Fortinet SD-WAN vs Cato Networks

Anyone have experience with either/both? Would like to understand some of the pros and cons of each.

No experience with Cato, but Fortinet SD-WAN is free of charge; it is included in FortiGate by default with no extra licensing.
All SD-WAN config, routing policies, shaping, SLAs, etc. is local to each FortiGate, so there are no dependencies on any broker/cloud/gateway.
Config is fairly simple; it is basically policy-based routing with some features added on top, like ADVPN.

SD-WAN is just routing on steroids. Instead of source IP - destination IP - interface A, you have a lot more options to tell your traffic where to go. With SD-WAN you can route by source/destination IP, destination application, destination port, destination URL, circuit SLAs required to be met (which include jitter and packet loss), load balancing, spillover %, etc. Basically any scenario you can think of, you can create an SD-WAN policy to make that routing decision.
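As an added illustration of the "policy-based routing with SLAs" that the two posts above describe (this is not config from the thread or from Fortinet's documentation), here is a FortiOS-style SD-WAN fragment that steers SIP traffic by measured latency/jitter/loss and spills bulk traffic from one circuit to the other. Interface names, gateway addresses, the probe target, thresholds and the ISDB entry name are assumed values; the syntax follows the `config system sdwan` tree of FortiOS 7.x and must be checked against the firmware actually deployed.

```text
# Added example (assumed values throughout) - FortiOS 7.x style SD-WAN config
config system sdwan
    set status enable
    # usage-based = spillover: fill member 1 to its threshold, then overflow to member 2
    set load-balance-mode usage-based
    config zone
        edit "virtual-wan-link"
        next
    end
    config members
        edit 1
            set interface "wan1"                 # assumed: primary DIA circuit
            set zone "virtual-wan-link"
            set gateway 192.0.2.1                # assumed
            set spillover-threshold 80000        # kbps before overflow, assumed
        next
        edit 2
            set interface "wan2"                 # assumed: secondary DIA circuit
            set zone "virtual-wan-link"
            set gateway 198.51.100.1             # assumed
        next
    end
    config health-check
        edit "HC_DNS"
            set server "8.8.8.8"                 # assumed probe target
            set members 1 2
            config sla
                edit 1
                    set latency-threshold 150    # ms
                    set jitter-threshold 30      # ms
                    set packetloss-threshold 2   # percent
                next
            end
        next
    end
    config service
        # Rule 1: SIP (UDP 5060-5061) goes to the first listed member that still meets SLA 1
        edit 1
            set name "VoIP_SLA"
            set mode sla
            set protocol 17
            set start-port 5060
            set end-port 5061
            set src "all"
            set dst "all"
            config sla
                edit "HC_DNS"
                    set id 1
                next
            end
            set priority-members 1 2
        next
        # Rule 2: application-based match via the Internet Service Database, pinned to wan2 while it is up
        edit 2
            set name "O365_via_wan2"
            set mode manual
            set internet-service enable
            set internet-service-name "Microsoft-Office365"   # assumed ISDB entry name
            set src "all"
            set priority-members 2 1
        next
    end
end
```

Two things this fragment does not show but a working deployment needs: a static route whose destination is the SD-WAN zone (so the rules, not the routing table, pick the egress member) and a firewall policy that uses `virtual-wan-link` as the destination interface. `diagnose sys sdwan health-check` on 7.x prints the measured latency, jitter and loss per member, which is how you confirm that rule 1 is actually failing over when the SLA is breached.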

Fortinet is the leader in SD-WAN technology, period, and you get the benefit of ALL other security functionality built in as well. Not even a comparison to Cato.

Years back I did an ADVPN deployment with SD-WAN using FortiManager.

I needed new underwear.

Now I'm NSE7 and I just kind of pet my Forti appliances like kittens.

Not many network engineers have bought into these random SD-WAN providers to be recommending them.

Our logic is that if it's not on the edge appliance, why bother. The only people I see pitching these solutions over the Forti SD-WAN or Palo SD-WAN stuff are architects with a big focus on general systems.

Do you have more context about your use case? What business objectives are you trying to address?

SASE and SD-WAN are two different things that you can combine if you like.

Man I love Fortinet gear, absolutely love it. But, being involved in the different environments I have, Aruba SilverPeak still wins when it comes to SD-WAN.

The granularity that you have when it comes to application-based rules, the native integrations to connect to things like Zscaler (which I dislike as a product personally, but that's another story), and the cloud-based controller are the best I've seen. But man, is it a pain to implement from start to finish.

If you are already used to FortiGate management, and are accepting of the limitations (which are minor) compared to the SilverPeak gear, then definitely go with Fortinet. Is it as feature rich? No, but does that truly matter for your use case?

There has been a lot of solid information given by the others who commented before me. The biggest recommendation I can make is to decide why you are moving to SD-WAN. Come up with the problems it will solve, define some success criteria, and have the vendors do a POC if possible.

Or just buy the Fortinet solution.

Cato is SASE, not SD-WAN. You need to compare Cato with FortiSASE.

Are you looking for business pros/cons or technical?

I’ve got quite a bit of experience with both Cato and Fortinet…

They all achieve the same general thing. A lot of it is marketing fluff. It really depends on what your goals are and what your threat model is. Do you care about user experience? Do you care about policy enforcement? Hostile networks? Gartner? Not risking everything running through a 3rd-party network?

So what is Cato even offering?

You are right in that Fortinet is a leader in SD-WAN. It actually highlights and evidences their strategy and investment into appliances and iron at the edge.

SASE is a newer term that combines edge SD-WAN and cloud network/app security into a single category. Fortinet is not a leader in this space. Cato is, though.

Client wants to move away from a bad Viptela deployment, looking into these two products. I am not well versed in SD-WAN but I know the following:

  • (3) TLOCs at each site (Gold, Silver, Bronze) each a DIA

  • No identification currently on applications, which seems to be a big part of wanting SD-WAN

  • VPN mesh between each TLOC at each site, as they want direct site-to-site communication allowed (way too many active VPN tunnels)

  • Essentially only using PBR for destination traffic

Again, I am not well versed in SD-WAN, but I'm hoping the community can help me get up to speed on the pros/cons of these two vendors' SD-WAN offerings. I am not even seeing much of a use case for SD-WAN in their environment, but this is per their request.

In general, without a lot of leading context, Fortinet SD-WAN is much more complicated to implement and manage. It also requires ongoing maintenance and patching. Assuming you're doing S2S (ADVPN), you have to use scripts to deploy IPsec using FortiManager; VPN Manager doesn't support ADVPN. If you want the full value of last-mile optimizations for Internet-bound traffic, you have to deploy headends in DCs and backhaul branch traffic there to take advantage of highly resilient pipes in the DC for persisting things like egress NAT, etc.

For Cato, easy button. Easy to deploy. Easy to manage, and no maintenance: Cato takes care of maintenance. Because the other end of the SD-WAN bookend is their cloud, you get things like NAT persistence to the Internet by default. Last-mile optimizations are built in in all directions. If you're a global enterprise with a global footprint, you also get the value of their backbone, which delivers long-haul predictability and traffic acceleration.

I honestly can't think of technical reasons why you would want to do Fortinet over Cato for SD-WAN, except that if you have FortiGates already... I think it's still free?

Again, this is from the perspective of just considering SD-WAN and not other use cases.

SD-WAN is a sub-component of SASE.

SASE I understand even less than SD-WAN... I will look into the differences between each. At a high level, can you lace me with some intel?

I would be interested to hear your take on some business pros/cons. I work for one of these two and am interested in the other.

Absolutely, is SD-WAN the first step towards SASE? Do the products work together somehow? Do you need both SD-WAN and SASE? Anything you can recall from your experience would be greatly appreciated!

I totally agree. We asked Cato what the local connection box on site can do, and they replied that it is a layer 3 device, so it is simply a stupid router. If anyone is looking for a cheap VPN solution, then check out Forti or Palo; there you do not pay per user on their on-prem boxes. Cato is by far not cheap, nor are all the other ZTNA providers.

SD-WAN, FWaaS (NGFW), SWG, NGAM, IPS, CASB, DLP, EPP, XDR, and coming soon is DEM. What is unique is that they have a global backbone: not just PoPs for processing packets for whatever purpose, but a backbone to address the unpredictability of the public Internet and to accelerate traffic in all directions, east/west/north/south. All 80+ PoPs are 100% symmetrical with all services and are available for all customers to use globally. You can be a single site with 30 users and still use the entirety of its global network as users travel or traverse the globe.