SD-WAN + NGFW: why the gap between network and security costs dearly

Integration of SD-WAN and NGFW has long been the norm among Western vendors, but in Russia, network and information security teams still often operate in different consoles. Let’s examine how costly this gap is, what their integration offers, and how we implemented SD-WAN with SLA routing in Ideco NGFW 22 Novum.

Two teams, one network, zero coordination

In a typical Russian company with a branch network, the network team is responsible for routing and communication channels, while the cybersecurity team handles the firewall, IPS, and access policies. The tools are different, the consoles are different, and the priorities are different.

On paper, this seems like a reasonable division of responsibility. In practice, it resembles a gap that incurs significant costs for solutions and time for administration.

Here’s how this manifests:

  • Network incident. Security professionals notice suspicious activity on an endpoint but do not know which channel the traffic exited through. Network engineers observe abnormal patterns but cannot determine whether it is an attack or legitimate traffic. While both teams align their understanding through tickets and calls, the attacker has already established a foothold in the infrastructure.

  • New branch. The network team sets up VPN tunnels and configures routing. The cybersecurity team separately applies policies on the firewall. Configurations become desynchronized, creating “gaps” between what is allowed at the network level and what is controlled at the security level.

  • Channel degradation. The primary provider has degraded, and traffic switched to a backup. However, the NGFW policies are configured for a topology with the primary channel (the security team may not have been informed about the connection of additional channels)—some traffic either bypasses inspection or is mistakenly blocked.

Operational losses between network and cybersecurity teams are responsible for 20-25% of the incident cost—due to detection delays, slow responses, and incomplete localization (according to IBM Cost of a Data Breach Report 2024).

Organizations with established interaction between network and cybersecurity teams detect incidents 40% faster and localize them 60% faster than companies with isolated teams.

The conclusion is simple: the separation of network management and security is not an optimal solution based on areas of responsibility, but an architectural debt.

What the SD-WAN + NGFW bundle changes

SD-WAN (Software-Defined Wide Area Network) is a software-defined layer over WAN that manages communication channels based on policies: application, user, branch, SLA parameters. Unlike a classic site-to-site VPN, where an administrator manually specifies routes and monitors the status of channels, SD-WAN automatically selects the optimal path and switches traffic in case of degradation.

When SD-WAN operates within NGFW, rather than as a separate box, everything is fundamentally easier from an operational perspective. Especially under current conditions of problematic network connectivity and internet stability in regions of Russia.

Unified policy for network and security

Instead of two consoles - one. The routing rule and the firewall rule exist in one context. If traffic switches to a backup channel, security policies are applied to it automatically - without manual adjustments and without "blind spots".

Traffic visibility without "blind spots"

The integrated solution knows not only "where the packet is going" (SD-WAN), but also "what is inside it" (DPI/IPS) and "who sent it" (user identification). For the cybersecurity team, this means a complete picture: from route selection to session content. All sessions are logged in one place and sent to SIEM without the need for additional correlation.

Reduction of TCO

A separate SD-WAN controller, a separate NGFW, a separate monitoring system - these are three licenses, three platforms for updates, and three points of failure. Integration reduces the number of devices and simplifies operation. According to Anti-Malware.ru, combining NGFW and SD-WAN reduces the total cost of ownership by cutting down on hardware and simplifying procurement.

How this is organized by Western vendors

Integrating SD-WAN into NGFW is already the standard for global leaders, but it remains "unique" for the domestic market. According to Gartner, by 2027, almost two-thirds of new SD-WAN purchases will be part of a single SASE solution from one vendor - three times more than today.

Fortinet has embedded SD-WAN directly into the FortiGate NGFW based on FortiOS. Routing, encryption, and inspection are performed on a single device with hardware acceleration through specialized processors (SPU). All FortiGate models support SD-WAN and routing without additional licenses (Fortinet).

Palo Alto Networks has taken the path of integrating Prisma SD-WAN with the PA series of hardware NGFWs. This solution eliminates the problem of disparate devices for security and SD-WAN by unifying policies into a single controller (Palo Alto Networks).

Russian context: a large gap with high demand

The situation in Russia is paradoxical. The demand for SD-WAN is growing: according to ICL Services, 25% of Russian companies are already using the technology and do not plan to abandon it, with another 15% intending to implement it within the year. The main reason for implementation is the increase in security levels (46% of companies).

