SD-WAN-Engineer Exam Study Guide Free Practice Test LAST UPDATED DATE Jun 24, 2026
NEW QUESTION # 11
For how many hours are Prisma SD-WAN VPN shared secrets valid?
- A. 0
- B. 1
- C. 2
- D. 3
Answer: D
Explanation:
In the Prisma SD-WAN architecture, security is built directly into the AppFabric using a centralized, controller-led approach to key management. Unlike traditional VPNs that rely on manual Internet Key Exchange (IKE) or static Pre-Shared Keys (PSKs), which are administratively burdensome and security-vulnerable, Prisma SD-WAN automates the entire lifecycle of encrypted tunnels. The Prisma SD-WAN Controller acts as the central authority for identity and key distribution for all ION (Instant-On Network) devices within the tenant's fabric.
Specifically, the VPN shared secrets used to secure these tunnels are ephemeral and are valid for exactly 24 hours. This 24-hour validity period is a security best practice implemented by Palo Alto Networks to limit the "blast radius", or window of exposure, in the unlikely event that a key is compromised. The controller automatically handles the generation, distribution, and rotation of these secrets. Before the 24-hour timer expires, the controller pushes new keys to the ION devices, which then perform a hitless rollover. This ensures that the data plane remains active and encrypted without requiring manual intervention from a network administrator. If an ION device loses its control plane connection to the controller, it will maintain its existing tunnels using the current keys until they expire, at which point it must re-authenticate with the controller to receive a new set of valid secrets. This automated rotation is a core component of the Prisma SD-WAN Zero-Trust security model.
NEW QUESTION # 12
A customer wants to deploy Prisma SD-WAN ION devices at small home offices that use consumer-grade broadband routers. These routers typically use Symmetric NAT and do not allow static port forwarding.
Which standard mechanism does Prisma SD-WAN utilize to successfully establish direct Branch-to-Branch (Dynamic) VPN tunnels through these Symmetric NAT devices?
- A. UPnP (Universal Plug and Play)
- B. Manual GRE Tunnels
- C. STUN (Session Traversal Utilities for NAT)
- D. SSL VPN encapsulation
Answer: C
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN utilizes STUN (Session Traversal Utilities for NAT) to facilitate NAT Traversal for its Secure Fabric overlay.
* Discovery: When an ION device connects to the internet behind a NAT router, it reaches out to the Prisma SD-WAN Controller. The controller acts as a STUN server, identifying the public IP address and port that the ION's traffic is originating from.
* Symmetric NAT Challenge: In Symmetric NAT, the mapping changes for every destination. However, the Prisma SD-WAN architecture is designed to handle this by having the controller coordinate the connection attempt.
* Hole Punching: The controller shares the discovered public mapping information between two peer ION devices. They then simultaneously initiate traffic to each other's public IP/Port (a technique called "UDP Hole Punching"). This tricks the intermediate NAT devices into allowing the inbound traffic, establishing a direct P2P IPSec tunnel without requiring manual port forwarding or static IPs at the edge.
NEW QUESTION # 13
An organization has created a custom internal application definition for "Inventory_App" on the Prisma SD-WAN controller based on its destination IP address and port (L3/L4 rule). The application server IP has just changed.
After updating the custom application definition on the controller, how is this change propagated to the branch ION devices?
- A. The change will only take effect after the daily "App-ID" scheduled update.
- B. The controller automatically pushes the updated Application Definition (App-Def) to all ION devices immediately.
- C. The administrator must reboot the ION devices for the new object to load.
- D. The administrator must manually "Push" the policy to all sites.
Answer: B
Explanation:
Comprehensive and Detailed Explanation
In Prisma SD-WAN, Custom Applications are global policy objects managed centrally on the controller.
Immediate Propagation: When an administrator creates or modifies a Custom Application definition (e.g., updating the IP subnet or port for an internal app), the Prisma SD-WAN controller automatically pushes this update to all connected ION devices in the tenant.
No Manual Push: Unlike some legacy firewall management paradigms (like Panorama "Commit and Push"), the Prisma SD-WAN architecture is "intent-based" and continuously synchronized. A change to a global object like an App Definition is considered a live configuration change and is distributed immediately via the secure control channel.
No Reboot: The ION data plane updates its classification engine dynamically without interrupting traffic or requiring a reboot. This ensures that policy enforcement (steering "Inventory_App" to the correct path) remains accurate in real-time.
NEW QUESTION # 14
A remote branch site is reporting intermittent connectivity to the Data Center. The administrator checks the System > Alarms page and sees a "VPN_DOWN" alarm for the tunnel to the DC. However, the internet circuit status is "Up".
