What Security Features Does BT SD-WAN Have to Offer?
We've compared the Security Capabilities of each BT SD-WAN vendor
Whilst all BT SD-WAN implementations offer core security services, some vendors are more security focused than others. For example, Fortinet and Palo Alto are arguably the most security-driven, closely followed by Versa Networks, however in this article Netify have gone through every vendor and their individual security features.
In this guide we'll explore how Fortinet, Cisco (Catalyst and Meraki), Arista VeloCloud, Palo Alto Networks, Nokia Nuage and Versa Networks implement security alongside BT's managed service.
Build your SD-WAN RFP in minutes with AI assistance, invite 30+ curated vendors, receive structured responses aligned to each requirement, request connectivity pricing across every site, and message vendors directly - all inside Netify.
It's worth noting that, regardless of the underlying SD-WAN vendor that BT partners with, all platforms within BT's portfolio provide essential security features - including the likes of firewalls, intrusion prevention, web filtering, malware protection and IPsec VPN encryption. However, as to be expected with so many vendors, their implementation approaches and strengths vary considerably.
Regardless of the differences outside of core functionality, one of the key benefits of leveraging BT's managed services is that BT themselves also offer their Security Operations Centres (SOCs) which provide 24/7 monitoring across all platforms, with standardised incident response procedures adapted to each vendor's specific telemetry and alerting mechanisms. Forming part of BT's wider managed service offerings, their universal security features include unified threat intelligence correlation, where security events from all vendor platforms feed into BT's centralised security analytics platform to ensure that all platforms are equally serviced against new threats, enabling cross-vendor threat detection and coordinated response that individual vendor deployments cannot achieve.
Fortinet's approach centres on purpose-built security processors that maintain network performance even under heavy inspection loads. Their next-generation firewalls sit directly on edge devices, controlling traffic based on what applications are actually doing rather than just looking at ports and protocols.
Security intelligence draws from both FortiGuard Labs and BT's own research teams, with BT managing when updates get rolled out to balance staying current against maintaining network stability. The intrusion prevention system works through both signature-based detection and behavioural analysis, whilst BT's Security Operations Centre pulls in telemetry from across your sites to spot coordinated attacks targeting multiple locations.
Web content filtering works against a database covering billions of domains across 80 categories. SSL/TLS inspection lets you see into encrypted sessions, with BT handling the certificate trust configuration through standardised templates. Integration with BT's Secure Web Gateway provides layered protection - basic threats get filtered at the edge whilst deeper analysis happens in BT's cloud infrastructure.
BT's service includes automated firmware updates during maintenance windows you define, proactive capacity monitoring, and direct escalation to Fortinet's technical account managers through BT's vendor relationship. Performance baselines get established during deployment, with BT's NOC watching for changes that might indicate security issues or configuration problems.
Cisco Catalyst SD-WAN
Key Strengths:
Enterprise routing capabilities, cloud integration, comprehensive remote access, established ecosystem, mature BT-Cisco partnership with dedicated support channels.
Cisco's enterprise-focused platform (formerly Viptela) implements Zero Trust security principles, which means continuous verification regardless of where users are connecting from. The architecture provides end-to-end segmentation from branches through to data centres and clouds, preventing threats from moving laterally across isolated virtual networks.
Application-aware firewall capabilities inspect traffic across multiple layers, with policies supporting controls based on users, applications, timing and security posture. Integration with Cisco Talos provides continuous threat intelligence updates, managed by BT to ensure policy consistency across multi-site deployments. Zone-based firewall capabilities simplify policy management for complex network layouts, with BT's network architects providing design patterns proven across their customer base.
Cloud OnRamp capabilities automate secure connectivity to AWS, Azure and Google Cloud, with service chaining letting traffic flow through cloud-based security services or BT's regional security gateways. The platform supports integration with third-party SASE providers including Zscaler and Palo Alto Prisma Access, with BT managing the configurations and monitoring service health across vendors.
Remote access through AnyConnect VPN includes split tunnelling, certificate-based authentication and posture assessment checking device security before granting access. BT manages the AnyConnect profile distribution and certificate lifecycle, integrating with customer identity providers through BT's standard authentication frameworks. Analytics use machine learning to identify unusual patterns, with BT's SOC analysts investigating flagged events and coordinating response with customer security teams.
BT provides customers with access to Cisco's vManage orchestrator through role-based access controls, letting your administrators view configurations and analytics whilst BT maintains control over changes. This balances visibility with operational consistency.
