Palo Alto Networks SD-WAN-Engineer Exam Questions Instant Access

Question 1

A network installer is attempting to claim a new ION device using the "Claim Code" method. The device is connected to the internet, but the status in the portal remains stuck at "Claimed" and does not transition to "Online". The installer connects a laptop to the LAN port of the ION and can successfully browse the internet, confirming the uplink is active.

What is the most likely cause of the device failing to reach the "Online" state?

AThe device is missing the 'Site' assignment in the portal.

BThe upstream firewall is blocking outbound TCP port 443 or UDP port 123 (NTP).

CThe device has not yet downloaded the latest software image.

DThe 'Circuit Label' has not been applied to the WAN interface.

Answer : B

Comprehensive and Detailed Explanation

The transition from 'Claimed' to 'Online' depends entirely on the ION device's ability to establish a secure, persistent management tunnel to the Prisma SD-WAN Controller.

Connectivity Requirements: The ION device initiates an outbound connection to the controller on TCP Port 443 (HTTPS). It also requires accurate time synchronization to validate SSL certificates, necessitating access to NTP (UDP Port 123).

Scenario Analysis: Since the installer can browse the internet from the LAN, we know the physical link and basic routing/NAT are functional. The issue is specific to the management plane traffic.

Root Cause: If an upstream firewall (e.g., a corporate edge firewall or ISP filter) is inspecting SSL traffic or blocking specific FQDNs/Ports required by the ION, the device cannot complete the handshake. Consequently, it remains 'Claimed' (registered in the database) but cannot go 'Online' (active management session). Options A, C, and D prevent provisioning (configuration push) but generally do not prevent the device from initially checking in and going 'Online' if the pipe is open.

Question 2

A network engineer is troubleshooting a user complaint regarding "slow application performance" for an internal web application. While viewing the Flow Browser in the Prisma SD-WAN portal, the engineer notices that the Server Response Time (SRT) is consistently high (over 500ms), while the Network Transfer Time (NTT) and Round Trip Time (RTT) are low (under 50ms).

What does this data indicate about the root cause of the issue?

AThe issue is likely caused by congestion on the WAN circuit, requiring a QoS policy adjustment.

BThe issue is likely on the application server itself (e.g., high CPU, slow database query), not the network.

CThe issue is caused by a high packet loss rate on the internet path.

DThe issue is due to a misconfigured DNS server at the branch.

Answer : B

Comprehensive and Detailed Explanation

The Flow Browser and App Response Time metrics in Prisma SD-WAN are critical tools for isolating the fault domain---determining whether a problem lies in the 'Network' or the 'Application.'

Network Transfer Time (NTT) / Round Trip Time (RTT): These metrics measure the time it takes for packets to traverse the network (WAN/LAN) and for acknowledgments to return. A low NTT (e.g., <50ms) confirms that the network pipes (SD-WAN overlay, Underlay circuits) are healthy and transporting packets quickly.

Server Response Time (SRT): This metric specifically measures the time between the server receiving a request and the server sending the first byte of the response. It essentially measures the 'processing time' of the backend server.

In the scenario described, the network metrics (NTT/RTT) are excellent, effectively ruling out WAN congestion, packet loss, or latency (Option A and C). However, the Server Response Time (SRT) is very high (500ms). This signature is a definitive indicator that the network delivered the request instantly, but the application server took a long time to process it. This points the troubleshooting effort toward the server infrastructure (e.g., a slow SQL query, an overloaded web server, or lack of compute resources) rather than the SD-WAN environment.

Question 3

Network segmentation is required due to overlapping IP address space and M&A scenarios. Which Prisma SD-WAN feature will achieve the desired segmentation and end-to-end connectivity in this use case?

AVirtual Routing and Forwarding (VRF) profiles with proper site bindings to achieve desired isolation across the underlay

BVirtual Routing and Forwarding (VRF) profiles with proper site bindings to achieve desired isolation locally and across the secure fabric

CMultiple contexts with interface segmentation to achieve desired isolation across the underlay

DMultiple virtual routers with interface segmentation to achieve desired isolation across the secure fabric

Answer : B

In modern enterprise environments, particularly those undergoing Mergers and Acquisitions (M&A), engineers often face the challenge of overlapping IP address space.4 Prisma SD-WAN addresses this by utilizing Virtual Routing and Forwarding (VRF) profiles.5 A VRF creates a separate routing table instance within the ION device, allowing multiple networks to coexist on the same physical hardware even if they use the same IP ranges.

