Why Palo Alto Networks Acquired CloudGenix and Jumped Into SASE

eWEEK NEWS ANALYSIS: As strong as the PAN security platform vision was, the WAN portion was missing. That's what CloudGenix brings to the table.


On March 31, network security provider Palo Alto Networks (PAN) announced its intent to acquire software-defined wide-area network (SD-WAN) pioneer CloudGenix for about $420 million in cash. This is a healthy, albeit fair, premium for a company that has an estimated revenue of $45 million with about 250 customers. 

For context, VMware paid roughly the same for VeloCloud in 2017. The CloudGenix customer base comprises many Fortune 1000 companies with strengths in health care, retail, manufacturing, finance, tech and hospitality. 

The addition of CloudGenix brings SD-WAN into the PAN portfolio. As I pointed out in this post, security is shifting away from point products to platforms, and PAN has one of the best platform stories in the industry. 

Palo Alto Networks Had Everything but WAN

However, as strong as the PAN security platform vision was, the WAN portion was missing. Last year, it joined the move to SASE with Prisma Access, which offered cloud-native security and a thin-edge SD-WAN. Prisma Access has delivered IPsec and SSL VPN for many years, but did not have the full feature set that CloudGenix has. CloudGenix adds this component, giving Palo Alto Networks a full SASE offering.

Gartner’s definition of SASE is built around the concept of integrated network and security that’s cloud-delivered. Most of the SASE vendors are strong in networking and partner in the areas of security, which isn’t really SASE, but PAN will now have native network and security capabilities. 

CloudGenix has a very lightweight appliance, also available in a virtual form factor, that will let Palo Alto extend its security fabric all the way to the branch. The zero-touch provision endpoint makes it fast and easy to onboard remote locations, retail stores and, in the future, internet of things (IoT) endpoints.

One of the byproducts of COVID-19 is that it exposed how deficient most organizations are at scaling their remote access infrastructure. I believe that Corona will act as a catalyst for change and shift more applications out of corporate data centers and permanently shift many people to work from home. 

Businesses Need Employees to Access Any Application From Any Location

As the transition to SaaS happens and users become more distributed, IT organizations will struggle to connect employees to applications. The current remote access infrastructure, built on legacy VPNs, is expensive, slow, complex and insecure. To support the modern workforce, businesses need the ability to access any application from all locations. The cloud-native network approach improves reliability and performance.

CloudGenix also has an interesting platform it calls CloudBlades, which enables API integration with a number of best-of-breed partners in the areas of security, collaboration, multi-cloud and IT operations. It’s unlikely that Palo Alto will continue to partner with some of the security vendors, such as Zscaler and Check Point, but I would expect the others to remain and eventually be rolled into the Palo Alto Partner Program.

The integration of CloudGenix will significantly bolster PAN’s Cortex XDR security platform. In my previous post, I pointed out the three pillars of XDR are cloud, endpoint and the network. PAN is best of breed in the areas of cloud and endpoint, and SD-WAN will give it significantly more data to analyze. This will enable Cortex XDR to find threats and respond faster than before. Palo Alto has been an 800-pound gorilla in the area of network security, and now it will add network transport to its core competency. 

The acquisition has some interesting industry ramifications. Many SD-WAN providers partnered with Palo Alto Networks because it is considered a top-tier security vendor. I don’t anticipate any changes in the short term with its SD-WAN partners, but over time, PAN won’t need most of them. There are some SD-WAN vendors, such as VMware VeloCloud, that are more complementary than competitive, and I would expect both companies to keep the partnership in place because it’s good for customers.

Versa Networks: 'Last Pure-Play Person Standing'

This also leaves Versa Networks as the “last person standing” of the original wave of SD-WAN pure plays. VeloCloud, Viptela and now CloudGenix are off the board, so where does Versa go? There are a couple of big vendors that might have some interest, such as HPE or Arista, but Versa has built a nice base of service providers and enterprises.

In some ways, the evolution of SD-WANs reminds me of the application delivery controller (ADC) market, where most of the vendors were acquired but F5 stuck around and has been independent ever since. It’s possible, if not likely, that Versa eventually goes public and becomes the F5 of the SD-WAN space—although F5 could acquire it, and then Versa would literally be the F5. 

In any case, PAN’s acquisition of CloudGenix is good for its customers and for the industry because it gives the SASE industry a strong player that will push everyone else. 

Zeus Kerravala is an eWEEK regular contributor and the founder and principal analyst with ZK Research. He spent 10 years at Yankee Group and prior to that held a number of corporate IT positions.