BT offers SD-WAN through five vendor platforms: Fortinet, Cisco Meraki, Cisco vManage (Catalyst SD-WAN), VMware VeloCloud and Palo Alto Prisma. Each vendor takes a different approach to security, management and network architecture. The platform you select affects hardware at the branch, the management portal your team uses day-to-day, which security features are built in versus bolted on, and how the solution integrates with cloud and SASE services. This page provides a detailed technical comparison to help you evaluate each option.
Use our pricing calculator to build a quote based on your vendor, circuit and licence requirements.
Open the BT SD-WAN Pricing Calculator →
Vendor Platforms Available Through BT
| Vendor | Platform | Security Approach | Best For |
|---|---|---|---|
| Fortinet | FortiGate (FortiOS) | Built-in NGFW, IPS, antivirus, web filtering, sandboxing | Organisations needing integrated security at the branch |
| Cisco Meraki | MX Series (Meraki Dashboard) | Cloud-managed firewall, content filtering, AMP | Multi-site deployments needing simple cloud management |
| Cisco vManage | Catalyst SD-WAN (vManage controller) | Separate security stack; integrates with Umbrella and Snort IPS | Large enterprises with existing Cisco routing infrastructure |
| VMware | VeloCloud SD-WAN | Service chaining to third-party firewalls | Organisations prioritising application performance and WAN optimisation |
| Palo Alto | Prisma SD-WAN (CloudGenix) | Integrated with Prisma Access SASE platform | Zero-trust and SASE-first network strategies |
Management and Orchestration
Each vendor uses a different management platform. This determines how your team (or BT’s managed service team) configures policies, monitors traffic and troubleshoots issues.
| Vendor | Management Portal | Deployment | Co-Managed Access |
|---|---|---|---|
| Fortinet | FortiManager + FortiAnalyzer | On-prem or cloud-hosted | Yes (read-write with role-based access) |
| Cisco Meraki | Meraki Cloud Dashboard | Cloud-only (SaaS) | Yes (org-level admin accounts) |
| Cisco vManage | vManage Controller | On-prem or Cisco-hosted | Yes (template-based access) |
| VMware | VeloCloud Orchestrator (VCO) | Cloud-hosted | Yes (partner/customer portal split) |
| Palo Alto | Prisma SD-WAN Portal | Cloud-hosted | Yes (role-based) |
Feature Comparison
| Feature | Fortinet | Meraki | Cisco vManage | VMware | Palo Alto |
|---|---|---|---|---|---|
| Built-in NGFW | Yes | Yes (basic) | No (service chain) | No (service chain) | Yes (via Prisma) |
| IPS / IDS | Yes (FortiGuard) | Yes (Snort-based) | Yes (Snort) | No | Yes |
| Sandboxing | Yes (FortiSandbox) | No | No | No | Yes (WildFire) |
| SSL/TLS Inspection | Yes | Limited | Via Umbrella | No | Yes |
| Zero-touch Provisioning | Yes | Yes | Yes | Yes | Yes |
| Application-aware Routing | Yes | Yes | Yes | Yes (strong) | Yes |
| WAN Optimisation | Basic | No | Yes (AppQoE) | Yes (built-in) | Basic |
| SASE Integration | FortiSASE | Cisco+ Secure Connect | Umbrella / Secure Connect | VMware SASE | Prisma Access |
| Licence Model | Tiered (Standard / Advanced) | Tiered (Enterprise / Advanced / Plus) | DNA licence tiers | Per-edge bandwidth tiers | Per-site subscription |
Hardware at the Branch
BT supplies the SD-WAN appliance as part of the managed service. Hardware is included in the monthly cost and replaced under SLA if it fails. The appliance model depends on the number of users and throughput required at each site.
