Palo Alto Networks SD-WAN-Engineer Exam Questions Instant Access

Question 1

When configuring a Path Policy rule for a "Real-Time Video" application, the administrator wants to ensure the traffic uses the path with the lowest packet loss.

How does the Prisma SD-WAN ION determine the "Packet Loss" metric for a given path when there is no active user traffic flowing on that link?

AIt sends Active Probes (synthetic UDP packets) across the Secure Fabric to measure path quality continuously.

BIt relies solely on Passive Monitoring of TCP retransmissions from other user traffic on that link.

CIt queries the ISP's router via SNMP to retrieve interface error counters.

DIt defaults to a static value of 0% loss until user traffic begins.

Answer : A

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizes Link Quality Monitoring (LQM) to maintain a real-time health score for every WAN path.

To ensure the system knows the quality of a path before sending critical user traffic onto it, the ION device uses Active Probing.

Mechanism: The ION sends synthetic probe packets (typically UDP) across the Secure Fabric (VPN tunnels) and Direct Internet paths to its peers. These probes measure Latency, Jitter, and Packet Loss.

Active vs. Passive: While the system does use Passive Monitoring (observing actual user flows) when traffic is present to reduce overhead, Active Probes are essential for idle links or backup paths. Without active probing, the ION would have no data to make an intelligent steering decision for the first packet of a new video call. This ensures that 'Real-Time' policies always have up-to-date metrics to select the best path immediately.

Question 2

An administrator wants to configure a Path Policy that routes all "Guest Wi-Fi" traffic directly to the internet using the local broadband interface, bypassing all VPN tunnels.

Which Service & DC Group setting should be selected in the policy rule to achieve this "Direct Internet Access" (DIA) behavior?

AStandard VPN

BDirect

CAny-Private

DDefault-Cluster

Answer : B

Comprehensive and Detailed Explanation

In Prisma SD-WAN Path Policies, the Service & DC Group (Destination) field determines where the traffic is sent.

Direct: This is the specific keyword/object used to instruct the ION to route traffic directly out to the local WAN interface (Local Breakout) towards the Internet, without encapsulation in a VPN tunnel. This is the correct setting for Guest Wi-Fi, SaaS applications (like Office 365), or any public web browsing that does not need to be backhauled.

Standard VPN / Default-Cluster: These options direct traffic into an IPSec overlay tunnel destined for a Data Center or another ION. Selecting these would 'backhaul' the guest traffic, which contradicts the requirement for DIA.

When 'Direct' is selected, the ION uses its available 'Internet' category links. The policy can further specify which internet link to use (e.g., 'Use Broadband, avoid LTE') via the path preference list, but the Destination type must be 'Direct'.

Question 3

A network installer is attempting to claim a new ION device using the "Claim Code" method. The device is connected to the internet, but the status in the portal remains stuck at "Claimed" and does not transition to "Online". The installer connects a laptop to the LAN port of the ION and can successfully browse the internet, confirming the uplink is active.

What is the most likely cause of the device failing to reach the "Online" state?

AThe device is missing the 'Site' assignment in the portal.

BThe upstream firewall is blocking outbound TCP port 443 or UDP port 123 (NTP).

CThe device has not yet downloaded the latest software image.

DThe 'Circuit Label' has not been applied to the WAN interface.

Answer : B

Comprehensive and Detailed Explanation

The transition from 'Claimed' to 'Online' depends entirely on the ION device's ability to establish a secure, persistent management tunnel to the Prisma SD-WAN Controller.

Connectivity Requirements: The ION device initiates an outbound connection to the controller on TCP Port 443 (HTTPS). It also requires accurate time synchronization to validate SSL certificates, necessitating access to NTP (UDP Port 123).

Scenario Analysis: Since the installer can browse the internet from the LAN, we know the physical link and basic routing/NAT are functional. The issue is specific to the management plane traffic.

Root Cause: If an upstream firewall (e.g., a corporate edge firewall or ISP filter) is inspecting SSL traffic or blocking specific FQDNs/Ports required by the ION, the device cannot complete the handshake. Consequently, it remains 'Claimed' (registered in the database) but cannot go 'Online' (active management session). Options A, C, and D prevent provisioning (configuration push) but generally do not prevent the device from initially checking in and going 'Online' if the pipe is open.

Question 4

A network engineer is able to ping and traceroute from SD-WAN branch IP 192.168.1.123 to servers in primary data center -- DC1, but is unable to ping or traceroute to a server 10.2.2.22 in the newly configured secondary data center, DC2.

The DC2 ION device is advertising the branch IP subnet 192.168.1.0/24 to the DC2 core via eBGP Core Peer. The DC2 data center site has site prefix 10.2.2.0/23 configured.

Which configuration will resolve the issue in this scenario?

AThe default 0.0.0.0/0 static route to the DC2 ION pointing to the DC2 next hop.

BReconfigure eBGP Core Peer to iBGP Core Peer.

CReconfigure eBGP Core Peer as Edge Peer type.

DRemove site prefix 10.2.2.0/23 from DC2 site configuration.

Answer : A

Comprehensive and Detailed Explanation at least 150 to 250 words each from Palo Alto Networks SD-WAN Engineer documents:

In a Prisma SD-WAN deployment, the routing of traffic between branches and Data Centers (DCs) relies on the proper synchronization between the AppFabric (the overlay) and the local routing protocols (the underlay/LAN side). In this scenario, the branch can successfully reach DC1, indicating the branch ION is correctly participating in the fabric. However, traffic to DC2 (10.2.2.22) is failing.

