SD-RED / local breakout webfiltering / QoS

Hi,

I had this thread https://community.sophos.com/sophos-xg-firewall/f/discussions/126960/sd-red-qos a year ago. Are there any movements here as far as:

- QoS on local breakout

- Web filtering on local breakout 

- QoS in VPN tunnel towards XGS

This is really killing a lot of deals since the competition knows these Sophos weaknesses.

Tnx. 

  • There are basically two answers: A. Use an XGS on the peer end to do security, if needed. B. You could do security (Web etc.) on the Endpoint, if applicable.

    Basically, a Firewall will answer all your requirements easily.
    SD-RED is more likely the scenario for "You will do VPN on the other peer and do not expect such a scenario". If you want to do security on the Peer, use a firewall.

    I highly disagree with converting an SD-RED, with its light-touch format, into a firewall. The box does only VPN. Doing Web security etc. will decrease the performance a lot.

    Talking about Competition, could you name your losses and why they did not move to a firewall? Because it is actually not a weakness; instead it is a different approach to a different use case.

  • Talking about Competition, could you name your losses and why they did not move to a firewall?

    Sophos is behind pure SD-WAN vendors as well as vendors like Fortinet. I hope Sophos will get there. 

    Because it is actually not a weakness; instead it is a different approach to a different use case.

    All I am saying is that with these two functionalities (which don't need a full firewall deployed) Sophos can be ahead of the competition. Or, as you are pointing out for web filtering, Sophos can add a cloud SWG to do this part.

    You could do security (Web etc.) on the Endpoint

    Many companies do not like this. That is the reason why they are moving towards cloud-based SWG like Netskope. Sophos has nothing to compete with these vendors.

    If you want to do security on the Peer, use a firewall.

    Yes, we are using a firewall. However, that adds complexity. For example, if you have an HQ with 2 redundant links and 60 remote offices, how many VPN tunnels do you have to create on the XG in order to have redundant VPN tunnels from branch to HQ?

    Don't get me wrong, SD-RED is great when you need to push a lot of services over a link like 1/1 or 5/5 Mbps, where it is hard to control traffic. And yes, where I work, this is a common scenario and we pay attention to every bit going over these links in order to keep LOB working.
