Untangle (SD-wan) vs pfSense vs else for Secure, Distributed Startup?

SD-WAN is a loaded marketing term, with many people using it to mean different things. The main two are:

  1. Automatically choosing between multiple WAN interfaces based on which one has lower packet loss and jitter (important for VoIP and video calls) and/or more advanced assignment of data across multiple WANs. The point of this is to allow a business to use commodity internet connections, instead of more expensive connections with SLAs.
  2. Managing site-to-site connectivity between branch locations, including over multiple internet connections. The point of this is to not require MPLS, dark fiber, Metro-Ethernet, or other expensive methods of connecting branches together.

You’ll notice that neither of these has anything to do with security. SD-WAN is all about reducing cost by using regular internet connections instead of more expensive guaranteed ones.

pfSense is solid and reliable, and no one would scoff at its basic security. Whether it is right for you largely depends on whether there are reports you are required to run that it can’t provide, or if you are required to run IPS (this is a requirement for example if you process credit cards internally, but I have no idea about the government requirements you mentioned).

I am confused about the separation between the main Untangle firewall operating system, and their SD-WAN operating system. The SD-WAN one definitely has features specific to that use case which aren’t present in the main Untangle system. But all of the NGFW/UTM features of Untangle are missing in their SD-WAN OS.

RouterOS is not going to fulfill your requirements; it doesn’t go beyond regular firewall inspection. It is really designed for no-nonsense routing at low cost.

Tomato is only worthwhile as an upgrade for a SOHO router, and is not intended for your use case. Same goes for OpenWRT/LEDE.

Zabbix can be used for monitoring anything.
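The WAN selection described in point 1 above, as an added Python sketch that is not from the original post or any of the products mentioned: the probe results are constructed sample data, and the scoring weights, loss/jitter ceilings and hysteresis margin are assumptions.

```python
from statistics import mean

# Constructed probe samples: per-WAN round-trip times in ms from periodic
# probes to a fixed target; None marks a probe that got no reply (loss).
PROBES = {
    "wan0_cable": [21.0, 23.5, 22.0, None, 48.0, 20.5, 21.0, None, 22.5, 60.0],
    "wan1_dsl":   [34.0, 35.0, 34.5, 35.5, 34.0, 36.0, 35.0, 34.5, 35.0, 34.5],
}

def loss_rate(samples):
    """Fraction of probes that got no reply."""
    return sum(1 for s in samples if s is None) / len(samples)

def jitter_ms(samples):
    """Mean absolute difference between consecutive delivered probes,
    the same idea as RFC 3550 interarrival jitter but without smoothing."""
    rtts = [s for s in samples if s is not None]
    if len(rtts) < 2:
        return float("inf")
    return mean([abs(a - b) for a, b in zip(rtts, rtts[1:])])

def path_score(samples, loss_weight=100.0):
    """Lower is better: jitter in ms plus a heavy penalty per unit of loss
    (assumed weighting; 1% loss costs as much as 1 ms of jitter)."""
    return jitter_ms(samples) + loss_weight * loss_rate(samples)

def choose_wan(probes, current=None, max_loss=0.05, max_jitter=10.0, hysteresis=5.0):
    """Pick the WAN for loss/jitter-sensitive traffic (VoIP, video).
    Links above the loss or jitter ceiling are disqualified; the current
    link is kept unless another beats it by more than `hysteresis`, so
    that calls are not flapped between links on every probe round."""
    eligible = {name: path_score(s) for name, s in probes.items()
                if loss_rate(s) <= max_loss and jitter_ms(s) <= max_jitter}
    if not eligible:
        # Nothing meets the ceilings; fall back to the least-bad link.
        eligible = {name: path_score(s) for name, s in probes.items()}
    best = min(eligible, key=eligible.get)
    if current in eligible and eligible[current] - eligible[best] <= hysteresis:
        return current
    return best

if __name__ == "__main__":
    for name, samples in PROBES.items():
        print(name, f"loss={loss_rate(samples):.0%}", f"jitter={jitter_ms(samples):.1f}ms")
    print("selected:", choose_wan(PROBES, current="wan0_cable"))
```

The cable link here has lower latency but its loss and jitter disqualify it for real-time traffic, which is exactly the decision an SD-WAN box makes on commodity links.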