workloads and connectivity to other enterprise locations. Implementing an SD-WAN solution may use MPLS and internet connectivity or solely internet connectivity as part of a rearchitecting of the WAN to route traffic directly where it needs to go (cloud, data center, colocation facility or other enterprise locations). This optimizes performance and simplifies management.
Key trends in the SD-WAN market are:
- Convergence of networking and network security to deliver SASE
- AI networking enhancements to optimize operations
- Integration of DEM functionality to deliver richer end-user performance analysis and operations
- Integration with cloud providers and cloud onramp solutions to simplify cloud connectivity
- Smaller branch footprints to reflect the move to the cloud and a distributed workforce
To incorporate these key trends and more, the critical capabilities we assess in this research are:
- Routing and application steering
- On-premises security (local)
- Partner-integrated cloud security
- Performance optimization
- Scalability
- Operational capabilities
- Deployment flexibility
- Small platform flexibility
- Cloud onramp
Critical Capabilities Definition
Routing and Application Steering
Key features include application-aware path selection and routing capabilities, as well as the ability to support various overlay and underlay functionalities.
This capability includes autorecognition of applications and application-aware path selection functionality (algorithm for failover and time for failover) across diverse WAN connections (e.g., internet or MPLS) with broad routing/architecture support.
On-Premises Security (Local)
This includes security capabilities that are delivered within the branch location, on the vendor’s on-premises SD-WAN appliance.
This capability consists of basic functionality, such as access control lists (ACLs), VPN, segmentation and Layer 3/Layer 4 firewalls. This also includes advanced functionality such as intrusion prevention system (IPS)/intrusion detection system (IDS), Layer 7 firewall, anti-malware, URL/content filtering, and data loss prevention (DLP). This capability is preferred by enterprise customers who are looking to limit the total number of vendors/suppliers in their environment and who prefer on-premises security solutions to cloud-delivered SSE functionality.
Partner-Integrated Cloud Security
This includes the depth and breadth of security integrations an SD-WAN vendor has with independent, cloud-delivered SSE vendors.
In this capability, we assess the vendor’s breadth of cloud security partnerships and the ability to deliver turnkey orchestration from a single management console with those third parties. The functionality consists of cloud access security broker (CASB), SWG, zero-trust network access, firewall as a service, anti-malware, remote browser isolation, DLP, sandboxing and more.
Performance Optimization
Performance optimization is driven by broad WAN optimization features, SaaS optimization, quality of service (QoS) techniques and optimization for real-time traffic to improve the quality of experience across the WAN.
Although WAN optimization is mature, it still has value. WAN performance optimization includes TCP protocol optimization, HTTP and secure sockets layer (SSL) optimization, in-line compression and deduplication, caching, and latency mitigation. SaaS optimization generally involves methods to optimize various network metrics (such as packet loss, latency and jitter) across the internet for applications hosted in the cloud. QoS includes techniques from prioritization to end-to-end enforcement of class of service. Real-time voice optimization includes techniques such as forward error correction (FEC), packet duplication and protocol optimization techniques.
Operational Capabilities
SD-WAN solutions should simplify networking environments using a centralized GUI to deploy, manage, troubleshoot and support ongoing operations.
We assess the vendor’s GUI and its ability to support the required configurations that can automatically push or pull out all individual device configuration data. Also, we evaluate the ability to display application visibility, troubleshooting and network reporting. The solution must support zero-touch configuration for new branches, which entails on-site branch personnel having to make physical (i.e., cabling) changes only and administrators not having to make configuration changes to bring new branches online.
We evaluate native monitoring, analytics, workflow, automation, AI networking and ease of use in Day 0 network design, Day 1 network setup, and ongoing Day 2 management. We evaluate API integrations with external solutions such as DEM tools, orchestration with third-party solutions, and the ability to support automation tools such as Ansible and Terraform. Finally, we analyze the vendors’ support capabilities across different languages and regions both in person and remote.