To achieve end-to-end connectivity while maintaining strict segmentation, these VRF profiles must be correctly associated with site bindings.7 When a VRF is 'bound' to a site, the ION device ensures that traffic belonging to that specific segment remains isolated not only locally (on the LAN) but also across the secure SD-WAN fabric. Prisma SD-WAN achieves this by encapsulating the traffic within the overlay tunnels and tagging it with a unique VRF identifier.8 This ensures that a 'Corporate' VRF at Site A can only communicate with the 'Corporate' VRF at Site B, effectively keeping 'Guest' or 'Acquisition' traffic completely separate.

This architectural approach is superior to traditional underlay segmentation (Option A) or simple interface-based virtual routers (Option D) because it provides a centralized, software-defined method to manage multi-tenancy. By using VRF profiles, administrators can define a global security and routing posture once and push it to all relevant sites.9 This simplifies the integration of new business units with conflicting IP schemes, as the Prisma SD-WAN controller handles the complex orchestration required to maintain path selection and security policies uniquely for each VRF across the entire global network.

Question 4

When an ION device has been claimed, the cloud-based controller generates and communicates with the device by which method?

AManufacturer Installed Certificate (MIC)

BExisting customer public key infrastructure (KPI)

CSelf-signed certificate

DCustomer Installed Certificate (CIC)

Answer : A

In the Prisma SD-WAN (formerly CloudGenix) architecture, the security and authenticity of device-to-controller communication are paramount. When a new ION (Instant-On Network) device is powered on and connected to the internet, it initiates a secure 'phone home' process to the Prisma SD-WAN Cloud Controller. To ensure that the controller is communicating with a genuine Palo Alto Networks hardware or software instance, the system utilizes a Manufacturer Installed Certificate (MIC).

The MIC is a unique digital certificate burned into the hardware's Trusted Platform Module (TPM) or secure storage during the manufacturing process. This certificate acts as the device's foundational identity. When a customer 'claims' a device in the Prisma SD-WAN portal using its serial number, the controller maps that serial number to the specific MIC associated with that unit.

Once the device is claimed and attempts to connect, a mutual TLS (mTLS) handshake occurs. The ION device presents its MIC to the controller to prove its identity, and the controller validates this against its records. This method eliminates the need for manual staging, pre-configuration, or the complexity of managing a Customer Installed Certificate (CIC) or a private Public Key Infrastructure (PKI) during the initial deployment phase. By leveraging the MIC, Prisma SD-WAN achieves true Zero Touch Provisioning (ZTP), ensuring that only authorized, authentic devices can join the fabric and receive configuration policies, thereby maintaining a secure and automated onboarding workflow.

Question 5

A branch manager reports slow network performance, and the network administrator wants to use Prisma SD-WAN Copilot to quickly identify if a specific user, by source IP address, is consuming excessive bandwidth as well as which applications are contributing to this consumption. How can Copilot assist in this investigation?

AIt will automatically generate and email a ''User Bandwidth Consumption'' report for the specified branch, which the administrator can use to find the top user and the application details.

BIt can identify the top applications being used across the entire branch and can be correlated with Flow Browser to attribute specific application usage or total bandwidth consumption to individual source IPs.

CIt can directly process a natural language query such as ''Show top bandwidth source IPs at SD-WAN Branch X over last 3 hours,'' provide summarized views of the top-consuming source IPs, and view the primary applications they are using.

DIt will redirect the administrator to the WAN Clarity ''Top N: Source IPs'' report and the ''Flow Browser'' utility, suggesting correlation between these tools to determine a user's specific application usage.

Answer : C

Prisma SD-WAN Copilot is an AI-powered operational tool designed to simplify network management through Natural Language Processing (NLP). Traditionally, identifying a bandwidth 'hog' required manual navigation through multiple dashboards, such as WAN Clarity and the Flow Browser, to correlate source IP addresses with specific application flows and timestamps. Copilot transforms this workflow by allowing administrators to interact with the system using conversational queries.

