SD-WAN / SASE technology vendor
Palo Alto Networks
Official sources describe Prisma SASE as converging cloud security, SD-WAN and digital experience management.
Netify profile
Palo Alto Networks in depth
Platform and architecture
Palo Alto Networks delivers SASE as Prisma SASE: Prisma SD-WAN (formerly CloudGenix) ION appliances at the edge and Prisma Access providing cloud-delivered security from compute in 100+ locations on Google Cloud and AWS. Prisma SD-WAN is application-defined, using app-level SLAs rather than tunnel-centric routing, with Strata Cloud Manager unifying management. AIOps for SASE provides predictive monitoring across the stack.
Security and SASE capability
Security depth is the headline: ZTNA 2.0 with continuous inspection, SWG, CASB, DLP and FWaaS inherit two decades of Palo Alto firewall and threat research, with Precision AI applied across detection. Policy follows the user across branch, remote and data centre via one security model. For security-led procurement, capability per feature is consistently at the top of the market.
Service, support and channel
Direct enterprise sales plus a strong partner bench; managed Prisma SASE is available through global carriers including Orange, Verizon and NTT, and through UK security MSPs. Professional services and Unit 42 incident expertise back deployment. Operating the platform DIY suits mature security teams; many UK mid-market buyers take it via an MSP wrapper.
Commercials and the Netify verdict
Licensing is per user for Prisma Access plus appliance subscriptions for Prisma SD-WAN; it is quote-based and positioned at a premium. The Netify verdict: shortlist Palo Alto when security architecture leads the decision, when ZTNA depth and DLP capability carry board weight, or when consolidating onto an existing Strata or Cortex estate. Budget-led, network-first projects often find better value elsewhere.
Questions
Palo Alto Networks: common buyer questions
What makes Prisma SD-WAN different from tunnel-based SD-WAN?
ION appliances make forwarding decisions per application against app-level SLAs rather than per tunnel, which simplifies policy for SaaS-heavy estates and feeds clean telemetry into AIOps. The trade-off is a smaller routing feature set than router-heritage rivals, so validate complex topologies.
Is Prisma Access a true ZTNA solution?
Yes. ZTNA 2.0 applies continuous trust verification and deep inspection after connection, not just at connect time, covering private apps, SaaS and web from one policy. It is among the strongest ZTNA implementations on the market.
Can Prisma SASE be consumed as a managed service?
Yes, through global providers such as Orange Business, Verizon and NTT, and through UK security MSPs. Managed routes suit buyers who want Palo Alto capability without operating Strata Cloud Manager in-house.
Key differentiators
- Prisma SASE converges SD-WAN, cloud-delivered security, and digital experience management (ADEM) under a single platform identity.
- Strong threat intelligence and security capability inheritance from the wider Palo Alto Networks portfolio.
- Often selected by buyers consolidating from multiple security vendors onto a single SASE platform.
Best fit for
- Enterprises with mature security operations that want SASE built around a leading security platform rather than a security layer on top of an SD-WAN platform.
- Buyers consolidating CASB, SWG, ZTNA and FWaaS onto one vendor for unified policy.
- Organisations with global SaaS-heavy traffic patterns that benefit from Prisma Access PoP coverage.
Watch-outs
- Premium pricing relative to firewall-led SD-WAN vendors; commercial model requires careful scoping by users, bandwidth, locations and term.
- Managed delivery is via partners (Orange Business, NTT, others); first-party managed service is not the primary model.
- Private global backbone is not vendor-owned; cloud transport uses internet and Prisma Access PoPs.
40 features, 6 categories
Capability matrix
Each capability is graded against public source evidence. Where evidence is limited, the grade reflects that uncertainty rather than assuming the capability is present.