Deployment Flexibility
SD-WAN solutions need to deliver a variety of form factors (both software and physical), WAN interfaces and deployment options. Hardware, software, cloud options and service chaining are important for many architectures.
The fundamental purpose is to enable connectivity between distributed locations with varying form factors, including headquarters, branches, corporate data centers, edge locations, colocation/hosting facilities and cloud providers. This means that SD-WAN solutions must support a diverse set of deployment options, including hardware appliances, software or a cloud-based service. Form factors will have different scaling requirements from low-throughput scenarios to very high throughput, as well as small networks to very large networks. Appliances should offer multiple choices for WAN connectivity, such as Ethernet, broadband, 4G/LTE and 5G.
Small-Platform Flexibility
The product needs to offer solutions that are highly automated, easy to use, and able to scale down or up depending on the number of sites.
This capability includes integrated Wi-Fi, cellular wireless, network security and breadth of cloud services support. A strong orchestration component to manage the overall solution is key.
Scalability
Offerings demonstrate the ability to deploy and manage large numbers (hundreds and even thousands) of branch locations with the vendor’s SD-WAN offering.
We evaluate both the published and supported scale of orchestration platforms and the demonstrated size of real-world customer deployments.
Cloud Onramp
Solutions demonstrate the ability to offer broad, automated, high-performing and flexible architectures to access cloud workloads (SaaS, PaaS and IaaS). This can be done with native solutions or through partnerships with tight integration and orchestration.
This includes demonstrated capabilities to automate and orchestrate overlay connectivity to cloud providers, such as Amazon Web Services (AWS) and Microsoft Azure. It also includes the ability to deploy and support SD-WAN virtual images in cloud providers. It may include native cloud gateways that offer enhanced steering, service insertion, improved application performance, and/or direct connectivity to various SaaS and IaaS providers. We assess partnerships with vendors in which technical integrations have occurred that enable simplified connectivity to SaaS and strategic cloud platform service providers (e.g., software-defined cloud interconnect and cloud hub vendors). Lastly, we evaluate turnkey support for AWS Transit Gateway and Azure vWAN.
Use Cases
WAN for Small Branches
Simple, secure branch networking is delivered to branch offices, typically of fewer than 10 people. The network can range from several branches to more than 10,000 branches.
This use case addresses the increased demand for a “cookie-cutter” style for deployments. It is representative of small-site needs that are common in distributed-enterprise (convenience stores, gas stations, retail branches, fast food restaurants, etc.) and midsize-enterprise WANs. Ease of use and automation are major drivers, due to limited IT staffing. Expense is a strong focus (that is, minimum capital and WAN expenditures), so these deployments rely heavily on the internet, often using xDSL, Ethernet, cable, 4G LTE/5G for primary/secondary connections as part of an active/active configuration. Increasingly, we see the demand for integrated orchestration of LAN, WLAN, SD-WAN and network security from a single vendor to simplify management.
Enterprises comprising small branches rely on less complex configurations, with an increasing reliance on SaaS applications. They need visibility and, at times, real-time traffic optimization (e.g., FEC) to improve performance of lower-priced connectivity, but not the full suite of performance optimization.
Large Hybrid WAN
This is a hybrid WAN deployment scaling to hundreds or thousands of sites across multiple geographic regions, often with specific performance and security requirements.
This use case has varying requirements based on workloads on-premises and in the cloud. Many global enterprises with large WANs span more than 100 sites across several countries in several regions. A capability to improve performance is important for geographically dispersed sites.
Most sites will have a private circuit (e.g., MPLS) and some type of internet access circuit. Some of the traffic is still destined for workloads hosted in the on-premises data center, with increasing needs to directly access workloads hosted in the cloud. These enterprises need flexible and robust network security, as well as ways to optimize access to various types of XaaS.
It is important to provide performance optimization functionality for applications hosted both on-premises and in the cloud, as well as to support complex routing and topologies. The solution needs to be manageable, yet robust enough to connect workloads in a highly distributed environment. Network teams are generally more technical and hands-on, and are looking for specific features/functionality to support complex architectures.