Cisco Meraki SD-WAN
Key Strengths:
Operational simplicity, rapid deployment, intuitive management, suited to distributed organisations with limited IT resources, BT's largest SD-WAN deployment base providing proven operational maturity.
Meraki targets organisations wanting simplified operations through cloud-managed infrastructure. Zero-touch provisioning means branch devices can self-configure within minutes through BT's pre-staging service, removing the need for on-site IT. BT ships pre-configured devices directly to branch locations with automated activation once they're connected. The unified threat management approach bundles firewall, intrusion prevention, content filtering and malware protection into single appliances.
Layer 7 firewall capabilities enable application-specific policies, distinguishing between business and personal versions of cloud services. The integrated IPS engine uses Snort-based detection with automatic signature updates distributed within minutes of publication. BT configures initial sensitivity settings based on your risk profile, with ongoing tuning informed by BT SOC analysis of false positive patterns across your deployment.
AutoVPN automatically establishes IPsec tunnels between sites without manual configuration, supporting both hub-and-spoke and full-mesh topologies. The Meraki cloud handles tunnel establishment and manages encryption parameters, with BT monitoring tunnel health and automatically resolving connectivity issues. BT's service desk provides first-line support for branch connectivity problems, escalating to Meraki specialists when needed.
Application visibility through deep packet inspection enables traffic shaping that allocates bandwidth based on business priority. Meraki Insight provides application performance monitoring, measuring response times and identifying what's causing slowdowns. BT's NOC monitors these metrics continuously, addressing performance issues before they impact customers and providing monthly reporting on application trends and capacity use.
BT's Meraki service includes access to the Meraki dashboard with customised permissions, letting you view topology, monitor alerts and generate reports whilst BT retains configuration control. This ensures consistency across your network whilst providing visibility.
Arista VeloCloud SD-WAN
Key Strengths:
Application performance optimisation, flexible security service integration, cloud service connectivity, backed by Arista's global logistics and AI networking expertise, BT's established operational procedures from extensive VeloCloud deployment experience.
VeloCloud (acquired by Arista Networks in July 2025) emphasises application performance alongside security through its Enhanced Firewall Service, embedding advanced capabilities directly into edge appliances. The platform supports both on-premises security processing and cloud-delivered services, with BT advising on the optimal architecture based on your data residency requirements and security policies.
The stateful firewall provides Layer 2-7 inspection with application awareness, letting you define policies based on application identity. Zone-based capabilities segment networks into trust zones, whilst object groups enable centralised definition of addresses and services referenced across multiple rules. BT maintains a library of pre-defined security zones and object groups aligned to common customer requirements, speeding up deployment and ensuring consistency.
Intrusion prevention includes IP reputation filtering that blocks traffic from known malicious sources, with protocol anomaly detection identifying violations of specifications. Custom signature support lets organisations develop environment-specific detection rules, with BT's security architects helping develop signatures for specialised applications or threats identified through BT SOC analysis.
Integration with cloud security services lets organisations use Zscaler, Palo Alto Prisma Access, Netskope and other security platforms. BT manages the automated tunnel provisioning and traffic steering policies, testing failover scenarios during implementation and conducting periodic validation exercises. BT's multi-vendor expertise ensures optimal configuration regardless of which security stack you've chosen.
Dynamic Multipath Optimisation continuously monitors available paths, steering traffic based on application requirements with sub-second failover. BT provisions diverse connectivity options (MPLS, internet, 4G/5G) optimised for your resilience requirements, with the VeloCloud orchestrator automatically selecting optimal paths. Whilst primarily a performance feature, this provides security benefits by reducing reliance on single network paths, which BT's SOC monitors for potential targeted attacks.
BT provides customers with view-only access to the VeloCloud Orchestrator, with full configuration management performed by BT's certified VeloCloud engineers. Monthly service reviews include VeloCloud-specific performance analytics and capacity planning recommendations.
Palo Alto implements a security-first approach, positioning SD-WAN as the connectivity foundation for their unified SASE platform. Zero Trust principles require explicit verification for all access requests, with identity-based controls and continuous posture assessment managed through BT's integration frameworks.
Next-generation firewall capabilities provide application-aware inspection with user and group-based policies using Active Directory or SAML identity providers. BT integrates Prisma SD-WAN with customer identity systems, managing the ongoing synchronisation and troubleshooting authentication issues. Advanced threat prevention uses inline machine learning to analyse files and traffic patterns in real-time, identifying malicious characteristics without needing known signatures.