However, most Russian NGFWs still focus on performance and filtering. As noted by Anti-Malware.ru, when choosing an NGFW, the main attention is paid to reliability and performance, while integration with SD-WAN remains peripheral (as a "second-tier" task). The Russian SD-WAN market is represented by two groups:

  • Specialized SD-WAN platforms (Kaspersky SD-WAN, “BULAT,” etc.) - require a separate NGFW/cryptographic protection system to ensure security.

  • NGFWs with elements of SD-WAN - usually limited to basic channel balancing without SLA management.

As a result, the customer is faced with a choice: either a “zoo” of an SD-WAN controller and a separate firewall, or an NGFW with primitive WAN balancing without real SD-WAN.

Zero-touch provisioning: branches without business trips

For distributed companies, the speed of connecting new sites is a critical factor. In the classic scheme, connecting one branch looks like this:

  1. Ordering a channel from the provider - up to 2 weeks.

  2. A business trip for a network engineer to configure the equipment.

  3. Manual configuration of VPN tunnels and routing.

  4. Separate configuration of security policies by the information security team.

  5. Testing and commissioning.

Total: from 3 to 6 weeks for one location. Every day of downtime means direct financial losses.

SD-WAN with Zero-touch provisioning (ZTP) radically changes the approach. The CPE device (Customer Premises Equipment) arrives at the branch, and an on-site employee connects the power and internet cable. Everything else—tunnel configuration, routing, security policies—is applied automatically from the central console.

A real example: a retail company transitioned 1600 stores to SD-WAN. At the project start, they planned to transition 4 stores per night, but thanks to ZTP, the speed increased to 15-20 stores per night. The company completely abandoned expensive MPLS channels, increased WAN capacity by 26 times, and saved $20 million over three years (New-Retail.ru).

Scenario 1: retail with 50+ sales points

Typical situation: a network of stores, each with POS terminals, loyalty systems, guest Wi-Fi, and video surveillance. Communication channels range from fiber optics in shopping centers to LTE in individual locations.

Problems without SD-WAN + NGFW:

  • Different providers in different locations, configurations diverge.

  • One typo in routing—bank transactions at the registers fail.

  • Security is inconsistent: some places have a firewall, others only NAT.

  • When the channel degrades, registers "crawl," and terminals freeze.

What SD-WAN + NGFW provides:

  • Unified security policies for all locations from a central console. No need to configure each store separately.

  • Traffic prioritization: POS transactions and processing go through the channel with minimal latency (at the current moment!), guest Wi-Fi uses the "cheaper" internet channel.

  • Automatic failover: if the primary channel degrades, critical traffic instantly switches to the LTE backup. Registers do not stop.

  • Segmentation: IoT cameras are isolated from payment traffic, guest Wi-Fi is in a separate segment. Compromising one segment does not affect others.

The Circle K gas station network began using LTE modems as backup channels after implementing SD-WAN and significantly reduced downtime during payment processing (New-Retail.ru).

Scenario 2: distributed manufacturing

The factory has several sites, warehouses, and remote facilities. At the sites - SCADA systems, IoT sensors, ERP traffic between sites, video conferences between engineers.

Problems without SD-WAN + NGFW:

  • MPLS channels are expensive and inflexible. Adding a new site involves lengthy agreements with the operator.

  • IoT traffic from sensors and SCADA goes through the same channels as video conferences. There is no prioritization.

  • The security of the OT segment (operational technologies) is provided "as best as possible" - separate firewalls at the sites are not synchronized with the central policy.

What the combination of SD-WAN + NGFW provides:

  • Hybrid WAN: MPLS for critical ERP and SCADA, LTE for everything else.

  • Segmentation of OT and IT: IoT sensors in a separate segment, corporate network - in its own. NGFW policies apply to both, but isolation rules prevent "horizontal" spread of threats.

  • SLA routing: ERP traffic between sites travels only over channels with latency below a threshold value. If the channel degrades - automatic switching.

  • Centralized management: one console for all sites. Policy changes are applied to all nodes simultaneously.

SD-WAN in Ideco NGFW Novum 22: what's inside

Ideco NGFW was initially built as an NGFW with an advanced network stack: WAN balancing, dynamic routing (BGP, OSPF), PBR, IPSec with VTI and GRE over IPSec. This is a fundamental difference from many Russian NGFW solutions, which are primarily focused on traffic filtering rather than creating complex distributed networks.