Security teams and cloud teams are increasingly part of the decision process for this use case to address more complicated requirements that may involve multiple vendors.
On-Premises Security-Sensitive WAN
The main focus of this use case is to provide SD-WAN integrated with native security functionality within the on-premises branch SD-WAN appliance.
Enterprises in this use case are looking for on-premises security features such as network firewall (to protect east/west traffic as well as north/south traffic), segmentation, IPS/IDS, anti-malware, URL/content filtering and DLP. The number of branch locations and size of branch locations can vary.
Networking functionality in this use case usually does not require complex routing protocols or topology requirements. Both security teams and network teams are heavily involved in this decision and influence vendor selection. In this use case, organizations prefer that SD-WAN and security are delivered via a single on-premises appliance.
Example verticals of this use case are financial services, retail, healthcare, regulated industries and government. There may be geographical preferences for this use case, especially where there is limited public cloud adoption.
Cloud-First WAN
Enterprises continue to expand the use of public cloud and SaaS services, using SD-WAN to support easy, automated, high-performing, flexible cloud access to cloud workloads.
This use case is driven by limited or no workloads in on-premises data centers or colocation facilities and more reliance on cloud workloads. This can be SaaS or IaaS in a centralized or distributed way with few or many cloud providers involved.
WAN transport is typically multiple internet links, but can be enhanced internet as well. Clients may also use WAN backbone services from the cloud providers themselves.
Clients that often describe themselves as having a “cloud-first” and/or “cloud-only” strategy generally have plans to close corporate data centers and eliminate corporate private WANs, but require cloud onramp (a connectivity solution to access cloud service providers) WANs. Flexibility in network architectures and network setup is key to this use case, as is delivering application performance (e.g., SaaS optimization) from the end user to the cloud workloads. Consequently, cloud onramp automation and orchestration capabilities and SaaS optimization are very important for this use case.
This solution often leverages cloud-delivered SSE rather than security at the edge/branch appliance.
SD-WAN With Partner-Integrated Cloud Security
This use case focuses on providing SD-WAN with security features through tight integration with SSE vendors, often as part of a strategy to implement dual-vendor SASE.
Enterprises in this use case have typically already selected a separate SSE vendor for security functionality such as CASB and SWG. Thus, they are looking to deploy an SD-WAN solution with tightly integrated SSE functionality to retain ultimate flexibility in addressing both networking and security requirements independently. This includes certified partners, validation and design guides, management console integration, policy integration, telemetry sharing, etc.
Specific networking functionality required may include SaaS optimization, automation and orchestration in connecting to the cloud, support for complex topologies or advanced operational needs. The number of branch locations can vary, but tends to be larger with more complicated requirements. Both security teams and network teams are heavily involved in this decision and influence vendor selection.
Vendors Added and Dropped
Added
- Broadcom was added as a result of its acquisition of VMware.
Dropped
- Nuage Networks was dropped as it exited the SD-WAN market.
- Forcepoint was dropped as it predominantly focuses on selling SD-WAN as part of a SASE solution.
- Sophos was dropped as it predominantly focuses on selling SD-WAN as part of its firewall solution.
- VMware has been acquired by Broadcom.
Inclusion Criteria
Critical Capabilities research identifies and analyzes the most relevant providers and their products in a market. Gartner uses, by default, an upper limit of 20 providers to support the identification of the most relevant providers in a market. On some specific occasions the upper limit may be extended where the intended research value to our clients might otherwise be diminished.
The inclusion criteria represent the specific attributes that analysts believe are necessary for inclusion in this research:
- Vendors must meet inclusion criteria for the Magic Quadrant for SD-WAN, 2024.
- Vendors must primarily lead with the product(s) assessed, meaning they position that product in at least 50% of enterprise* opportunities for that use case.
- Vendors must have at least 100 enterprise* customers*** with that product for each use case assessed.