| Vendor | Small Branch (up to 50 users) | Medium Branch (50-200 users) | Large Branch / HQ (200+ users) |
|---|---|---|---|
| Fortinet | FortiGate 40F / 60F | FortiGate 100F / 200F | FortiGate 600F+ |
| Cisco Meraki | MX67 / MX68 | MX85 / MX105 | MX250 / MX450 |
| Cisco vManage | C1111 / C1117 | C1121 / C1131 | C8300 / ASR1001-X |
| VMware | Edge 510 / 520 | Edge 540 / 620 | Edge 640 / 840 |
| Palo Alto | ION 1200 | ION 2000 | ION 3200 / 9000 |
SASE and Cloud Integration
If your organisation is moving towards a Secure Access Service Edge (SASE) architecture then vendor selection matters. Each platform connects to its own SASE ecosystem differently.
- Fortinet uses FortiSASE which bundles ZTNA, SWG and CASB. FortiGate appliances connect natively to FortiSASE points of presence.
- Meraki integrates with Cisco+ Secure Connect for DNS-layer security and SWG. The Secure SD-WAN Plus licence tier is required.
- Cisco vManage routes traffic to Cisco Umbrella for cloud security. Deeper integration available through Cisco Secure Connect.
- VMware VeloCloud connects to VMware SASE (now Broadcom) for cloud-delivered security. Third-party firewall service chaining is also supported.
- Palo Alto Prisma SD-WAN has the tightest SASE integration since Prisma Access and Prisma SD-WAN are part of the same platform. Policy is unified across branch and remote users.
Contract and Commercial Considerations
- BT contracts for SD-WAN typically run 36 or 60 months. Hardware is included in the monthly managed service fee.
- Switching vendor mid-contract requires a hardware swap at every site. This is disruptive and usually only done at renewal.
- Fortinet and Meraki are the most commonly deployed through BT. These have the most mature support processes within BT’s managed service operations.
- Cisco vManage and Palo Alto are available but may have longer lead times for provisioning and fewer BT engineers with deep platform expertise.
- VMware VeloCloud availability through BT may be affected by the Broadcom acquisition. Check current status at the time of ordering.
Choosing the Right Vendor
- Choose Fortinet if you want the strongest built-in security at the branch with NGFW, IPS, antivirus and sandboxing in one appliance. Good for organisations that want to consolidate branch security and SD-WAN into a single device.
- Choose Meraki if simplicity of management is the priority. The Meraki Dashboard is the easiest to use but offers less granular control. Suits organisations with many small sites and limited network engineering resource.
- Choose Cisco vManage if you already run Cisco ISR/ASR routers and want to keep the same hardware family. Suits large enterprises with Cisco-trained network teams.
- Choose VMware VeloCloud if application performance and WAN optimisation matter more than built-in security. You will need a separate firewall or cloud security service at each site.
- Choose Palo Alto if you are building a SASE-first architecture and want unified policy across SD-WAN and remote access. Best for organisations already using Palo Alto firewalls or Prisma Access.
Vendor Market Position and BT Deployment Volume
Fortinet and Cisco Meraki account for the majority of BT SD-WAN deployments in the UK. Both vendors have large install bases within BT’s managed service operations and benefit from established provisioning workflows, trained engineering teams and proven support processes. Cisco vManage (Catalyst SD-WAN) is available but tends to be selected by larger enterprises with existing Cisco routing estates. VMware VeloCloud and Palo Alto Prisma SD-WAN are niche options through BT with smaller deployment volumes. This does not mean they are inferior products but it does mean lead times may be longer and fewer BT engineers will have hands-on experience with the platform.
Switching Vendor After Deployment
Changing SD-WAN vendor after deployment is a significant undertaking. It requires replacing hardware at every site, rebuilding all policies and templates on the new platform, and retraining operations staff. In practice most organisations only consider a vendor switch at contract renewal (typically after 36 or 60 months). If you are unsure which vendor to choose then starting with Fortinet or Meraki carries the lowest risk due to their maturity within BT’s managed service.