In version 22 Novum (release on April 30, 2026, with the full-featured version available today), we added a full-fledged SD-WAN module that turns the NGFW into a platform of NGFW + SD-WAN class.

SLA routing

The key feature is traffic routing based on SLA profiles. The administrator sets threshold values for three parameters:

  • Delay (latency)

  • Jitter (jitter)

  • Packet loss (packet loss)

The logic works on an OR principle: if at least one parameter is exceeded, the channel is considered non-compliant with SLA. Traffic is automatically switched to a backup path.

Next Hops and Groups

Named Next Hops are created - outgoing interfaces or gateways tied to specific channels. Next Hops are grouped into two modes:

  • Failover - traffic goes through the primary Next Hop, and if it does not meet the SLA, it switches to the next highest priority.

  • Load Balancing - traffic is distributed among Next Hops with stable session binding.

Monitoring via ping and BFD

SLA profiles are checked by periodic ping requests to specified IP addresses. To quickly detect outages, BFD (Bidirectional Forwarding Detection) is supported - a protocol that detects loss of connectivity in milliseconds, rather than tens of seconds, like ping.

Settings include: check interval, unavailability threshold (the number of consecutive failures to switch), availability threshold (the number of successful checks to revert), and minimum uptime.

Integration with Routing

SLA groups of Next Hops are used in:

  • Static Routing - the gateway can be not only an IP address but also a group of Next Hops with an SLA profile.

  • PBR (Policy-Based Routing) - routing based on source, destination, and ports through SLA groups.

  • BGP - IPSec tunnels are selected as Next Hops, allowing the construction of overlay networks with BGP over encrypted channels.

Switching Log

Each channel switch is recorded in a log: when it occurred, which SLA parameter was involved, where the traffic switched from and to. This is important for auditing: it allows for a substantiated explanation of why at a specific moment traffic took an alternative route.

Autonomy of the Solution

An important architectural principle: each NGFW makes decisions about switching channels independently, without referring to an external controller. This ensures operability even in the event of a loss of connection to the control center.

Comparison of Approaches

Criterion

Site-to-site VPN

NGFW without SD-WAN

Ideco NGFW 22 + SD-WAN

WAN channel management

Manual route configuration

Basic load balancing/failover

Next Hops groups, SLA profiles, adaptive routes

Quality monitoring

Only up/down

Simple availability check

SLA for latency/jitter/loss, ping + BFD

VPN and routing integration

Static

Limited dynamic

BGP/OSPF over VTI and GRE-IPSec, PBR

Security

Separate firewall

NGFW without WAN control

Unified policies NGFW + SD-WAN

Switching on degradation

Manual or coarse failover

Interface availability check

Automatic by SLA profile with logging

What's next: SD-WAN roadmap in Ideco

SD-WAN in Ideco NGFW is not a one-time addition of functionality, but a strategic direction for development. Here’s what is planned for 2026:

When

What will appear

August 2026

QoS - traffic prioritization by classes and priorities; BFD for BGP; templating of network interfaces, routing, and SD-WAN in Ideco Center (foundation for ZTP)

December 2026

Centralized management of IPSec tunnels via certificates through Ideco Center (automatic tunnel setup when adding a branch); template inheritance; policy templates

Templating in Ideco Center is a step towards full Zero-touch provisioning for branch networks. The administrator creates a template with interface settings, routing, and SD-WAN profiles, and the new node receives the configuration automatically upon first connection.

Conclusion

The gap between network management and security is an architectural debt that everyone pays for: network engineers with night shifts, security teams with blind spots, and businesses with downtimes and incidents.

SD-WAN + NGFW on a single platform closes this gap. One PAC, one console, one policy, and automatic switching by SLA means fewer errors, faster response, and lower total cost of ownership.

Ideco NGFW Novum 22 with SD-WAN is not a marketing checkbox for comparing NGFWs, but a real working tool for creating and maintaining complex distributed networks. By the end of 2026, it will also include QoS, templating, and centralized tunnel management – a powerful SD-WAN solution enhanced with security features.

If you manage a distributed network and are tired of being torn between routing and security - test Ideco NGFW and see how SD-WAN works inside the firewall, not next to it. We would appreciate your feedback and will work together to make the solution even better.

Comments

    Also read