The DC2 site has the site prefix 10.2.2.0/23 configured. In Prisma SD-WAN, defining a site prefix informs the Controller that this specific subnet 'belongs' to that site, causing the Controller to advertise reachability for this prefix to all other ION devices in the fabric. Consequently, when the branch ION (192.168.1.123) attempts to reach 10.2.2.22, it correctly identifies DC2 as the destination and encapsulates the traffic toward the DC2 ION.

The bottleneck occurs once the packet arrives at the DC2 ION. While the ION is advertising the branch subnet (192.168.1.0/24) to the DC Core (ensuring the return path), the ION itself must know how to forward the incoming traffic from the branch to the internal DC network. If the DC2 ION does not have a specific route in its local routing table for the 10.2.2.0/23 subnet pointing to the DC Core's internal interface, the packet will be dropped.

According to Palo Alto Networks best practices for Data Center ION deployment, a static default route (0.0.0.0/0) should be configured on the ION device pointing toward the DC Core's next-hop IP address. This ensures that any traffic received from the AppFabric destined for internal DC resources---which are not directly connected to the ION---is successfully handed off to the core switching fabric for final delivery. Adding this default route (Option A) resolves the reachability issue by providing the 'last-hop' routing instruction within the DC.

Question 5

By default, how many days will Prisma SD-WAN VPNs stay operational before the keys expire when an ION device loses connection with the controller?

Answer : B

Comprehensive and Detailed Explanation

The Prisma SD-WAN (CloudGenix) solution is designed with a separation of the control plane (Controller) and the data plane (ION devices).1 In the event that an ION device loses connectivity to the Cloud Controller (often referred to as running in 'headless mode'), the device continues to forward traffic and maintain existing VPN tunnels using the keys it currently holds.2

However, for security purposes, the VPN session keys (shared secrets) used for the Secure Fabric have a finite validity period. The system is designed such that these keys are rotated regularly.3 If the controller is unreachable, the ION device can continue to rotate keys locally and maintain the VPNs for a maximum default period of 72 hours (exactly 3 days).4

If the connection to the controller is not restored within this 72-hour window, the keys will eventually expire, and the ION will be unable to retrieve new authorized key material from the controller.5 Consequently, the VPN tunnels will go down, and the 'out of shared secret key' error will be observed in the VPN status logs. This mechanism ensures that a permanently compromised or stolen device cannot maintain network access indefinitely without central authorization.

Question 6

In a data center (DC) with two ION devices, all of the remote branch Prisma SD-WAN VPNs are active only on DC ION-1.

Why are no VPNs active on DC ION-2?

AThe BGP core peer is down.

BThe static route to core as a next hop is missing.

CThe ION device is behind a NAT.

DThe DC and branches are in a different domain.

Answer : A

Comprehensive and Detailed Explanation

In a Prisma SD-WAN Data Center deployment, the operational state of the Secure Fabric VPNs (overlay tunnels) is directly tied to the health of the BGP Core Peer configuration.4

Core Peer Dependency: DC ION devices typically peer with the data center core switch (Core Router) via BGP to learn the subnets (prefixes) for the applications hosted in the DC. The Prisma SD-WAN controller monitors this BGP peering status.5

Controller Logic: If the BGP Core Peer on a DC ION goes down (or is not established), the controller automatically marks the VPN tunnels terminating at that specific ION as 'Inactive'.6 This is a fail-safe mechanism designed to prevent remote branches from sending traffic to a DC ION that has lost conne7ctivity to the internal data center network (and thus the applications).

Scenario Analysis: In this scenario, DC ION-1 has active VPNs, meaning its BGP Core Peer is UP and it is successfully advertising reachability. DC ION-2 has no active VPNs, which strongly indicates that its BGP Core Peer is down.8 Because the controller sees the peer is down, it suppresses the tunnel establishment or marks existing tunnels as inactive to ensure traffic is only directed to the healthy node (ION-1).

Question 7

What are two potential causes when a secondary public circuit has been added to the branch site, but the Prisma SD-WAN tunnel is not forming to the data center? (Choose two.)

AInterface role is not selected as ''internet.''

BCircuit label is missing from interface type.

CDNS is not configured.

DInterface scope is set to ''local.''

Answer : A, D

Comprehensive and Detailed Explanation

In Prisma SD-WAN (formerly CloudGenix), the establishment of Secure Fabric (VPN) tunnels is automated but relies heavily on the correct definition of the Network Context for each interface. If a tunnel fails to form on a newly added s2econdary circuit, it is typically due to a misconfiguration in how the interface is defined in the ION portal.

1. Interface Scope (Statement D):

The Scope setting on an interface determines its function in the network topology.

Global Scope: This defines the interface as a WAN-facing port. The ION device will only attempt to build VPN tunnels (overlay) on interfaces configured with Global scope.

Local Scope: This defines the interface as a LAN-facing port (for users, switches, or APs). If the administrator mistakenly sets the scope to 'Local' for the new internet line, the ION treats it as a private LAN segment and will not initiate any tunnel negotiation or WAN signaling on that port.

2. Interface Role/Circuit Category (Statement A):

Prisma SD-WAN uses Circuit Categories (often referred to as Interface Roles in general networking terms, or specifically 'Circuit Category' in the ION UI) to determine peering logic.

To form a tunnel over a public internet link to a Data Center, the circuit attached to the interface must be categorized as 'Internet'.

The controller uses this category to match compatible endpoints. It knows that a 'Private WAN' (MPLS) link cannot directly tunnel to an 'Internet' link without a gateway. If the new circuit is not correctly selected/categorized as 'Internet' (e.g., left undefined or set to a different category), the system will not attempt to build the standard IPSec overlay to the Data Center's public IP address.

Palo Alto Networks SD-WAN Engineer SD-WAN-Engineer Exam Questions