WildFire cloud-based sandboxing executes unknown files in isolated environments, observing behaviours including process creation and network communications. BT's SOC monitors WildFire verdicts, investigating high-severity detections and coordinating containment with customer security teams. DNS security protects against threats delivered through DNS, blocking resolution of malicious domains before connections establish, with BT providing regular reporting on blocked threats and trending attack vectors.
IoT security capabilities distinguish Palo Alto's offering. The platform identifies IoT devices through passive fingerprinting and protocol analysis, building comprehensive inventories without needing agents. BT conducts initial IoT discovery during deployment, working with you to classify devices and establish appropriate segmentation policies. Behavioural analysis establishes baselines for normal device behaviour, triggering alerts on deviations that might indicate compromise. BT's SOC investigates IoT anomalies, particularly important for retail, manufacturing and healthcare customers with large IoT deployments.
Autonomous Digital Experience Management provides AI-powered monitoring across branch edges, cloud POPs and remote devices. Synthetic monitoring validates application accessibility, whilst real user monitoring measures actual performance. Root cause analysis pinpoints specific causes of issues rather than just alerting on symptoms. BT's NOC uses this telemetry for proactive incident management, often resolving issues before you notice any impact.
BT provides managed Prisma Access cloud security services as an integrated offering with Prisma SD-WAN, delivering comprehensive SASE capabilities with single-vendor simplicity and unified BT support. This bundled approach simplifies procurement and removes integration complexity.
Nokia Nuage Networks (Agile Connect)
Key Strengths:
End-to-end governance, segmentation capabilities, automation, flexible third-party integration, deepest BT integration with unified provisioning and support, preferred solution for customers requiring extensive BT network services.
Nokia's SD-WAN 2.0 architecture extends security governance beyond branches to cover data centres, public clouds and SaaS providers. BT's Agile Connect service is built on the Nuage platform, representing BT's deepest integration of any SD-WAN vendor into BT's network infrastructure. Policy-driven automation means security rules follow workloads rather than being tied to specific locations, supporting dynamic cloud environments.
Embedded security capabilities including next-generation firewall, threat prevention and intrusion prevention operate natively within the platform rather than needing separate appliances. Micro-segmentation provides isolation at multiple levels from broad network segmentation through to application-level separation, with BT's security architects designing segmentation strategies aligned to your data classification and compliance requirements.
Policy-driven segmentation automatically assigns traffic to appropriate segments based on user identity, application type or destination. Intent-based overlay creation lets administrators define desired outcomes rather than configuring technical parameters, with the system automatically translating high-level requirements into specific configurations. BT manages this translation, ensuring consistent policy implementation across your network and conducting quarterly policy reviews to identify optimisation opportunities.
Integration with third-party security providers including Fortinet, Check Point and Zscaler lets organisations use best-of-breed services whilst maintaining Nuage for connectivity. BT's multi-vendor capability ensures seamless service chaining, with standardised integration patterns developed from extensive deployment experience. Service chaining supports defence-in-depth strategies with traffic moving through multiple security layers, all orchestrated through BT's management plane.
Mobile device integration through Asavie enables smartphones and tablets to connect securely without traditional VPN clients, with centralised policy management extending to mobile and IoT devices. BT provisions Asavie connectivity as part of the Agile Connect service, managing the SIM lifecycle for customers requiring mobile connectivity.
Agile Connect customers benefit from direct integration with BT's global MPLS network, regional internet breakouts and cloud on-ramps, all provisioned through BT's unified portal. This deep integration provides performance and troubleshooting advantages unavailable with overlay-only vendor solutions.
Versa Networks Secure SD-WAN
Key Strengths:
Comprehensive integrated security, DLP and CASB capabilities, multi-tenancy support, NFV flexibility, strong fit for BT's service provider and large enterprise customers requiring extensive security functionality.
Versa integrates networking and security from the ground up rather than layering security on top of networking infrastructure. The single software stack delivers security functionality spanning firewall, unified threat management, secure web gateway and advanced threat protection, removing the need for multiple appliances. BT manages the Versa software lifecycle, conducting controlled upgrades during maintenance windows and maintaining rollback capabilities.
Next-generation firewall provides application identification recognising thousands of applications with user and group integration using Active Directory or SAML providers. BT integrates Versa with customer identity systems using proven integration templates. The platform supports multiple policy models including zone-based, address-based and application-based approaches, letting organisations select models aligning with their security philosophy. BT's security architects guide policy model selection based on your requirements and operational capabilities.