Service delivery and operating model
| # | Capability | Status | Definition |
|---|---|---|---|
| F01 | Fully managed service | Partner / integrated | Provider designs, deploys, monitors, changes, supports and reports on the service. |
| F02 | DIY / self-managed model | Yes | Customer operates SD-WAN controller, policies, updates and incident response. |
| F03 | Co-managed service | Partner / integrated | Provider runs platform/support while customer retains selected policy or change rights. |
| F04 | Multi-tenant MSP / white-label support | Partner / integrated | Tenant isolation, delegated administration, branded portals, templates and service-provider scale. |
| F05 | Professional services and migration support | Partner / integrated | Discovery, design, pilot, staging, migration runbooks, rollback and training. |
| F06 | Last-mile circuit management | Partner / integrated | Sourcing, monitoring and support for broadband, DIA, LTE/5G, MPLS and cross-connects. |
| F07 | Lifecycle management | Partner / integrated | Hardware replacement, firmware upgrades, patching, renewals and EoL planning. |
| F08 | Flexible commercial model | Yes | Per-site, per-bandwidth, per-user, per-device, consumption, NaaS or bundled pricing. |
Network architecture and transport
| # | Capability | Status | Definition |
|---|---|---|---|
| F09 | Encrypted overlay fabric | Yes | Secure tunnels across broadband, DIA, MPLS, LTE/5G, satellite or private WAN. |
| F10 | Dynamic path selection | Yes | Real-time routing based on latency, jitter, packet loss, brownouts, MOS and policy. |
| F11 | Active-active link utilisation | Yes | Use multiple links concurrently rather than passive backup only. |
| F12 | Application-aware routing | Yes | Identification and routing for SaaS, UCaaS, ERP and custom applications. |
| F13 | QoS and traffic shaping | Yes | Per-application and per-class prioritisation, reservation and policing. |
| F14 | Packet loss remediation | Yes | FEC, packet duplication, jitter buffering, TCP optimisation and WAN optimisation. |
| F15 | Local internet breakout | Yes | Secure direct internet access from branch sites. |
| F16 | MPLS coexistence and migration | Yes | Hybrid MPLS/internet/cellular during transition. |
| F17 | Cellular and 5G support | Partial | Integrated/external modem, SIM management, signal monitoring and failover. |
| F18 | Cloud on-ramp | Yes | Automated/simplified connectivity to AWS, Azure, Google Cloud, Oracle, Equinix, Megaport and SaaS. |
Gateway, PoP and backbone design
| # | Capability | Status | Definition |
|---|---|---|---|
| F19 | Public cloud gateways | Yes | Vendor-operated gateways/PoPs for SaaS optimisation, remote access or security enforcement. |
| F20 | Private PoPs / dedicated PoPs | Unknown | Customer-hosted, dedicated or sovereign PoP options. |
| F21 | Private global backbone | Unknown | Vendor-owned or controlled backbone between PoPs. |
| F22 | Regional breakout and data residency | Yes | Pin traffic to countries, regions or approved inspection locations. |
| F23 | Multi-cloud transit fabric | Yes | Branch-to-cloud, cloud-to-cloud and user-to-cloud connectivity under common policy. |
| F24 | Flexible edge form factors | Yes | Physical, virtual, cloud marketplace, container or uCPE. |
| F25 | High availability design | Yes | Dual appliances, dual circuits, dual power, HA clustering and gateway redundancy. |
| F26 | SLA-backed service fabric | Partner / integrated | SLA for uptime, response, change handling and possibly latency/jitter/loss. |
Security and SASE capability
| # | Capability | Status | Definition |
|---|---|---|---|
| F27 | Integrated next-generation firewall | Yes | Stateful firewall, app control, IPS/IDS, malware inspection and URL filtering. |
| F28 | Full SASE platform | Yes | SD-WAN plus SWG, CASB, ZTNA, FWaaS, DLP, RBI, DNS security and threat prevention. |
| F29 | SSE ecosystem integration | Yes | Interoperation with Zscaler, Netskope, Palo Alto Prisma Access, Cisco Secure Access, Cloudflare etc. |
| F30 | Zero Trust Network Access | Yes | Identity and posture-based access to private applications. |
| F31 | Secure web gateway | Yes | URL filtering, SSL inspection, malware scanning and acceptable-use controls. |
| F32 | CASB capability | Yes | SaaS discovery, sanctioned/unsanctioned app control and SaaS policy enforcement. |
| F33 | Data loss prevention | Yes | Data classification, inspection, blocking, alerting and exception workflow. |
| F34 | Remote user access | Yes | Client or clientless access for remote workers, contractors and mobile users. |
| F35 | SOC/SIEM/SOAR integration | Yes | Syslog, APIs, event export, threat intelligence and workflow integration. |
Operations, assurance and automation
| # | Capability | Status | Definition |
|---|---|---|---|
| F36 | Centralised orchestration | Yes | Templates, intent-based policy, zero-touch provisioning and configuration compliance. |
| F37 | Customer portal and RBAC | Yes | Real-time status, role-based access, reporting, tickets and change requests. |
| F38 | Observability and digital experience monitoring | Yes | App experience, user experience, device health, SaaS telemetry and path analytics. |
| F39 | APIs and automation | Yes | REST APIs, Terraform, webhooks, event streaming and ITSM integration. |
| F40 | Managed service assurance | Partner / integrated | 24/7 NOC/SOC, proactive monitoring, incident ownership, RCA, service reviews and change governance. |
Commercial
Cost model and pricing visibility
Public pricing visibility
Quote-based. No complete public enterprise price was found in reviewed sources.
Cost model
Quote-based subscriptions; appliance/ION and Prisma Access/SASE licensing typically priced by users, bandwidth, locations and term.
Evidence
Primary sources
Every capability grade traces back to one of these sources. Reviewed 2026-05-22.
Verification notes
Capability matrix sourced from Netify internal vendor research (May 2026). Status grades reflect public source evidence only. Confirm via RFP. Qualitative fields (differentiators, best fit, watch-outs) are Netify editorial synthesis based on the evidence summary and capability profile; review before publishing. Extended dimensions (regions, clouds, AI, resilience, deployment speed, sectors, organisation fit, identity, platforms, support, logging) are indicative desk research grades from June 2026; confirm via RFP.