The SD-WAN policy of Sangfor’s Next-Generation Firewall (NGFW) is exclusively designed for routing traffic over VPN tunnels established using Sangfor’s proprietary VPN protocol. This policy does not support routing over standard IPSec tunnels, nor does it allow IPSec tunnels to be integrated with WAN links for unified routing or load balancing. As a result, in network environments where both Sangfor VPN tunnels and standard IPSec tunnels coexist, the SD-WAN policy can only manage the traffic of Sangfor VPN tunnels, while standard IPSec tunnels must still be managed using traditional static routes or other manual policies.

The Policy-Based Routing (PBR) feature of a Next-Generation Firewall (NGFW) includes two main types: one is source-based routing, which allows traffic to be routed based on the source IP address or subnet; the other is multi-link load balancing, which distributes traffic across multiple WAN links according to defined policies. In addition, NGFW’s PBR can support application-based routing, enabling traffic from different applications to follow the optimal path. In contrast, Fortigate’s PBR primarily targets Layer 4 (transport layer) services, such as ports and protocols, and has limited support for Layer 7 (application layer) routing, meaning it cannot perform policy-based routing based on specific applications.