BT SD-WAN licence tiers control which security and networking features are active on each appliance. The tier you select affects what the device can do at the branch: basic SD-WAN overlay and routing at the lower tiers through to full NGFW, IPS, sandboxing and SASE integration at the higher tiers. Fortinet and Cisco Meraki are the two most commonly deployed vendors through BT and each uses a different tier structure. Selecting the wrong tier means either paying for features you do not use or lacking security capabilities you actually need.
Use our pricing calculator to compare licence tier costs for Fortinet and Meraki.
Open the BT SD-WAN Pricing Calculator →
Fortinet Licence Tiers
Fortinet uses two main licence tiers for its FortiGate SD-WAN appliances. Both tiers include SD-WAN overlay functionality. The difference is in the security services bundled with the licence.
| Feature | Standard | Advanced |
|---|---|---|
| SD-WAN overlay and path selection | Yes | Yes |
| NGFW (stateful firewall) | Yes | Yes |
| Application control | Basic | Full (FortiGuard database) |
| IPS (Intrusion Prevention System) | No | Yes |
| Antivirus | No | Yes (FortiGuard AV) |
| Web filtering | No | Yes (URL and category-based) |
| DNS filtering | No | Yes |
| Sandboxing | No | Yes (FortiSandbox Cloud) |
| SSL/TLS inspection | No | Yes |
| Anti-spam | No | Yes |
| FortiGuard threat intelligence feeds | No | Yes |
What Fortinet Standard Includes
Standard tier provides the SD-WAN fabric (overlay tunnels, path selection, application-aware routing) plus a basic stateful firewall. It does not include any of the FortiGuard security subscription services. This tier is appropriate when the FortiGate is being used purely for SD-WAN connectivity and a separate security solution handles threat prevention. Typical scenarios include sites with an existing Zscaler, Cloudflare or Palo Alto cloud security deployment.
What Fortinet Advanced Adds
Advanced tier adds the full FortiGuard security bundle: IPS, antivirus, web filtering, DNS filtering, sandboxing and SSL inspection. This turns the FortiGate into a Unified Threat Management (UTM) device that handles both SD-WAN and branch security in one box. This is the right choice when the SD-WAN appliance will be the primary (or only) security device at the branch.
Meraki Licence Tiers
Cisco Meraki uses three licence tiers for its MX series SD-WAN appliances. All Meraki licences are per-device and cloud-managed through the Meraki Dashboard.
| Feature | Enterprise | Advanced Security | Secure SD-WAN Plus |
|---|---|---|---|
| SD-WAN and path selection | Yes | Yes | Yes |
| Stateful firewall | Yes | Yes | Yes |
| Content filtering | Yes | Yes | Yes |
| Site-to-site VPN | Yes | Yes | Yes |
| Client VPN | Yes | Yes | Yes |
| AMP (Advanced Malware Protection) | No | Yes | Yes |
| IPS (Intrusion Prevention) | No | Yes (Snort-based) | Yes |
| Cisco Umbrella integration | No | No | Yes |
| Cisco Secure Connect (SASE) | No | No | Yes |
| Cloud-hosted security gateway | No | No | Yes |
When to Use Enterprise Tier
Enterprise is the base Meraki licence. It provides SD-WAN connectivity, site-to-site VPN, basic firewall and content filtering. It does not include any advanced threat protection. Choose this tier if you handle security through a separate cloud security service or centralised firewall and only need Meraki for SD-WAN transport.
When to Use Advanced Security Tier
Advanced Security adds Cisco AMP for malware detection and Snort-based IPS. This is the right tier for organisations that want the Meraki MX to serve as the primary security device at the branch without needing cloud-delivered SASE services.
When to Use Secure SD-WAN Plus Tier
Secure SD-WAN Plus is the top tier and adds Cisco Umbrella DNS-layer security and Cisco Secure Connect (SASE). This tier routes branch internet traffic through Cisco’s cloud security platform for additional protection. Choose this tier if your organisation is adopting a SASE architecture and wants DNS security, SWG and ZTNA capabilities managed through the Meraki dashboard.
Fortinet vs Meraki: Licence Tier Comparison
| Capability | Fortinet Equivalent | Meraki Equivalent |
|---|---|---|
| SD-WAN only (no security) | Standard | Enterprise |
| SD-WAN + full branch security | Advanced | Advanced Security |
| SD-WAN + security + SASE | Advanced + FortiSASE (separate) | Secure SD-WAN Plus |
Cost Considerations
- Higher licence tiers increase the per-site monthly cost. The difference between Fortinet Standard and Advanced is typically 20-40% depending on the appliance model.
- Meraki licences are per-device and billed for the full contract term upfront or rolled into the BT managed service monthly fee.
- You can mix licence tiers across sites within the same SD-WAN deployment. Not every branch needs the highest tier.
- Sites that already have a separate firewall (physical or cloud-based) can use the lower tier and avoid paying for duplicate security features.
- Upgrading the licence tier mid-contract is possible but may require a contract amendment with BT.
- Fortinet Advanced includes all FortiGuard subscriptions in one bundle. There is no option to select individual services (e.g. IPS without web filtering).
Recommendations by Site Type
| Site Type | Recommended Fortinet Tier | Recommended Meraki Tier |
|---|---|---|
| Small branch (under 20 users, low risk) | Standard | Enterprise |
| Medium office (20-100 users) | Advanced | Advanced Security |
| HQ or data centre | Advanced | Advanced Security or Plus |
| Remote/home workers (SASE required) | Advanced + FortiSASE | Secure SD-WAN Plus |
| Site with existing cloud security (Zscaler etc.) | Standard | Enterprise |
How Licence Tiers Affect Throughput
Enabling security features on the SD-WAN appliance reduces the effective throughput of the device. The more features active on the licence the more processing power is consumed. This is particularly relevant for Fortinet appliances where NGFW throughput is significantly lower than raw firewall throughput.
| Fortinet Model | Firewall Throughput (Standard) | NGFW Throughput (Advanced) | Threat Protection Throughput (Advanced) |
|---|---|---|---|
| FortiGate 40F | 5 Gbps | 800 Mbps | 600 Mbps |
| FortiGate 60F | 10 Gbps | 1 Gbps | 700 Mbps |
| FortiGate 100F | 20 Gbps | 1.6 Gbps | 1 Gbps |
| FortiGate 200F | 27 Gbps | 3 Gbps | 2 Gbps |
When running the Advanced licence tier ensure the appliance model is sized for NGFW or Threat Protection throughput rather than raw firewall throughput. An undersized appliance running full UTM features will bottleneck the WAN circuit.
Licence Renewal and Mid-Contract Changes
- Fortinet and Meraki licences are tied to the BT contract term (typically 36 or 60 months). Renewal is handled at contract renewal.
- Upgrading from a lower to higher tier mid-contract is possible but requires a contract amendment with BT. There may be additional charges.
- Downgrading mid-contract is generally not permitted as the lower tier fee is built into the overall commercial model.
- If a Meraki licence expires the device loses cloud management access and eventually stops passing traffic after a grace period. BT’s managed service prevents this by managing licence renewals centrally.
- Fortinet FortiGuard subscriptions within the Advanced tier auto-renew as part of the BT contract. Individual FortiGuard services cannot be added or removed separately.
