Free Practice Questions for Paloalto Networks SD-WAN-Engineer Exam

In a Data Center (DC) deployment, the ION device typically peers with a core router via Border Gateway Protocol (BGP) to exchange reachability information between the SD-WAN fabric and the legacy corporate network.2 When the ION is configured to learn only a default route ($0.0.0.0/0$) from the core, the entire SD-WAN fabric relies on this single BGP-learned route to reach internal resources not directly connected to the ION.

The primary risk in this design is network isolation caused by a BGP misconfiguration or a "soft failure" on the core router. If the BGP session stays "Up" but the core router stops advertising the default route due to a configuration error, the ION device will remove the route from its routing table. Without a valid path to the core, the branch sites connected to the DC ION will lose connectivity to all data center resources.

To mitigate this, the recommended best practice is to add a static default route with a higher Administrative Distance (AD) pointing to the core peer IPs.3 This acts as a "floating static route." Under normal operations, the BGP-learned default route (typically with an AD of 20 for eBGP) remains active in the routing table. If the BGP advertisement fails, the static route with the higher AD (e.g., 250) becomes active. This ensures that the ION device maintains a persistent gateway toward the core infrastructure, preventing total fabric isolation and providing a fail-safe mechanism while the BGP peering issue is remediated. While BFD (Option A) helps with fast peer failure detection, it does not solve the issue of a missing prefix advertisement. Static route redundancy provides the necessary architectural "safety net" for the data center's reachability.

Comprehensive and Detailed Explanation

In Prisma SD-WAN (CloudGenix), Path Policies control how application traffic is steered across WAN links. To ensure that traffic is automatically shifted from a saturated circuit to another circuit with available bandwidth, both circuits must be configured as Active Paths within the policy rule.

When multiple paths are designated as "Active," the ION device treats them as a shared pool of available resources. The system continuously monitors the bandwidth utilization (capacity) and health (latency, jitter, loss) of all active links. If "Circuit A" (500 Mbps) becomes saturated or approaches its defined bandwidth limit, the ION's intelligent scheduler will automatically direct new application flows to "Circuit B" (100 Mbps) because it is a valid, healthy Active path with available capacity. This achieves effective load balancing and bandwidth aggregation.

In contrast, configuring "Circuit B" as a Backup Path (Option A or B) creates a strict priority relationship. Traffic would only move to the Backup path if the Active path completely failed or violated its configured SLA (Path Quality Profile) significantly enough to be considered "down." Mere bandwidth saturation might not trigger an SLA failure immediately, potentially leading to dropped packets on the saturated link while the backup link remains idle. Therefore, placing Both circuits under active path is the correct configuration for dynamic capacity management.

In the Prisma SD-WAN ecosystem, the centralized cloud controller provides a robust multi-layered visibility framework to ensure network reliability. To effectively detect critical events like site outages or application performance issues (SLA violations), the controller aggregates several types of operational data. Incidents are the primary mechanism for high-level alerting; they are automatically generated when the system detects significant state changes, such as an ION device going offline (site outage) or a path failing to meet the required performance metrics.

While Incidents provide the "what" and "where," Alerts offer granular notifications for specific events that may not yet have escalated to a full-scale incident. To provide deep context, the controller also utilizes Statistics, which include real-time and historical telemetry regarding bandwidth, latency, jitter, and packet loss. These statistics allow administrators to visualize the specific SLA violation as it occurs. Furthermore, Audit logs are essential for tracking configuration changes or administrative actions that might have preceded an outage, helping engineers correlate human intervention with network behavior.

By combining these four elements—Incidents for major events, Alerts for specific notifications, Statistics for performance validation, and Audit logs for change tracking—a network administrator gains a 360-degree view of the fabric. This comprehensive approach moves beyond simple "up/down" monitoring, allowing for "Day 2" operational excellence where performance degradation is identified and remediated before it impacts the end-user experience.

Comprehensive and Detailed Explanation

Prisma SD-WAN (formerly CloudGenix) defines three distinct Operational Modes for a branch site, which determine how the ION device processes traffic and interacts with the network.

Analytics Mode (Monitor): In this mode, the ION device is typically deployed inline or in a "promiscuous" monitor state to gain visibility into network traffic without actively enforcing path selection policies.1 It "learns" applications, bandwidth usage, and network characteristics (auditing) but does not steer traffic or block flows.2 This is often used during Proof of Concepts (POVs) or the initial "burn-in" phase of a deployment to generate reports without risking network disruption.

Control Mode: This is the full production state. In Control Mode, the ION device actively enforces Path Policies, QoS Policies, and Security Policies. It builds Secure Fabric VPN tunnels, steers traffic based on application SLAs (e.g., sending voice over MPLS and bulk data over Broadband), and handles failover events.3 This is the required mode for a fully functional SD-WAN site.

Disabled Mode: This mode effectively shuts down the site's SD-WAN functionality from the controller's perspective. It is an administrative state used when a site is being decommissioned, provisioned but not yet live, or isolated for troubleshooting. In this state, the device does not participate in the fabric.

Comprehensive and Detailed Explanation

The Flow Browser and App Response Time metrics in Prisma SD-WAN are critical tools for isolating the fault domain—determining whether a problem lies in the "Network" or the "Application."

Network Transfer Time (NTT) / Round Trip Time (RTT): These metrics measure the time it takes for packets to traverse the network (WAN/LAN) and for acknowledgments to return. A low NTT (e.g., <50ms) confirms that the network pipes (SD-WAN overlay, Underlay circuits) are healthy and transporting packets quickly.

