Abstract

Broadcom commissioned Tolly to examine the VeloCloud Secure Access Service Edge portfolio, with the main focus on documenting how VeloCloud SASE aligns with the industry definition of SASE architecture while also extending beyond the baseline framework. The report evaluates both the WAN edge and Security Service Edge portions of SASE and emphasizes that Broadcom’s approach allows customers to adopt SASE at their own pace while integrating with existing third-party solutions rather than requiring a closed, single-vendor environment.  

The analysis concludes that VeloCloud SASE covers all of the generally accepted SASE functional categories. On the SSE side, Symantec SSE for VeloCloud provides Secure Web Gateway, real-time URL threat prevention and classification, advanced content analysis with malware sandboxing, CASB, firewall-as-a-service, high-risk browser isolation, SSL inspection, and data loss prevention. According to the summary table on page 1, these functions are complemented by VeloCloud SD-Access for zero-trust remote access and VeloCloud SD-WAN for WAN connectivity, branch firewall services, and simplified management. Tolly notes that this combination provides both the core SASE elements and additional data-awareness capabilities beyond the basic industry definition.  

A major technical theme in the report is integration between cloud-delivered security and application-aware WAN optimization. Symantec SSE for VeloCloud uses Secure Web Gateway proxying, granular URL classification across about 80 categories including 12 security categories, cloud-based sandboxing for suspicious files, and CASB visibility across more than 45,000 cloud applications. Data protection is strengthened through integrated DLP capabilities with templates for PII, PCI, and HIPAA, plus support for custom policies. High Risk Isolation can remotely execute risky websites and deliver only safe rendered content to the endpoint, while selective SSL/TLS decryption enables inspection of encrypted traffic within privacy-policy limits.  

On the WAN edge side, VeloCloud SD-WAN provides Dynamic Multi-Path Optimization across MPLS, broadband, satellite, and dedicated links, plus recognition of more than 4,300 business applications for automatic traffic steering and improved quality of experience under loss, latency, and jitter. VeloCloud SD-Access applies zero-trust principles beyond user credentials to include device posture, geolocation, time of day, operating system, and other contextual signals. The platform also includes built-in branch enhanced firewall services such as IDS, IPS, URL filtering, and malicious IP filtering, eliminating the need for separate branch security appliances. Centralized orchestration through VeloCloud Orchestrator supports zero-touch provisioning, automated tunnels from branch edges to Symantec SSE, and AI- and ML-assisted visibility into user and device experience. Overall, the report presents VeloCloud SASE as a full-stack, open, and flexible SASE architecture that combines cloud security, zero-trust access, application-aware SD-WAN, and centralized management in one portfolio.