Site connectivity · routing · Bremen & northern Germany
Reliable networking for distributed locations
End expensive, inflexible MPLS circuits. SD-WAN for mid-market companies – intelligently managed, resilient and stable.
Independent expertise without system house overhead. For companies with multiple sites or branch offices, I translate the frustration of slow cloud applications, overpriced carrier lines, and expensive outages into a clean architecture. Through intelligent application routing via Prisma SD-WAN – for maximum availability without performance compromises.
Free initial consultation (30 minutes)
Is your site connectivity slowing your business down?
Four business-critical questions for your network infrastructure. If you recognise weaknesses here, your current architecture is costing you money and productivity every day.
Do your branch offices grind to a halt if a single provider link goes down?
Every outage immediately costs money. If your infrastructure cannot compensate for line disruptions within milliseconds via automatic failover, you are unnecessarily making your sites dependent on your internet provider's repair time.
Are there frequent complaints about dropping Teams calls or a slow ERP system?
Prisma SD-WAN continuously measures the real performance of every line. If a link degrades (brownout), the traffic of business-critical applications is seamlessly shifted to the best available path without a noticeable disconnection – regardless of whether that is fibre, DSL, or mobile.
Are you still paying high monthly fees for rigid MPLS circuits?
Traditional MPLS networks are expensive, bandwidth-limited, and often the bottleneck for cloud applications. A modern architecture intelligently bundles cost-effective broadband and mobile connections without compromising reliability.
Do you have a clear security concept for direct cloud breakout at branch offices?
Not every site requires its own expensive Next-Gen Firewall on-site. We analyse precisely where local internet breakout makes sense, where traffic should be backhauled to HQ, and where modern cloud security (SSE) such as Prisma Access or Zscaler is the cleanest solution.
Inadequate connectivity is a hidden cost driver
Historically grown VPN tunnels and bandwidth-limited legacy connections often seem like the easiest solution – until the first line disruption. The true costs arise from invisible productivity losses.
Production & logistics standstill
A failed WAN link at a production or logistics site often means the immediate halt of processes. Without dynamic failover in milliseconds, your employees wait for manual troubleshooting while supply chains break down.
Employee frustration due to latency
When Microsoft 365, cloud ERPs, or video conferences are consistently slow or stuttering, productivity drops. The infrastructure should be an invisible enabler, not a daily obstacle in day-to-day operations.
Lack of control during incidents
It is often unclear why connections drop. Without granular application visibility, IT always reacts after the user complaint – with hours of troubleshooting between the provider, firewall, and local network.
How I guarantee performance and stability
I resolve the typical WAN bottlenecks through a modern, software-defined network architecture based on Prisma SD-WAN.
Sub-Second Failover (Resilient Paths)
Backup links · Link Quality Metrics (LQM)
The system continuously monitors the quality of your lines. If a connection degrades or fails completely, traffic is shifted to the second available path in well under a second. Only the result matters: stable operations, completely independent of your internet provider's repair time.
Application-aware routing (L7)
App-ID · Direct Internet Access (DIA)
Routing is based on applications at Layer 7 rather than blindly by IP address. Known cloud services and real-time applications (such as Microsoft 365 or Teams) are allowed to break out securely via Direct Internet Access directly at the site, while internal traffic is steered deliberately through the WAN fabric.
Live Metrics & Performance Policies
LQM · Real-Time Analytics
We use the native live metrics of the cloud controller. Via Link Quality Metrics (LQM) and performance policies, you can see the real line quality and application response times immediately. Network errors become visible and analysable before users notice any degradation.
Flexible Edge Security & CloudBlades
CloudBlades · SSE Interface · NGFW
Site security follows your strategy, not hardware dictates: for larger setups, we seamlessly integrate modern cloud security (SSE) such as Prisma Access or Zscaler via CloudBlades. For leaner environments, we pragmatically assess whether a local Next-Gen Firewall or efficient backhauling to HQ is the better solution.
Fast Onboarding in Analytics Mode
ZTP · Zero-Touch Deployment
Commissioning new branch offices is radically simplified – whether via an ISP transfer network or classic assignments. The ION appliances come online quickly, initially running in pure Analytics Mode, enabling a risk-free assessment of real traffic before actively switching over.
Centralised cloud management
Strata Cloud Manager · Central Controller
No decentralised chaos: the entire infrastructure is managed centrally via the cloud-based controller in the Strata Cloud Manager. Routing profiles, network settings, and global policies are maintained consistently via templates – fully transparent, error-free, and without manual CLI configuration on-site.
For complex site connectivity: Palo Alto Networks Prisma SD-WAN
For the implementation of your infrastructure, I rely on the platform that industry analysts have rated as a leader for years. Prisma SD-WAN offers a software-defined architecture that flawlessly combines application-based routing and centralised control.
Technologies I work with
Certified knowledge, no sales pressure
I bring deep Palo Alto Networks expertise to your project – completely free from system house sales pressure. You purchase ION appliances and licenses transparently directly from the distributor or your existing supplier. We develop the routing design together at eye level.
Application-level path control
The ION appliances identify applications on Layer 7 and steer each session over the currently best-performing path. Unlike traditional packet-based routers, the system makes routing decisions based on measured application performance – not blindly by IP address.
Real Application Visibility
Via Link Quality Metrics (LQM) and performance policies, the system monitors line quality in real time. Performance issues can be precisely isolated before users open a ticket – you see immediately whether the cause lies with the ISP, the local network, or the cloud provider.
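The failover and performance-policy logic described above (rolling link-quality measurements, per-application thresholds, brownout detection, switching only when the policy is violated) is modelled here as an added illustration. This is not Prisma SD-WAN code or its API; the probe cadence, the three-miss outage rule, the link names and all measured values are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

PROBE_INTERVAL_MS = 200   # assumed probe cadence
MISSES_TO_DOWN = 3        # assumed: 3 lost probes (600 ms) declare a hard outage


@dataclass
class Sample:             # one link-quality measurement (values are constructed)
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass
class Policy:             # performance policy for one application class, e.g. voice
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def meets(self, s: Sample) -> bool:
        return (s.latency_ms <= self.max_latency_ms and s.jitter_ms <= self.max_jitter_ms
                and s.loss_pct <= self.max_loss_pct)


class Link:
    def __init__(self, name: str, window: int = 5):
        self.name = name
        self.samples = deque(maxlen=window)   # rolling window of recent probe results
        self.misses = 0                       # consecutive lost probes

    def probe(self, sample):
        """Record a probe result; None means the probe was lost."""
        if sample is None:
            self.misses += 1
        else:
            self.misses = 0
            self.samples.append(sample)

    @property
    def up(self) -> bool:
        return self.misses < MISSES_TO_DOWN and bool(self.samples)

    def quality(self) -> Sample:
        """Average the window so a single bad probe does not cause flapping."""
        n = len(self.samples)
        return Sample(sum(s.latency_ms for s in self.samples) / n,
                      sum(s.jitter_ms for s in self.samples) / n,
                      sum(s.loss_pct for s in self.samples) / n)


def outage_detection_ms() -> int:
    return MISSES_TO_DOWN * PROBE_INTERVAL_MS


def select_path(links, policy: Policy, current=None):
    """Pick the link an application class should use now, with hysteresis."""
    healthy = [l for l in links if l.up and policy.meets(l.quality())]
    if current in healthy:
        return current                       # policy still met: do not move sessions
    if healthy:                              # brownout or outage: best compliant path
        return min(healthy, key=lambda l: l.quality().latency_ms)
    alive = [l for l in links if l.up]       # nothing compliant: least-bad surviving path
    return min(alive, key=lambda l: (l.quality().loss_pct, l.quality().latency_ms)) if alive else None
```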
Central Platform Logic via CloudBlades
Via the Strata Cloud Manager, we manage the entire topology consistently using templates. Thanks to the flexible CloudBlades architecture, security logic can be seamlessly integrated – regardless of whether traffic is filtered locally, routed back to HQ, or passed directly to SSE services like Zscaler or Prisma Access.
Prisma SD-WAN is my well-founded technical recommendation for growing site networks. However, in every project I pragmatically evaluate whether this enterprise solution delivers the best ROI for your current use case, or whether leaner setups are sufficient.
Secure migration from underlay to overlay
The move to SD-WAN often fails in practice due to a poorly planned coexistence phase. My process guarantees a smooth transition without jeopardising your production or logistics during the changeover.
WAN Audit & Baseline Assessment
We analyse your existing provider contracts, transfer networks, routing protocols (BGP/OSPF), and current IPsec tunnels. This thorough technical assessment forms the risk-free foundation for the entire migration architecture.
Routing Profile & Pilot Design
We design the application-based Layer 7 routing profile and test it at a defined pilot site. Here we validate application performance and path behaviour under real conditions before the global rollout begins.
Staging & Risk-Free Coexistence
The new ION appliances are integrated at the site and initially run in pure Analytics Mode: full visibility and performance measurement, without active intervention in traffic. Only after validation do we switch to Control Mode, while legacy connections are replaced step by step.
Cut-over & MPLS Decommissioning
After successful validation, we swing productive traffic completely over to the Prisma SD-WAN fabric. The final cut-over takes place during planned off-peak hours. Expensive MPLS lines can subsequently be decommissioned successively and in a commercially sound manner.
Corporate architectures without overhead
I bring proven enterprise networking standards to mid-sized companies – specialised, transparent, and without the inertia of an anonymous IT system house.
Experience from the enterprise
In my main job, I manage complex network infrastructures in the European aerospace sector under the highest stability and availability requirements. I bring this uncompromising engineering standard to your project.
Independent, no margins
I earn exclusively from consulting, architecture design, and the build. Hardware and licenses are purchased without mark-up directly from the distributor or your existing supplier.
Certified knowledge
As a vendor-certified expert, I have deep knowledge of Prisma SD-WAN architectures, overlay routing, and application-based path control. My specialisation is a well-founded technical decision for your performance.
Audit-proof handover
After project completion, it is comprehensively documented which traffic flows over which path: performance policies, routing decisions at the application level, and failover scenarios. Your internal team can seamlessly take over Day-2 operations immediately.
The direct line
Short communication channels instead of ticket queues: you speak directly with the network specialist who designs your infrastructure and implements it in the central cloud controller – no misunderstandings through intermediary sales staff or project managers.
Bremen & Remote
On-site in Bremen and northern Germany for strategic planning, remote nationwide for configuration and staging. Critical cut-over phases are scheduled flexibly outside your productive working hours.
The before-and-after comparison
The transformation from traditional line structures to an agile, application-driven network.
Site outage and immediate production halt due to a single line disruption.
Sub-second failover to broadband or mobile – no manual intervention, no noticeable downtime in day-to-day operations.
Real-time applications and Microsoft 365 stutter at branch offices due to inefficient traffic backhauling.
Layer 7 Direct Cloud Breakout – business-critical cloud applications run prioritised, performant, and lightning-fast.
No overview and hours of troubleshooting when the network at a site suddenly slows down.
Real application visibility via LQM – you see immediately whether the problem lies with the provider, the local network, or the cloud provider.
Every new site costs weeks of provider waiting time and complex manual on-site configuration.
Zero-Touch Provisioning (ZTP): the new site pulls its configuration automatically and is productive within hours.
Networking and IT security managed as two completely separate, complex silos.
Flexible edge security – the right security architecture (local NGFW, HQ backhauling, or SSE) is directly integrated.
Expensive MPLS circuits lock you into a single provider with rigid contract terms and limited bandwidth.
Provider-independent architecture – use of cheaper broadband/5G connections with full flexibility and redundancy.
What you are probably wondering
Clear answers to the most important questions about SD-WAN and site connectivity.
That depends entirely on your business risk. If processes stop at a logistics or production site as soon as a line fails, or the cloud infrastructure becomes unusably slow, automated failover via Prisma SD-WAN is worthwhile from just two sites. I honestly evaluate in the initial call whether the ROI is there for you.
Not immediately – that would be technically risky. During the migration phase, the new Prisma SD-WAN (overlay) and your existing MPLS (underlay) run in parallel. Only when the new system has been fully validated in Analytics Mode do we replace the MPLS connections step by step in a commercially sound manner.
Palo Alto Networks is my clear technical recommendation in the upper mid-market segment due to the outstanding Layer 7 App-ID control and the flexible security interfaces. Should this enterprise solution exceed your budget, I design pragmatic, high-availability VPN and routing architectures based on established standards.
No. Your existing service provider typically does an excellent job handling endpoints, servers, and day-to-day user support. I act purely as a specialised third-level engineer for complex network and security structures. We work together in close partnership on projects.
Yes. The Prisma SD-WAN is built entirely in the background in parallel operation. The new infrastructure initially runs in pure Analytics Mode (listening only), to analyse traffic without risk. We schedule the final cut-over deliberately during your off-peak hours or at the weekend.
This is one of the core strengths of modern ION appliances. Via integrated 5G/LTE modules, we securely integrate the new site into your corporate network within a very short time – even before the physical fixed-line connection is provisioned. Later, the mobile uplink then serves as an automatic fallback.
For site connectivity, I deliberately do not give a flat reference figure – not out of a lack of transparency, but because the range is determined by the network topology: two sites with a simple failover are a completely different project from five sites with a strategic cloud security integration (SSE) via CloudBlades and MPLS replacement. Additionally, you purchase the hardware (ION appliances) and licenses without mark-up directly from the distributor, separately from my consulting fee. In the initial call, I can roughly classify your use case in 30 minutes and tell you directly whether the cost-to-savings ratio makes sense for you.
All sites are connected, day-to-day operations are running. But do you really know exactly what flows back and forth between your branch offices? Or whether malware from a small branch office can march straight through to the headquarters completely unhindered?
Does the same security apply everywhere?
Site connectivity creates direct connections – and thus direct attack paths. What gets compromised at a branch reaches your headquarters without any barriers, unless a strict firewall policy applies there.
What is running internally at your sites?
The fast WAN connection is in place. But what does the network behind it look like in the branch? The reality is mostly: historically grown, undocumented, and with no strict separation between office and production.