When an administrator inputs a query like ''Show top bandwidth source IPs at SD-WAN Branch X over last 3 hours,'' Copilot leverages its underlying machine learning models and integrated data lake to aggregate telemetry across the entire fabric. It instantly identifies the specific source IPs responsible for the highest throughput and correlates that data with application visibility. Instead of providing a static report or redirecting the user to other tools, Copilot presents an interactive, summarized view directly within the interface. This view highlights the top-consuming users and breaks down their consumption by application, such as YouTube, Netflix, or business-critical SaaS tools.

This capability significantly reduces the Mean Time to Resolution (MTTR) for performance issues. By bypassing the need for manual data correlation, Copilot provides immediate 'Day 2' operational insights. It effectively acts as a virtual assistant that understands the context of the network topology, site names, and time ranges, allowing the administrator to quickly determine if a branch's slow performance is due to an individual user's behavior or a broader infrastructure issue.

Question 6

Which troubleshooting step should be taken when users at a branch site are experiencing a maximum throughput of 200 Mbps for Direct Internet Access (DIA) traffic on a 1 Gbps internet connection?

AEnsure QoS policy is applies to the site.

BEnsure the WAN interface is set to 1 Gbps or auto mode.

CEnsure performance policy is applied to the site.

DEnsure the circuit configuration at the site level is properly set.

Answer : D

In Prisma SD-WAN, the effective throughput for any given circuit is fundamentally dictated by the Circuit Configuration defined at the site level. When a branch experiences a 'throughput ceiling' (e.g., traffic capped at 200 Mbps on a 1 Gbps physical link), the most likely cause is that the software-defined bandwidth limit for that circuit has been set incorrectly in the Prisma SD-WAN Controller.

Prisma SD-WAN ION devices do not simply forward traffic at the maximum physical line rate by default; they rely on the administrator-defined Upstream and Downstream bandwidth values to perform traffic shaping, policing, and path selection. If a circuit is physically capable of 1 Gbps but is configured in the portal as having only 200 Mbps, the ION device will enforce this 200 Mbps limit to prevent oversubscribing the link and to ensure that Quality of Service (QoS) and path selection calculations remain accurate based on the assumed capacity.

To resolve this, an engineer must navigate to the Site Configuration, locate the specific WAN circuit, and verify that the bandwidth settings match the actual service provider's handoff. If these values are set lower than the actual link speed, the device will artificially throttle the traffic. While ensuring the WAN interface is set to the correct speed/duplex (Option B) is a valid physical layer check, and QoS/Performance policies (Options A and C) manage how that bandwidth is used, it is the Circuit Configuration that defines the total available bandwidth for the SD-WAN fabric to utilize. Correcting this configuration allows the ION device to scale its throughput to match the full 1 Gbps capability of the broadband connection.

Question 7

What does Prisma SD-WAN use for monitoring and operations to deliver flow data and application visibility?

AADEM

BIPFIX

CSNMPv3

DIP SLA

Answer : B

Prisma SD-WAN is built on an application-defined fabric that prioritizes deep visibility into network traffic and application performance.1 To deliver the high-fidelity flow data and application visibility required for modern operations, Prisma SD-WAN utilizes IPFIX (Internet Protocol Flow Information Export).2 IPFIX is a standardized protocol based on NetFlow v9 that allows for the export of IP flow information from network devices to a collector or management system.3

In the Prisma SD-WAN architecture, ION devices act as the exporters.4 Because the system is application-aware, it doesn't just export basic 5-tuple information (source/destination IP, ports, and protocol); it exports rich metadata including application IDs, performance metrics (latency, jitter, packet loss), and path information. This allows the Prisma SD-WAN Controller and the associated Analytics engine to reconstruct a complete picture of every flow in the network.

While other protocols like SNMPv3 are supported for basic device health monitoring (such as CPU or interface status) and ADEM (Autonomous Digital Experience Management) provides end-to-end visibility for mobile users or SASE-connected branches, IPFIX is the primary 'engine' for flow-level data across the SD-WAN fabric. Unlike traditional IP SLA, which relies on synthetic probes, the IPFIX-based monitoring in Prisma SD-WAN uses real-time application traffic to assess performance. This ensures that the visibility provided in the Flow Browser and Analytics dashboards accurately reflects the actual user experience, enabling granular troubleshooting and proactive capacity planning.

Palo Alto Networks SD-WAN Engineer SD-WAN-Engineer Exam Questions