Secure SD-WAN / SASE technology vendor
Fortinet
Official sources position Fortinet Secure SD-WAN as converged networking/security and FortiSASE as cloud-delivered SSE/SASE.
Netify profile
Fortinet in depth
Platform and architecture
Fortinet builds SD-WAN into FortiGate, so every firewall is also an SD-WAN edge. Path selection, application steering and overlay VPN run on FortiOS with orchestration through FortiManager and analytics through FortiAnalyzer. Custom ASICs give strong price-to-performance, particularly for encrypted traffic at branch scale. Cloud on-ramps cover AWS, Azure, Google Cloud and Oracle Cloud, and edge form factors run from desktop units to chassis.
Security and SASE capability
Security is the heritage: NGFW, IPS, web filtering, sandboxing and SSL inspection are native on the same appliance, backed by FortiGuard threat intelligence. FortiSASE extends the stack to cloud-delivered SWG, ZTNA, CASB and DLP from Fortinet PoPs, with universal ZTNA spanning on-premises and cloud enforcement. For buyers wanting one OS across branch firewalling and SASE, the convergence is among the tightest available.
Service, support and channel
Fortinet is channel-led with deep UK distribution and MSP support, and is the platform behind many managed offers, including BT Managed SASE on Fortinet. FortiCare provides 24x7 support tiers with professional services for migration. DIY, co-managed and fully managed routes are all realistic, and multi-tenant tooling makes it a favourite among MSPs.
Commercials and the Netify verdict
Commercials bundle hardware with FortiCare support and FortiGuard security subscriptions; FortiSASE adds per-user licensing. Pricing is quote based but consistently aggressive against like-for-like NGFW plus SD-WAN stacks. The Netify verdict: shortlist Fortinet when security and WAN budgets are one budget, when branch performance per pound matters, or when an existing FortiGate estate makes convergence the path of least resistance.
Questions
Fortinet: common buyer questions
Is Fortinet SD-WAN really free with the firewall?
SD-WAN features ship in FortiOS on every FortiGate, so there is no separate SD-WAN licence. You still pay for FortiCare support and FortiGuard security bundles, and FortiSASE per-user licences if you add the cloud security layer.
How strong is FortiSASE against cloud-native rivals?
FortiSASE delivers ZTNA, SWG, CASB and DLP from Fortinet PoPs with one policy language across appliance and cloud. Cloud-native rivals carry larger PoP fabrics; Fortinet counters with FortiGate integration and total cost. Test from your user geographies before deciding.
Can I get Fortinet as a managed service in the UK?
Yes. BT, Vodafone and many UK MSPs offer managed Fortinet SD-WAN and SASE, including co-managed models where your team keeps policy visibility while the provider runs lifecycle and incident response.
Key differentiators
- Native convergence of networking and security on a single operating system (FortiOS) across FortiGate edge, FortiManager and FortiSASE.
- Strong story for buyers who want secure SD-WAN and SASE delivered from one vendor platform rather than assembled from partner integrations.
- Wide appliance range covering everything from small branch to large data centre, with public hardware pricing visible through resellers.
Best fit for
- Security-first buyers who want SD-WAN and SASE under a single policy and log domain.
- Mid-market and enterprise organisations that already run FortiGate firewalls and want to extend into SD-WAN and cloud-delivered security.
- Buyers comparing single-vendor SASE platforms (alongside Cato, Palo Alto, Cisco) for converged operations.
Watch-outs
- Like Cisco, managed delivery is via partners rather than Fortinet directly; underlay and field operations are not owned by the vendor.
- Buyers wanting a private global backbone will need to validate FortiSASE PoP coverage against their geographic footprint.
- Best-of-breed buyers may prefer integrating FortiGate SD-WAN with a separate SSE platform (Zscaler, Netskope) rather than adopting full FortiSASE.
40 features, 6 categories
Capability matrix
Each capability is graded against public source evidence. Hover any status grade for a definition. Where evidence is limited, the grade reflects that uncertainty rather than assuming the capability is present.