To qualify for inclusion, vendors need to show relevance to Gartner clients. They must:
- Provide products/services that address the enterprise SD-WAN requirements outlined in the Market Definition/Description section.
- Produce and release enterprise SD-WAN products for general availability as of June 14, 2024. All components must be publicly available, be shipping and be included on the vendors’ published price list as of this date. Products shipping after this date, and any publicly available marketing information may only have an influence on the Completeness of Vision axis.
- Provide commercial support and maintenance for their enterprise SD-WAN products (24/7) to support deployments on multiple continents. This includes hardware/software support, access to software upgrades, security patches, and troubleshooting and technical assistance.
Product Capabilities
Vendors must have generally available products that support all of the following capabilities:
- The ability to operate as the branch office router (including eBGP, OSPF, support hub and spoke, full mesh, and partial mesh topologies with automation for a minimum of a 250-site network) with traffic shaping and/or QoS
- Centralized management/orchestration and automation for devices (with GUI), including reporting, troubleshooting, configuration changes and software upgrades
- Zero-touch configuration
- IPsec VPN (Advanced Encryption Standard [AES] 256-bit encryption) with integrated firewall
- Application-aware path selection based on business or application policy (not limited to only DiffServ Code Point [DSCP]/ports, IPs/circuits or 5-tuple) that responds to network conditions (e.g., changes in packet loss, latency, jitter, etc.) in an active/active configuration
- Autodiscover at least 200 well-known application profiles
- Visibility of application performance data of traffic delivered across the WAN (e.g., packet loss, latency, jitter, etc.)
- Demonstrated integration with at least one third-party cloud security solution (third-party SSE vendor)
- Ability to completely support a do-it-yourself (DIY) customer by exposing full granular management and administration capabilities
- Software that can be deployed in at least two cloud providers (such as AWS and Azure)
Business/Financial Performance
Vendors must show relevance to Gartner’s enterprise clients by meeting the following with their SD-WAN solution(s) that meet the product capabilities inclusion criteria (from above):
- Must have a product assessed in at least three of the five use cases identified in this research.
- Meet either of the following criteria:
  - At least 60,000 SD-WAN enterprise* sites** deployed and under active support contracts.
  - At least 1,200 SD-WAN enterprise* customers*** deployed and under active support contracts.
- Demonstrate baseline scalability and customer adoption by servicing at least 60 enterprise* customers*** with active support contracts that have at least 100 sites each.
- Show relevance to Gartner’s enterprise* clients on a global basis with at least 150 SD-WAN enterprise* customers*** under active support contracts and headquartered in three or more of the following geographic regions: North America, South America, EMEA or APAC. This means 150 enterprise* customers*** with headquarters in one region and another 150 enterprise* customers*** each with headquarters in two other different regions, for a total of at least 450 enterprise* customers*** between the three regions.
- Rank among the top 20 vendors in the Customer Interest Indicator (CII) defined by Gartner for the associated Magic Quadrant for SD-WAN. Data inputs used to calculate SD-WAN CII included a balanced set of measures:
  - Gartner end-user inquiry volume
  - Vendor mentions in Peer Insights as competitor
  - Social media followers
  - Gartner search
  - Google Trends: search interest
  - Web traffic analytics
* Enterprise is defined as an organization with at least $50 million in revenue and/or 100 employees. It can be a private for-profit organization or not-for-profit entities such as charitable organizations, government and education institutions.
** Sites are defined as organization locations of customers.
*** Customers are entities paying for an SD-WAN solution under active support contracts with features defined in the product inclusion criteria section. This excludes trials, POCs, paid pilots, “try and buys,” lab trials, etc.