Advanced Threat Protection uses AI and machine learning, with local file analytics examining characteristics at the network edge. Cloud-based sandboxing executes unknown files in isolated environments, whilst threat intelligence integration incorporates commercial and open-source feeds. BT curates threat intelligence sources, supplementing Versa's native feeds with BT SOC intelligence derived from cross-customer analysis. Behavioural analytics establish baselines for normal behaviour, flagging deviations suggesting compromise, with BT SOC analysts investigating anomalies.
Secure Web Gateway capabilities include URL filtering against comprehensive category databases, SSL/TLS inspection and content inspection examining web pages and downloads for threats. BT manages SSL inspection certificates through its PKI services. Data Loss Prevention inspects traffic for sensitive data patterns with document fingerprinting detecting files even when modified. CASB capabilities extend DLP to sanctioned and unsanctioned cloud applications. BT configures DLP policies based on your data classification frameworks and regulatory requirements, with quarterly policy effectiveness reviews.
Multi-cloud connectivity provides native integration with AWS, Azure, Google Cloud and Oracle Cloud with automated provisioning and consistent policy enforcement. BT manages cloud interconnections through its Cloud Connect services, providing optimised routing and integrated billing. NFV-based architecture enables flexible deployment of services through software-defined service chaining, with BT hosting Versa virtual appliances in its data centres for customers requiring centralised security processing.
Versa's multi-tenancy capabilities make it BT's preferred platform for managed service provider customers requiring isolated customer environments with delegated administration. BT operates Versa in both single-tenant and multi-tenant modes depending on customer requirements.
Management and Operations
For businesses most interested in cloud-managed solutions and zero-touch provisioning, we'd recommend either Meraki or VeloCloud, whilst Cisco Catalyst, Palo Alto and Versa offer significantly more granular control suited to enterprises with more complex requirements.
However, one of the major advantages of working with BT is that their managed service delivery minimises these vendor differences considerably. Regardless of which vendor's platform is leveraged, BT provides consistent operational support with standardised service levels across the board. Whilst we've already mentioned how their SOCs provide unified threat intelligence, BT also provides customers with their service portal providing cross-vendor capabilities - covering everything from ticket management and change requests through to reporting. On top of that, BT offer monthly service reviews, making it easier to assess performance consistently across vendors, and BT will recommend platform migrations when your requirements grow beyond what your current vendor can reasonably deliver - which includes security features.
💡
Across all BT SD-WAN services, proactive monitoring/patching, service reviews, annual health checks and access to BT's security advisory services are included as standard.
Selection Considerations
With so many vendors available through BT's SD-WAN portfolio, selecting the right platform depends on understanding where each vendor's strengths align with your organisation's specific requirements.
Fortinet is particularly well-suited to organisations prioritising security inspection performance and threat intelligence integration, especially those with existing Fortinet deployments where BT can provide unified management across your infrastructure.
Cisco Catalyst SD-WAN fits complex global networks requiring advanced routing capabilities alongside security and cloud integration - ideal for customers leveraging BT's global MPLS network and requiring sophisticated traffic engineering.
For organisations that want more basic security capabilities but are looking for operational simplicity and quicker deployment across distributed sites with limited IT resources, Cisco Meraki arguably represents BT's easiest deployment option, with typical site activation in under 30 minutes.
Arista VeloCloud balances application performance optimisation with embedded security, making it suitable for organisations prioritising user experience and benefiting from Arista's AI networking capabilities - particularly well-suited to customers with voice and video applications requiring dynamic path optimisation.
Further Reading: Comparing Cisco Catalyst and Cisco Meraki
Palo Alto Prisma SD-WAN serves organisations requiring advanced threat prevention, IoT security and SASE integrations with zero trust architecture. It's optimal for customers seeking BT's managed SASE bundle combining Prisma SD-WAN with Prisma Access.
Nokia Nuage (Agile Connect) supports organisations needing end-to-end governance across hybrid environments with segmentation and automation.
Versa Networks provides more integrated security with DLP and CASB capabilities, making it appropriate for service provider deployments and enterprises requiring extensive security functionality - particularly suitable for customers in regulated industries requiring on-premises data inspection.
As an Authorised Parter of BT, Netify are well-positioned to provide you with the relevant insights and assistance when it comes to choosing a BT SD-WAN vendor.
Build your SD-WAN RFP in minutes with AI assistance, invite 30+ curated vendors, receive structured responses aligned to each requirement, request connectivity pricing across every site, and message vendors directly - all inside Netify.
Robert Sturt
Robert Sturt