Server Response Time (SRT): This metric specifically measures the time between the server receiving a request and the server sending the first byte of the response. It essentially measures the "processing time" of the backend server.

In the scenario described, the network metrics (NTT/RTT) are excellent, effectively ruling out WAN congestion, packet loss, or latency (Option A and C). However, the Server Response Time (SRT) is very high (500ms). This signature is a definitive indicator that the network delivered the request instantly, but the application server took a long time to process it. This points the troubleshooting effort toward the server infrastructure (e.g., a slow SQL query, an overloaded web server, or lack of compute resources) rather than the SD-WAN environment.

Comprehensive and Detailed Explanation

In the Prisma SD-WAN (CloudGenix) Zero Touch Provisioning (ZTP) lifecycle, the device status transitions through specific stages that indicate its readiness and connectivity.

When an administrator enters the Claim Code (or Serial Number/Claim Code pair) into the portal, the device status immediately updates to "Claimed".

This status confirms that the portal has registered the device's unique identity and associated it with the customer's tenant. However, "Claimed" does not necessarily mean the device is fully operational or passing traffic yet. It simply signifies that the ownership is verified.

Once the physical device at the site successfully connects to the internet and reaches the Prisma SD-WAN Controller (using the call-home function), it will authenticate using its installed certificate. Upon successful authentication and the establishment of the secure control channel, the status will transition from "Claimed" to "Online".

Only after the device is "Online" can the controller push the specific site configuration (Device Shell), policies, and IP addressing required for the device to become "Provisioned" and eventually "Active" in the data path. If the device remains in the "Claimed" state for an extended period, it indicates that the hardware has not yet successfully contacted the controller, which prompts troubleshooting of the physical internet circuit or firewall rules upstream.

In Prisma SD-WAN, application performance is monitored through distinct metrics that separate network health from application health. The provided graph displays Network Transfer Time (NTT) in blue and Server Response Time (SRT) in orange. NTT measures the round-trip time of packets traversing the WAN fabric, while SRT measures the time elapsed from when the server receives a request to when it sends the first response packet.

Analysis of the telemetry data shows that the NTT (blue line) remains consistently low and stable, generally staying below 100 milliseconds throughout the capture period. This indicates that the SD-WAN path and underlying network circuits are not the source of the latency. Conversely, the SRT (orange line) exhibits significant and erratic spikes, reaching as high as 450 to 475 milliseconds. These spikes occur while the network latency (NTT) remains flat.

Because the latency increases are isolated to the SRT metric, the root cause is confirmed to be on the Application Server side. This pattern typically suggests that the server is struggling with resource exhaustion, high CPU utilization, or database query delays during peak processing times. For a real-time application, these SRT spikes translate directly to jitter and "lag" for the end-user. By distinguishing between these two metrics, Prisma SD-WAN allows network administrators to prove that the network is performing within SLA and shift the troubleshooting focus to the application or server management teams, significantly reducing mean time to innocence (MTTI).

In a Prisma SD-WAN deployment, the formation of VPN tunnels between a branch ION device and a Data Center (DC) ION is governed by specific configuration parameters that define how an interface interacts with the WAN fabric. When a secondary public circuit is introduced, the system requires precise classification to initiate the negotiation of security associations.

The first critical factor is the Interface Role. For an ION device to attempt to build a global fabric tunnel over a public circuit, the interface must be explicitly assigned the "Internet" role. If the role is incorrectly set (e.g., as "LAN" or left unconfigured), the device will not treat that physical port as a viable path for the SD-WAN overlay, preventing the tunnel from initiating.

Secondly, the Circuit Label plays a vital role in the path selection and tunnel orchestration logic. Prisma SD-WAN uses labels to match local branch circuits with corresponding circuits at the data center or other branches. If a circuit label is missing or mismatched on the interface configuration, the Controller cannot properly orchestrate the "bind" between the branch and the hub. Without a valid label, the ION device doesn't know which path group the circuit belongs to, and consequently, the automated tunnel signaling process fails to complete.

While DNS is important for management connectivity to the Controller, it is generally not the primary blocker for site-to-site tunnel formation if the Controller reachability is already established via the primary circuit. Similarly, "Interface Scope" is more relevant to routing advertisement rather than the foundational establishment of the SD-WAN tunnel itself. Therefore, ensuring the Internet role and Circuit Label are correctly applied is the standard troubleshooting step for non-forming tunnels on new circuits.

Comprehensive and Detailed Explanation

When deploying Prisma Access for Remote Networks (connecting branch offices), the licensing and throughput model is based on aggregate bandwidth allocated to specific compute locations (regions).

Bandwidth Allocation (Option D): Administrators must purchase and allocate a specific amount of bandwidth (e.g., 500 Mbps, 1 Gbps) to a Prisma Access "Compute Location" (e.g., US West, Europe Central). This allocated bandwidth is then shared as a pool among all the branch sites (Remote Networks) that onboard and terminate their IPSec tunnels at that specific location. The system does not allocate bandwidth on a strict per-site basis but rather enforces the limit on the aggregate throughput of the compute node itself.

Policy Enforcement (Option A): Security policies for Prisma Access are enforced in the cloud (at the Prisma Access Service Processing Node), not pushed down to the branch ION devices for local enforcement. The ION device handles local segmentation (ZBFW) and traffic steering, but the "Remote Network" security stack resides in the cloud.

Path Usage (Option C): Prisma SD-WAN is designed to utilize Active/Active paths. When a branch has multiple internet circuits connected to Prisma Access, the CloudBlade and ION automatically build tunnels on all compatible paths and can load-balance traffic across them based on application performance (SLA), rather than defaulting to a strict Active/Standby model for internet traffic.