What are two potential causes when a secondary public circuit has been added to the branch site, but the Prisma SD-WAN tunnel is not forming to the data center? (Choose two.)
Answer : A, B
In a Prisma SD-WAN deployment, the formation of VPN tunnels between a branch ION device and a Data Center (DC) ION is governed by specific configuration parameters that define how an interface interacts with the WAN fabric. When a secondary public circuit is introduced, the system requires precise classification to initiate the negotiation of security associations.
The first critical factor is the Interface Role. For an ION device to attempt to build a global fabric tunnel over a public circuit, the interface must be explicitly assigned the 'Internet' role. If the role is incorrectly set (e.g., as 'LAN' or left unconfigured), the device will not treat that physical port as a viable path for the SD-WAN overlay, preventing the tunnel from initiating.
Secondly, the Circuit Label plays a vital role in the path selection and tunnel orchestration logic. Prisma SD-WAN uses labels to match local branch circuits with corresponding circuits at the data center or other branches. If a circuit label is missing or mismatched on the interface configuration, the Controller cannot properly orchestrate the 'bind' between the branch and the hub. Without a valid label, the ION device doesn't know which path group the circuit belongs to, and consequently, the automated tunnel signaling process fails to complete.
While DNS is important for management connectivity to the Controller, it is generally not the primary blocker for site-to-site tunnel formation if the Controller reachability is already established via the primary circuit. Similarly, 'Interface Scope' is more relevant to routing advertisement rather than the foundational establishment of the SD-WAN tunnel itself. Therefore, ensuring the Internet role and Circuit Label are correctly applied is the standard troubleshooting step for non-forming tunnels on new circuits.
While designing a greenfield Prisma SD-WAN solution for a retailer, the risk management group requires segmentation of the retail network to avoid one large fault domain.
The following data points are provided:
Two data centers and all sites need to access applications in both data centers
1000 retail branches with stores concentrated in multiple metropolitan areas
Data Center 1 and Data Center 2 have different sets of applications that are not replicated
Maintaining application availability is the primary goal
Which action will segment the retail network and reduce regional outages?
Answer : C
In large-scale Prisma SD-WAN deployments, such as a retail network with 1,000 branches, architectural resilience is achieved through a strategy known as Hub Clustering. A Data Center Cluster is a logical grouping of ION devices at a hub site that provides termination for branch-to-DC VPN tunnels. To prevent the creation of a massive, single fault domain, Palo Alto Networks best practices recommend segmenting the branch population across multiple clusters.
By creating more than one data center cluster in each data center and strategically assigning sites to these clusters, an administrator can effectively isolate failure events. In a metropolitan area where stores are concentrated, spreading nearby retail locations across different clusters ensures that a localized resource failure or a cluster-specific misconfiguration only impacts a subset of the stores in that region rather than causing a complete regional outage.
This design directly addresses the requirement for maintaining application availability. Since Data Center 1 and Data Center 2 host different applications, each branch site must maintain active paths to both DCs. By using multiple clusters at each DC, the risk management group's goal of avoiding a large fault domain is met through 'blast radius' containment. If Cluster A at Data Center 1 fails, the 1,000 sites are not all affected simultaneously; instead, only the specific sites bound to Cluster A lose connectivity to that hub, while their neighbors bound to Cluster B remain functional. This approach provides the highest level of regional resiliency and operational stability for high-density retail environments.
The UI triggers incident DEVICESW_CONCURRENT_FLOWLIMIT_EXCEEDED for a branch site. Based in the image below, which tool can be used to identify the host?

Answer : B
When a Prisma SD-WAN ION device triggers the DEVICESW_CONCURRENT_FLOWLIMIT_EXCEEDED incident, it indicates that the number of active sessions has reached the hardware or software-defined capacity limit of that specific appliance. In the provided graph, we can see a massive spike in concurrent TCP flows on May 13th, reaching nearly 500k, which is a clear indicator of anomalous behavior---likely a 'top talker' host, a malware outbreak, or a misconfigured application generating excessive connections.
To identify the specific host responsible for this surge, administrators should navigate to Monitor Activity Flows. This interface, commonly known as the Flow Browser, provides the most granular visibility into real-time and historical session data within the Prisma SD-WAN fabric. Unlike 'Transaction Stats,' which provide high-level summaries, or 'New Flows,' which only show the rate of session initiation, the Flows view allows an engineer to filter and sort the active session table by metadata such as Source IP, Destination IP, Application, and Site.
By utilizing the Flow Browser, an administrator can quickly group flows by 'Source IP' to pinpoint exactly which internal host is consuming the most flow table entries. This is the standard 'Day 2' operational workflow for troubleshooting performance and capacity incidents. While running a tcpdump (Option A) is a valid diagnostic for packet-level analysis, it is inefficient for identifying a single host among hundreds of thousands of flows and can further tax the device's CPU during a high-load event. The Monitor Activity Flows tool is designed specifically for this type of scale, providing the necessary visibility to remediate the flow limit exhaustion and restore normal network operations.
A branch manager reports slow network performance, and the network administrator wants to use Prisma SD-WAN Copilot to quickly identify if a specific user, by source IP address, is consuming excessive bandwidth as well as which applications are contributing to this consumption. How can Copilot assist in this investigation?