Service delivery and operating model
| # | Capability | Status | Definition |
|---|---|---|---|
| F01 | Fully managed service | Partner / integrated | Provider designs, deploys, monitors, changes, supports and reports on the service. |
| F02 | DIY / self-managed model | Yes | Customer operates SD-WAN controller, policies, updates and incident response. |
| F03 | Co-managed service | Partner / integrated | Provider runs platform/support while customer retains selected policy or change rights. |
| F04 | Multi-tenant MSP / white-label support | Yes | Tenant isolation, delegated administration, branded portals, templates and service-provider scale. |
| F05 | Professional services and migration support | Partner / integrated | Discovery, design, pilot, staging, migration runbooks, rollback and training. |
| F06 | Last-mile circuit management | Partner / integrated | Sourcing, monitoring and support for broadband, DIA, LTE/5G, MPLS and cross-connects. |
| F07 | Lifecycle management | Partner / integrated | Hardware replacement, firmware upgrades, patching, renewals and EoL planning. |
| F08 | Flexible commercial model | Yes | Per-site, per-bandwidth, per-user, per-device, consumption, NaaS or bundled pricing. |
Network architecture and transport
| # | Capability | Status | Definition |
|---|---|---|---|
| F09 | Encrypted overlay fabric | Yes | Secure tunnels across broadband, DIA, MPLS, LTE/5G, satellite or private WAN. |
| F10 | Dynamic path selection | Yes | Real-time routing based on latency, jitter, packet loss, brownouts, MOS and policy. |
| F11 | Active-active link utilisation | Yes | Use multiple links concurrently rather than passive backup only. |
| F12 | Application-aware routing | Yes | Identification and routing for SaaS, UCaaS, ERP and custom applications. |
| F13 | QoS and traffic shaping | Yes | Per-application and per-class prioritisation, reservation and policing. |
| F14 | Packet loss remediation | Yes | FEC, packet duplication, jitter buffering, TCP optimisation and WAN optimisation. |
| F15 | Local internet breakout | Yes | Secure direct internet access from branch sites. |
| F16 | MPLS coexistence and migration | Yes | Hybrid MPLS/internet/cellular during transition. |
| F17 | Cellular and 5G support | Partial | Integrated/external modem, SIM management, signal monitoring and failover. |
| F18 | Cloud on-ramp | Yes | Automated/simplified connectivity to AWS, Azure, Google Cloud, Oracle, Equinix, Megaport and SaaS. |
Gateway, PoP and backbone design
| # | Capability | Status | Definition |
|---|---|---|---|
| F19 | Public cloud gateways | Yes | Vendor-operated gateways/PoPs for SaaS optimisation, remote access or security enforcement. |
| F20 | Private PoPs / dedicated PoPs | Unknown | Customer-hosted, dedicated or sovereign PoP options. |
| F21 | Private global backbone | Unknown | Vendor-owned or controlled backbone between PoPs. |
| F22 | Regional breakout and data residency | Yes | Pin traffic to countries, regions or approved inspection locations. |
| F23 | Multi-cloud transit fabric | Yes | Branch-to-cloud, cloud-to-cloud and user-to-cloud connectivity under common policy. |
| F24 | Flexible edge form factors | Yes | Physical, virtual, cloud marketplace, container or uCPE. |
| F25 | High availability design | Yes | Dual appliances, dual circuits, dual power, HA clustering and gateway redundancy. |
| F26 | SLA-backed service fabric | Partner / integrated | SLA for uptime, response, change handling and possibly latency/jitter/loss. |
Security and SASE capability
| # | Capability | Status | Definition |
|---|---|---|---|
| F27 | Integrated next-generation firewall | Yes | Stateful firewall, app control, IPS/IDS, malware inspection and URL filtering. |
| F28 | Full SASE platform | Yes | SD-WAN plus SWG, CASB, ZTNA, FWaaS, DLP, RBI, DNS security and threat prevention. |
| F29 | SSE ecosystem integration | Yes | Interoperation with Zscaler, Netskope, Palo Alto Prisma Access, Cisco Secure Access, Cloudflare etc. |
| F30 | Zero Trust Network Access | Yes | Identity and posture-based access to private applications. |
| F31 | Secure web gateway | Yes | URL filtering, SSL inspection, malware scanning and acceptable-use controls. |
| F32 | CASB capability | Yes | SaaS discovery, sanctioned/unsanctioned app control and SaaS policy enforcement. |
| F33 | Data loss prevention | Partial | Data classification, inspection, blocking, alerting and exception workflow. |
| F34 | Remote user access | Yes | Client or clientless access for remote workers, contractors and mobile users. |
| F35 | SOC/SIEM/SOAR integration | Yes | Syslog, APIs, event export, threat intelligence and workflow integration. |
Operations, assurance and automation
| # | Capability | Status | Definition |
|---|---|---|---|
| F36 | Centralised orchestration | Yes | Templates, intent-based policy, zero-touch provisioning and configuration compliance. |
| F37 | Customer portal and RBAC | Yes | Real-time status, role-based access, reporting, tickets and change requests. |
| F38 | Observability and digital experience monitoring | Yes | App experience, user experience, device health, SaaS telemetry and path analytics. |
| F39 | APIs and automation | Yes | REST APIs, Terraform, webhooks, event streaming and ITSM integration. |
| F40 | Managed service assurance | Partner / integrated | 24/7 NOC/SOC, proactive monitoring, incident ownership, RCA, service reviews and change governance. |
Commercial
Cost model and pricing visibility
Public pricing visibility
Quote-based. No complete public enterprise price was found in reviewed sources.
Cost model
Quote-based appliances/subscriptions/support; public reseller pricing exists for hardware but enterprise managed/SASE bundles require quote.
Evidence
Primary sources
Every capability grade traces back to one of these sources. Reviewed 2026-05-22.
Verification notes
Capability matrix sourced from Netify internal vendor research (May 2026). Status grades reflect public source evidence only. Confirm via RFP. Qualitative fields (differentiators, best fit, watch-outs) are Netify editorial synthesis based on the evidence summary and capability profile; review before publishing. Extended dimensions (regions, clouds, AI, resilience, deployment speed, sectors, organisation fit, identity, platforms, support, logging) are indicative desk research grades from June 2026; confirm via RFP.