Table 1: Weighting for Critical Capabilities in Use Cases
| Critical Capabilities | WAN for Small Branches | Large Hybrid WAN | On-Premises Security-Sensitive WAN | Cloud-First WAN | SD-WAN With Partner-Integrated Cloud Security |
|---|---|---|---|---|---|
| Routing and Application Steering | 10% | 30% | 20% | 20% | 20% |
| On-Premises Security (Local) | 15% | 5% | 50% | 0% | 0% |
| Partner-Integrated Cloud Security | 5% | 10% | 0% | 15% | 45% |
| Performance Optimization | 0% | 15% | 10% | 5% | 5% |
| Operational Capabilities | 10% | 10% | 10% | 5% | 10% |
| Deployment Flexibility | 0% | 10% | 5% | 5% | 5% |
| Small-Platform Flexibility | 45% | 0% | 0% | 0% | 0% |
| Scalability | 10% | 15% | 5% | 5% | 5% |
| Cloud Onramp | 5% | 5% | 0% | 45% | 10% |
| As of 11 September 2024 | | | | | |
Source: Gartner (September 2024)
This methodology requires analysts to identify the critical capabilities for a class of products/services. Each capability is then weighted in terms of its relative importance for specific product/service use cases.
Critical Capabilities Rating
Each of the products/services that meet our inclusion criteria has been evaluated on the critical capabilities on a scale from 1.0 to 5.0.
Table 2: Product/Service Rating on Critical Capabilities
| Critical Capabilities | Barracuda | Broadcom (VMware) | Cisco (Catalyst SD-WAN) | Cisco (Meraki SD-WAN) | Ericsson (Cradlepoint) | Fortinet | HPE (Aruba Networking EdgeConnect SDBranch) | HPE (Aruba Networking EdgeConnect SDWAN) | Huawei | Juniper Networks | Palo Alto Networks | Peplink | Versa Networks |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Routing and Application Steering | 3.3 | 4.6 | 4.3 | 3.5 | 4.1 | 4.4 | 3.5 | 4.5 | 4.1 | 4.7 | 4.4 | 3.2 | 4.7 |
| On-Premises Security (Local) | 4.5 | 4.1 | 4.4 | 4.5 | 3.7 | 5.0 | 4.2 | 4.3 | 4.1 | 4.5 | 3.0 | 3.4 | 4.8 |
| Partner-Integrated Cloud Security | 2.4 | 3.9 | 3.6 | 3.0 | 3.0 | 2.4 | 3.4 | 4.3 | 2.7 | 3.3 | 3.8 | 2.5 | 3.4 |
| Performance Optimization | 3.3 | 3.8 | 3.8 | 2.0 | 2.2 | 4.0 | 2.4 | 4.2 | 3.3 | 3.5 | 2.9 | 3.0 | 4.1 |
| Operational Capabilities | 3.1 | 4.3 | 4.3 | 4.1 | 3.4 | 4.3 | 4.3 | 4.1 | 3.8 | 4.4 | 4.2 | 3.2 | 4.3 |
| Deployment Flexibility | 3.8 | 4.7 | 4.5 | 4.2 | 3.6 | 4.4 | 4.2 | 4.0 | 4.0 | 4.5 | 4.2 | 3.7 | 4.6 |
| Small-Platform Flexibility | 3.0 | 4.3 | 4.1 | 4.8 | 4.0 | 4.7 | 4.5 | 2.8 | 4.6 | 4.4 | 3.3 | 4.4 | 4.1 |
| Scalability | 3.3 | 4.4 | 4.3 | 4.2 | 3.3 | 4.4 | 3.7 | 3.9 | 3.9 | 4.1 | 3.9 | 3.3 | 4.3 |
| Cloud Onramp | 2.7 | 4.2 | 3.8 | 3.3 | 1.9 | 4.4 | 3.4 | 4.1 | 2.8 | 3.3 | 4.0 | 2.9 | 4.0 |
| As of 11 September 2024 | | | | | | | | | | | | | |
Source: Gartner (September 2024)
Table 3 shows the product/service scores for each use case. The scores, which are generated by multiplying the use-case weightings by the product/service ratings, summarize how well the critical capabilities are met for each use case.