Answer : C
Prisma SD-WAN Copilot is an AI-powered operational tool designed to simplify network management through Natural Language Processing (NLP). Traditionally, identifying a bandwidth 'hog' required manual navigation through multiple dashboards, such as WAN Clarity and the Flow Browser, to correlate source IP addresses with specific application flows and timestamps. Copilot transforms this workflow by allowing administrators to interact with the system using conversational queries.
When an administrator inputs a query like ''Show top bandwidth source IPs at SD-WAN Branch X over last 3 hours,'' Copilot leverages its underlying machine learning models and integrated data lake to aggregate telemetry across the entire fabric. It instantly identifies the specific source IPs responsible for the highest throughput and correlates that data with application visibility. Instead of providing a static report or redirecting the user to other tools, Copilot presents an interactive, summarized view directly within the interface. This view highlights the top-consuming users and breaks down their consumption by application, such as YouTube, Netflix, or business-critical SaaS tools.
This capability significantly reduces the Mean Time to Resolution (MTTR) for performance issues. By bypassing the need for manual data correlation, Copilot provides immediate 'Day 2' operational insights. It effectively acts as a virtual assistant that understands the context of the network topology, site names, and time ranges, allowing the administrator to quickly determine if a branch's slow performance is due to an individual user's behavior or a broader infrastructure issue.
When using the CloudBlade to integrate Prisma SD-WAN with Prisma Access, how does the system ensure that the IPSec tunnels between the branch ION and the Prisma Access Security Processing Node (SPN) are kept alive during periods of no user traffic?
Answer : C
Comprehensive and Detailed Explanation
The stability of VPN tunnels in the Prisma SD-WAN + Prisma Access integration relies on standard IPSec mechanisms.
Dead Peer Detection (DPD): The CloudBlade configuration automatically enables DPD on the IPSec tunnels it provisions.
Mechanism: DPD is a standard keepalive mechanism where the ION device sends periodic 'R-U-THERE' messages to the Prisma Access gateway (and vice versa). If no acknowledgment is received after a specific count/timer, the ION marks the tunnel as down and attempts to re-key or switch to a backup path.
Synthetic Probes (B): While Synthetic Probes (part of ADEM or Path Quality monitoring) can be configured to measure latency/loss, the fundamental mechanism that keeps the IPSec security association (SA) active and detects link failure is DPD, not an application-layer probe.
A network engineer is troubleshooting a user complaint regarding "slow application performance" for an internal web application. While viewing the Flow Browser in the Prisma SD-WAN portal, the engineer notices that the Server Response Time (SRT) is consistently high (over 500ms), while the Network Transfer Time (NTT) and Round Trip Time (RTT) are low (under 50ms).
What does this data indicate about the root cause of the issue?
Answer : B
Comprehensive and Detailed Explanation
The Flow Browser and App Response Time metrics in Prisma SD-WAN are critical tools for isolating the fault domain---determining whether a problem lies in the 'Network' or the 'Application.'
Network Transfer Time (NTT) / Round Trip Time (RTT): These metrics measure the time it takes for packets to traverse the network (WAN/LAN) and for acknowledgments to return. A low NTT (e.g., <50ms) confirms that the network pipes (SD-WAN overlay, Underlay circuits) are healthy and transporting packets quickly.
Server Response Time (SRT): This metric specifically measures the time between the server receiving a request and the server sending the first byte of the response. It essentially measures the 'processing time' of the backend server.
In the scenario described, the network metrics (NTT/RTT) are excellent, effectively ruling out WAN congestion, packet loss, or latency (Option A and C). However, the Server Response Time (SRT) is very high (500ms). This signature is a definitive indicator that the network delivered the request instantly, but the application server took a long time to process it. This points the troubleshooting effort toward the server infrastructure (e.g., a slow SQL query, an overloaded web server, or lack of compute resources) rather than the SD-WAN environment.
When troubleshooting an issue at a site that is running on two cellular links from two carriers, the operations team shared some evidence shown in the graph below:
(SNR Graph showing Carrier-1 in blue dropping to near 0 dB and Carrier-2 in green staying relatively stable between 4.5 dB and 6.5 dB)

For the time duration shown in the graph, what are two inferences about the site's traffic that can be made? (Choose two.)
Answer : A, D
In Prisma SD-WAN, the Signal-to-Noise Ratio (SNR) is a critical metric used to monitor the health and performance of cellular WAN interfaces. SNR measures the strength of the desired signal relative to the background noise level; higher values indicate a cleaner signal, while lower values suggest that noise is overwhelming the signal, typically leading to increased packet loss, high latency, and reduced throughput.
Analyzing the provided graph, Carrier-1 (blue line) shows a severe drop in SNR, plummeting from approximately 4.5 dB to nearly 0.3 dB between 15:00 and 23:00. An SNR value this low is indicative of a failing or highly unstable link that cannot reliably sustain data traffic, directly supporting Inference A---that Carrier-1 experienced significant performance degradation. In contrast, Carrier-2 (green line) maintains a much higher and more consistent SNR throughout the same period.
Prisma SD-WAN's AppFabric uses application-based path selection and SLA monitoring to ensure the best possible user experience. When the system detects that a primary path (like Carrier-1) has degraded below acceptable thresholds---often triggered by high loss or latency resulting from poor signal quality---it will dynamically steer application flows to an alternative healthy path. Therefore, Inference D is correct: because Carrier-1's quality became untenable while Carrier-2 remained stable, the ION device would have likely initiated a path switchover to move traffic from the degraded Carrier-1 to the healthier Carrier-2.