What Is the Role of a Firewall in SD-WAN Architecture?


The role of a firewall in SD-WAN architecture is to inspect and control network traffic that passes through the SD-WAN fabric according to defined security policies.

It identifies applications, users, and content to enforce segmentation and prevent unauthorized access.

By integrating these functions into the SD-WAN data plane, the firewall ensures secure, consistent traffic handling across branches, data centers, and cloud connections.


The distinct functions of firewalls and SD-WAN

SD-WAN and firewalls both manage traffic. They just do it in different ways.

SD-WAN uses software to decide how data moves across the network.

Diagram labeled 'SD-WAN architecture': six branch offices and a central data center connect to the Internet and cloud services (AWS, Azure, Google Cloud, Dropbox, Salesforce, Workday) over MPLS, cellular, and broadband links.

It builds virtual overlays that sit on top of physical connections—like MPLS, broadband, or LTE—and steers traffic based on application type, performance, or policy. In other words, it controls where data goes and how it gets there.

Diagram titled 'SD-WAN dynamic path selection and traffic steering': a branch office steers traffic either through IPSec tunnels over a private network to headquarters, or through direct internet access (DIA) Ethernet interfaces to Internet/SaaS, using application thresholds, path quality profiles (latency, jitter, packet loss), session load distribution, and traffic distribution profiles applied in top-down priority.

The goal is simple: maintain speed, reliability, and efficiency across every branch and cloud path.

A firewall focuses on what moves through those paths.

It inspects packets at multiple layers, from basic network information to the application itself. It checks identities, matches sessions to policies, and blocks anything that violates rules or appears unsafe. That includes enforcing segmentation so users and systems only access what they should.

Diagram titled 'How firewall rules evaluate traffic': an incoming packet is checked against IP address rules, then port rules, then protocol rules; a match at each step continues to the next, a full match allows the packet and logs the allowed traffic, and no match at any step blocks the packet and logs a security event.

When these functions meet inside one architecture, SD-WAN provides intelligent routing while the firewall enforces security within each path. Together, they create a network that's both optimized and protected—where traffic decisions and security policies operate in sync rather than in isolation.


How firewalls and SD-WAN evolved to overlap

Not long ago, routing and security lived on different planes.

A router decided how to reach a destination. A firewall decided whether that destination was allowed. Both were critical. But both operated in isolation.

In the traditional WAN era, this made sense.

Traffic flowed through centralized data centers. Firewalls sat at the perimeter inspecting every packet that entered or left the network. This model worked when applications and users stayed on-premises. But it couldn't keep up with distributed users, cloud services, and direct internet access.

That shift drove the first stage of convergence.

As organizations adopted SD-WAN, edge devices began handling not just routing but also basic security. Early SD-WAN appliances added simple next-generation firewall capabilities—like stateful inspection and URL filtering—to reduce the need for separate branch firewalls. The goal was to secure new direct-to-internet connections without backhauling traffic to the data center.

Modern architectures take that further.

Today's platforms merge routing and security into one system. The SD-WAN control plane manages path selection and policy distribution, while the data plane runs embedded firewalls that inspect sessions in real time. These firewalls perform deep inspection, segmentation, and threat prevention using on-box or containerized engines.

And now, the boundary is disappearing altogether.

Unified SD-WAN platforms use single-pass inspection and shared management to deliver both networking and security functions seamlessly. At the same time, cloud-delivered services extend those same capabilities through secure access service edge (SASE) and firewall-as-a-service (FWaaS) models.

Ultimately, what began as separate tools has become a unified framework, one that connects users efficiently while enforcing security everywhere they connect.


How does a firewall actually work within SD-WAN?

Firewalls are not just attached to SD-WAN anymore. They're built into it.

To understand how that works, it helps to look at the two planes that define SD-WAN architecture: the control plane and the data plane.

Diagram titled 'SD-WAN control plane and data plane': data plane sites (cloud, DC, campus, branch) connect through edge routers over MPLS, Internet, and 4G/5G transports; smart controllers link these transports to the control plane functions of orchestration, analytics, and automation.

The control plane is where routing and policy decisions are made. It tells the network how to steer traffic, manage tunnels, and apply rules. The data plane is where packets actually move. It carries traffic through encrypted tunnels, applies quality of service, and enforces security policies.

Within the data plane, the firewall is responsible for inspecting and controlling each session:

  • When traffic enters an SD-WAN edge device, it's decrypted if it arrives through an IPSec or SSL tunnel.

    The system identifies the application, user, and session context. It then applies next-generation firewall policies, checking for compliance with access rules, intrusion signatures, and threat indicators.

  • If the session is permitted, the data is classified, filtered, and re-encrypted for its next hop.

    This ensures that inspection happens before the packet reenters the overlay network. In other words, security is enforced locally at the branch instead of being backhauled through a central gateway.

  • Segmentation adds another layer of control.

    Traffic is grouped into logical zones or virtual routing and forwarding (VRF) instances, so each business function or user group stays isolated. The firewall enforces policies within and between these segments, preventing lateral movement and maintaining compliance boundaries.

It's worth noting that inspection placement does depend on network design.

Some organizations perform it locally on each edge device for immediate enforcement. Others centralize inspection at regional hubs. And cloud-based models extend those same controls to remote users through firewall-as-a-service or SASE platforms.

The result is consistent policy enforcement across every connection—branch, data center, or cloud—without disrupting how SD-WAN optimizes traffic flow.


Where does inspection occur in the SD-WAN data path?

Inspection happens everywhere traffic crosses a boundary.

But understanding where that inspection takes place—and in what order—makes all the difference in how secure and efficient the network really is.

In most SD-WAN architectures, traffic is inspected before encryption.

When packets enter the SD-WAN edge, they're decrypted if necessary, then inspected by the firewall before being re-encapsulated into the overlay tunnel. This allows the firewall to view full packet contents, apply policies, and block threats before data is hidden by encryption.

If inspection happened only after encryption, the system couldn't analyze payloads or enforce application-level controls.

Here's why order matters.

Encrypted traffic that skips local inspection must be sent elsewhere—often to a central hub or cloud security service—for decryption and analysis, and that introduces latency. Decentralized inspection, closer to the user or branch, therefore generally delivers faster performance while maintaining protection.

Topology plays a role too.

In hub-and-spoke designs, inspection often happens at the hub, where all branch traffic converges. In full mesh topologies, each branch can inspect and secure its own traffic locally. Hybrid models combine both, inspecting sensitive traffic at the hub while allowing direct, secure connections between trusted sites.

Cloud-delivered models take this one step further.

Firewall-as-a-service and SASE platforms extend inspection into the cloud itself. In this model, encrypted traffic is sent to the nearest service edge, decrypted, inspected, and re-encrypted before continuing to its destination. It unifies local and remote inspection under consistent policy enforcement.

The takeaway:

Inspection placement defines how quickly and thoroughly threats are detected. Placing it before encryption—and as close to the user as possible—keeps SD-WAN secure without sacrificing performance.


What are the main deployment models for firewalling in SD-WAN?

Firewalls can be deployed in several ways within an SD-WAN. Each approach defines where traffic is inspected and how policies are enforced.

In practice, most networks use a combination of three models: local, centralized, and cloud enforcement. Each has a clear role and distinct trade-offs.

Let's take a closer look at each:

Local enforcement

Local enforcement means the firewall runs directly on the SD-WAN edge device. It could be a built-in function, a virtualized container, or an NGFW.

When traffic enters or leaves a branch, it's decrypted, inspected, and re-encrypted right there on-site. This keeps decisions close to the user, minimizing latency and maintaining session context.

It's ideal for sites that need real-time performance or handle sensitive applications locally.

The trade-off is potential operational complexity.

Distributed inspection requires consistent policy management across multiple devices. That's why centralized orchestration is key: it lets every branch enforce the same standards without manual upkeep.

Note:
Local enforcement is best for organizations that prioritize low latency and complete on-site control. It's common in manufacturing, healthcare, and retail environments where uptime and immediate policy enforcement are critical at the branch.

Centralized enforcement

In centralized models, inspection happens at a data center or regional hub. All branch traffic flows through these aggregation points for decryption, inspection, and policy control.

This setup simplifies operations. Security teams can manage fewer inspection points and maintain tighter policy oversight. It also works well for traffic that must pass through core systems or comply with regulatory inspection requirements.

However, backhauling traffic adds latency and increases dependency on hub availability. It's effective for some workloads but less efficient for high-volume, latency-sensitive traffic such as SaaS or video.

Note:
Centralized enforcement fits enterprises with strong data center dependencies or strict compliance oversight. It's effective when traffic must pass through predefined control points for auditing, logging, or regulatory reasons.

Cloud enforcement

Cloud-based enforcement moves inspection into a distributed security service. Traffic is routed to the nearest service edge, where FWaaS or SASE applies the same inspection as an on-prem firewall.

This model scales easily.

It extends consistent policy enforcement to remote users, unmanaged devices, and branch sites without deploying hardware. And it's especially useful for organizations shifting to direct internet access and cloud-hosted applications.

The main consideration is dependency on provider proximity and bandwidth. Performance varies based on where the nearest inspection point resides.

Note:
Cloud enforcement is ideal for distributed workforces and cloud-first architectures. It delivers consistent policy coverage for remote users and branch offices while simplifying management through provider-hosted inspection.

In short:

  • Local enforcement favors performance.
  • Centralized enforcement favors control.
  • Cloud enforcement favors scalability.

Choosing the right mix ensures SD-WAN remains secure, consistent, and efficient wherever traffic originates.


How centralized management ties firewall and SD-WAN policies together

Modern SD-WAN depends on centralized management. It's what allows routing and security to operate as one system instead of two separate layers.

In practice, centralized management platforms form the shared control plane for the entire network. They distribute routing rules, enforce firewall policies, and provide unified visibility into traffic flows.

Diagram of centralized management in SD-WAN: an SD-WAN controller manages a branch office and the HQ/DC/DR site, both attached through traditional WAN routers, across fiber, dedicated internet access, MPLS, and 4G links to the MPLS network, the internet, and cloud services; control plane paths are drawn as yellow dashed lines and data plane paths as solid red lines.

Administrators use these platforms to define intent—like how applications should route, or what types of traffic should be inspected—and then push those configurations across all devices at once.

This is where routing and security truly converge.

Instead of managing them through different interfaces, both functions live in the same policy framework. Routing policies decide the best path based on performance metrics, while firewall policies determine whether that traffic is allowed or blocked.

Because they're coordinated through the same control plane, the SD-WAN can steer and secure traffic in a single, consistent process.
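The data-plane session handling described earlier (identify application, user and segment, apply policy, default-deny between segments) and the routing-plus-firewall policy pair described here, as an added Python simulation of an SD-WAN edge; this is not code from the page or from any SD-WAN product, and the zones, user groups, applications, path metrics and SLA thresholds are constructed sample data.

```python
"""Simulated SD-WAN edge: one policy pass that secures and then steers a session.

Added example; not code from the page or any vendor product. All zones, users,
applications, path metrics and SLA thresholds are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user_group: str  # identity resolved by the edge (e.g. from a directory)
    app: str         # application identified by inspection, not by port
    src_zone: str    # VRF / segment the session originates from
    dst_zone: str    # segment it is trying to reach


# Segmentation policy: (src_zone, dst_zone, app, user_group) -> allow.
# "*" matches any user group. Anything unmatched falls through to default
# deny, which is what stops lateral movement between segments.
SEGMENT_RULES: List[Tuple[str, str, str, str]] = [
    ("corp", "dc", "erp", "finance"),
    ("corp", "internet", "saas-crm", "*"),
    ("guest", "internet", "web", "*"),
    ("pos", "pci", "payments", "store-ops"),
]


def firewall_decision(s: Session) -> Tuple[str, str]:
    """Return (verdict, reason) for the session against SEGMENT_RULES."""
    for src, dst, app, group in SEGMENT_RULES:
        if (src, dst, app) == (s.src_zone, s.dst_zone, s.app) and group in ("*", s.user_group):
            return "allow", f"rule {src}->{dst} {app} for {group}"
    return "deny", f"no rule for {s.src_zone}->{s.dst_zone} {s.app} (default deny)"


# Path quality measurements the control plane distributes (constructed):
# name -> (latency ms, jitter ms, packet loss %).
PATHS: Dict[str, Tuple[float, float, float]] = {
    "mpls": (30, 2, 0.1), "broadband": (45, 8, 0.5), "lte": (90, 25, 2.0)}

# Per-application SLA: (max latency, max jitter, max loss) and preferred
# path order, evaluated top-down like a path quality profile.
APP_SLA = {
    "erp": ((60, 5, 0.5), ["mpls", "broadband", "lte"]),
    "saas-crm": ((100, 30, 1.0), ["broadband", "mpls", "lte"]),
    "web": ((200, 50, 3.0), ["broadband", "lte", "mpls"]),
    "payments": ((80, 10, 0.5), ["mpls", "lte", "broadband"]),
}


def select_path(app: str, paths=PATHS) -> Optional[str]:
    """Pick the first preferred path whose metrics stay inside the app's SLA."""
    (max_lat, max_jit, max_loss), order = APP_SLA[app]
    for name in order:
        lat, jit, loss = paths[name]
        if lat <= max_lat and jit <= max_jit and loss <= max_loss:
            return name
    return None  # no path meets the SLA; the caller decides how to degrade


def process_session(s: Session, paths=PATHS) -> dict:
    """Single pass: security verdict first, path steering only if allowed."""
    verdict, reason = firewall_decision(s)
    path = select_path(s.app, paths) if verdict == "allow" else None
    return {"verdict": verdict, "reason": reason, "path": path}


if __name__ == "__main__":
    for s in [Session("finance", "erp", "corp", "dc"),
              Session("guest", "erp", "guest", "dc"),  # cross-segment attempt
              Session("store-ops", "payments", "pos", "pci")]:
        print(s, process_session(s))
```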

The benefits are significant:

  • Policy consistency reduces the risk of misconfiguration, one of the most common causes of network vulnerabilities.
  • It also simplifies compliance since all enforcement points follow identical security baselines.
  • And when routing and firewall policies are visible in one dashboard, operations teams can diagnose performance and security events together instead of switching between tools.
  • Centralized management also makes scale practical. A new branch or user can inherit existing policies immediately without manual configuration. Updates roll out network-wide with version control and audit tracking, keeping governance intact.
  • Automation extends this even further, applying policies dynamically as network conditions change.

Essentially, centralized management turns SD-WAN from a set of distributed nodes into a unified system of control. It ensures that routing, security, and visibility evolve together, reducing risk while maintaining performance and agility.


When is a standalone firewall still needed?

Even as SD-WAN integrates advanced security, standalone firewalls still play a critical role. They provide capabilities that extend beyond what is practical or efficient to embed directly into the SD-WAN edge.

For example, high-throughput data centers rely on dedicated firewalls to handle massive session volumes and specialized traffic inspection. These environments often need more granular control and hardware acceleration than a distributed SD-WAN appliance can deliver.

The same applies to large-scale cloud interconnects or carrier-grade deployments where throughput and resiliency take precedence over edge simplicity.

In regulated industries, segmentation requirements can also drive the need for separate firewalls. Financial, healthcare, and government networks often maintain physically distinct security zones to meet compliance frameworks such as PCI DSS or HIPAA. In those cases, an independent firewall remains the authoritative enforcement point between zones or enclaves.

Standalone firewalls are also necessary for assets that fall outside SD-WAN coverage. That includes legacy infrastructure, industrial systems, or third-party services that connect through different transport methods. These environments depend on traditional perimeter or virtualized firewalls to maintain visibility and policy control.

The key is integration, not replacement.

Secure SD-WAN connects seamlessly with perimeter and cloud-based firewalls, extending policy and telemetry across both. This layered approach preserves centralized management while maintaining the depth of protection large enterprises still require.

Here's the takeaway:

Standalone firewalls remain vital where scale, regulation, or architectural isolation demand them. They complement SD-WAN rather than compete with it, ensuring every layer of the network is secured at the right place and scale.


How SD-WAN and firewall convergence lays the groundwork for SASE

The convergence of SD-WAN and firewalling is what makes SASE and zero trust possible in practice. By combining distributed networking with built-in security enforcement, the network itself becomes the delivery mechanism for consistent, identity-based control.

Here's how it fits together.

SD-WAN provides the distributed data plane that connects users and locations. Integrated firewalls bring inspection and segmentation directly to those connection points.

When policies follow the user instead of the network segment—and access is continuously verified—the result aligns with the core principles of zero trust architecture.

That model is now being extended through SASE. Centralized policy orchestration pushes identity, application, and threat prevention rules to every edge, whether physical or cloud-delivered.

Traffic is steered and inspected based on who the user is, what device they're on, and what they're trying to access. Not just where they connect.

So: SD-WAN creates the path. The firewall enforces trust.

And together, they form the foundation of a network that's adaptive, policy-driven, and ready for SASE's full vision of cloud-based security.


SD-WAN firewall FAQs

What is an SD-WAN firewall?

An SD-WAN firewall is a next-generation firewall integrated into the SD-WAN data plane. It inspects and controls traffic based on application, user, and content. By enforcing security policies within the SD-WAN fabric, it provides consistent protection across branches, data centers, and cloud environments.

Do you need both SD-WAN and a firewall?

Yes. SD-WAN optimizes connectivity, while the firewall secures it. Many SD-WAN platforms include built-in firewall capabilities, but standalone or cloud firewalls may still be required for high-throughput, compliance, or non-SD-WAN-connected systems. Together, they provide performance and security as part of one architecture.

Can SD-WAN replace a firewall?

Not entirely. SD-WAN integrates advanced firewalling but isn't a full substitute in all environments. Large data centers, regulated zones, or legacy networks may still require standalone firewalls for specialized inspection or segmentation. SD-WAN and firewalls complement each other within a layered security framework.

How are SD-WAN and firewall policies managed?

They're managed through a shared control plane. Centralized orchestration platforms distribute routing, segmentation, and firewall policies across all sites. This unified management ensures consistent enforcement, reduces configuration errors, and simplifies visibility for both network and security operations.

How does SD-WAN support zero trust?

SD-WAN supports zero trust by combining identity-based policies with distributed enforcement. Integrated firewalls verify every session, segment traffic, and apply least-privilege access across users and locations. When centrally managed, these controls align with zero trust architecture principles and form the foundation for SASE.