Table 3: Product Score in Use Cases
| Use Cases | Barracuda | Broadcom (VMware) | Cisco (Catalyst SD-WAN) | Cisco (Meraki SD-WAN) | Ericsson (Cradlepoint) | Fortinet | HPE (Aruba Networking EdgeConnect SDBranch) | HPE (Aruba Networking EdgeConnect SDWAN) | Huawei | Juniper Networks | Palo Alto Networks | Peplink | Versa Networks |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| WAN for Small Branches | 3.25 | 4.29 | N/A | 4.33 | 3.68 | 4.52 | 4.15 | N/A | 4.14 | 4.31 | 3.58 | 3.73 | 4.27 |
| Large Hybrid WAN | 3.27 | 4.32 | 4.16 | N/A | 3.34 | 4.16 | N/A | 4.23 | 3.71 | 4.16 | 3.91 | 3.16 | 4.34 |
| On-Premises Security-Sensitive WAN | 3.91 | 4.24 | 4.31 | 3.98 | 3.58 | 4.65 | 3.87 | 4.28 | 3.98 | 4.41 | N/A | 3.31 | 4.63 |
| Cloud-First WAN | 2.91 | 4.26 | 3.96 | 3.36 | N/A | 4.08 | 3.47 | 4.20 | 3.24 | 3.75 | 4.01 | 2.98 | 4.12 |
| SD-WAN With Partner-Integrated Cloud Security | N/A | 4.17 | 3.92 | N/A | 3.16 | N/A | N/A | 4.26 | 3.26 | 3.80 | 3.96 | 2.88 | 3.95 |
| As of 11 September 2024 | | | | | | | | | | | | | |
Source: Gartner (September 2024)
To determine an overall score for each product/service in the use cases, multiply the ratings in Table 2 by the weightings shown in Table 1.
Evidence
- Gartner analysts conducted over 1,200 Gartner end-user client interactions on the topic of WAN from 1 June 2023 through 31 May 2024.
- Gartner analysts conducted over 1,600 Gartner end-user client inquiries on the topic of SD-WAN from 1 June 2023 through 31 May 2024.
- Gartner analysts conducted over 800 Gartner end-user client inquiries on the topic of SASE from 1 June 2023 through 31 May 2024.
- Vendors included in this research responded to an RFI created by Gartner analysts.
- Analysts reviewed Gartner Peer Insights data for this market. Gartner Peer Insights is a free peer review and ratings platform designed for enterprise software and service decision makers. Reviews go through a strict validation and moderation process in an effort to ensure they are authentic. Reviews from the SD-WAN market, submitted from 1 June 2023 through 31 May 2024, have been analyzed for the purpose of this research.
- Gartner analysts reviewed publicly available information online.
- We considered data collected by Gartner’s Branded Research Center of Excellence on customer interest in April 2024 from Gartner internal sources and external secondary sources.
Critical Capabilities Methodology
This methodology requires analysts to identify the critical capabilities for a class of products or services. Each capability is then weighted in terms of its relative importance for specific product or service use cases. Next, products/services are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities for each use case is then calculated for each product/service.
"Critical capabilities" are attributes that differentiate products/services in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.
In defining the product/service category for evaluation, the analyst first identifies the leading uses for the products/services in this market. What needs are end-users looking to fulfill, when considering products/services in this market? Use cases should match common client deployment scenarios. These distinct client scenarios define the Use Cases.
The analyst then identifies the critical capabilities. These capabilities are generalized groups of features commonly required by this class of products/services. Each capability is assigned a level of importance in fulfilling that particular need; some sets of features are more important than others, depending on the use case being evaluated.
Each vendor’s product or service is evaluated in terms of how well it delivers each capability, on a five-point scale. These ratings are displayed side-by-side for all vendors, allowing easy comparisons between the different sets of features.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor or Absent: most or all defined requirements for a capability are not achieved
2 = Fair: some requirements are not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements
To determine an overall score for each product in the use cases, the product ratings are multiplied by the weightings to come up with the product score in use cases.
The critical capabilities Gartner has selected do not represent all capabilities for any product; therefore, they may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making a product/service decision.