Which specific log file or diagnostic tool in the Prisma SD-WAN portal would provide the IKE (Internet Key Exchange) error codes (e.g., "NO_PROPOSAL_CHOSEN" or "AUTH_FAILED") to pinpoint the cause of the tunnel failure?
- A. Link Quality Graphs
- B. Flow Browser
- C. Site Summary > Topology
- D. Event Logs > System
Answer: D
Explanation:
Comprehensive and Detailed Explanation
To diagnose specific VPN negotiation failures (Phase 1 or Phase 2 IPSec issues), the Event Logs (specifically filtered for System or VPN events) are the correct resource.
Event Logs: This section records the control plane signaling messages. If a VPN tunnel fails to establish, the Event Log will generate an entry containing the specific IKE failure reason sent by the peer or generated locally. Common errors found here include INVALID_COOKIE, NO_PROPOSAL_CHOSEN (mismatch in encryption algorithms), or PRE_SHARED_KEY_MISMATCH.
Flow Browser (B): This shows user traffic (TCP/UDP sessions). If the VPN is down, user traffic won't even enter the tunnel, so the Flow Browser will only show dropped or blackholed flows; it won't explain why the tunnel itself is broken.
Link Quality Graphs (A): These show latency/loss graphs for established tunnels. They cannot diagnose why a tunnel failed to form in the first place.
NEW QUESTION # 15
In a Data Center deployment, what is the key functional difference between configuring a BGP neighbor as a "Core Peer" versus an "Edge Peer"?
- A. A Core Peer is used for connecting to the internet, while an Edge Peer connects to the MPLS provider.
- B. A Core Peer supports eBGP only, while an Edge Peer supports iBGP only.
- C. A Core Peer automatically redistributes learned routes into the SD-WAN fabric, whereas an Edge Peer does not.
- D. A Core Peer is used for LAN-side routing to learn DC prefixes, while an Edge Peer is used for WAN-side routing to the Service Provider.
Answer: D
Explanation:
Comprehensive and Detailed Explanation
In the Prisma SD-WAN Data Center (DC) model, the terminology for BGP peers defines their role in the topology and how the system generates route maps.
Core Peer: This peer type is designated for the LAN-side connection (facing the DC Core Switch or internal Routers). Its primary purpose is to learn the subnets/prefixes hosted in the data center so the ION can advertise them to the remote branches. The system automatically creates route maps to facilitate this redistribution into the fabric.
Edge Peer: This peer type is designated for the WAN-side connection (facing the Edge Router or MPLS PE). Its primary purpose is to provide reachability to the underlay network.
Distinction: Selecting the correct type affects the default Route Maps and Prefix Lists generated by the controller. Configuring a Core Peer correctly ensures that the DC's internal subnets are properly learned and propagated to the overlay, whereas an Edge Peer configuration focuses on WAN next-hop reachability.
NEW QUESTION # 16
When deploying a branch gateway, secure fabric VPN tunnels are automatically established between which two site types? (Choose two.)
- A. Branch gateway to data center
- B. Branch to branch gateway (different domain)
- C. Branch gateway to branch gateway
- D. Branch to branch gateway (same domain)
Answer: A,C
Explanation:
In the Prisma SD-WAN (Instant-On Network) architecture, the "Secure Fabric" is a key feature that simplifies VPN orchestration through automation. When an ION device is deployed at a site and associated with a specific role, the Prisma SD-WAN Controller automatically manages the establishment of encrypted VPN tunnels without requiring manual IPsec configuration.
The most fundamental tunnel type is Branch gateway to data center (Option A). By default, the system follows a hub-and-spoke model where every branch ION device automatically attempts to build secure tunnels to all available Data Center clusters within its domain. This ensures that branch locations have immediate, redundant connectivity to centralized corporate resources and applications as soon as they are brought online.
Additionally, Prisma SD-WAN supports automated Branch gateway to branch gateway connectivity (Option C). Unlike traditional architectures that backhaul all traffic through a central hub, the Prisma SD-WAN fabric can dynamically establish "spoke-to-spoke" tunnels between branch gateways to facilitate direct communication. This is particularly useful for latency-sensitive applications like Voice over IP (VoIP) or video conferencing. While this can be configured as a "full mesh" where all sites build tunnels to all other sites, the controller intelligently manages these connections based on the defined site roles and domain configurations to optimize resource usage and performance. Options B and D are incorrect because the fabric orchestration logic is primarily focused on the functional roles of the gateways (Branch vs. Data Center) rather than "domains" in the context of tunnel initiation.
NEW QUESTION # 17
A network installer is attempting to claim a new ION device using the "Claim Code" method. The device is connected to the internet, but the status in the portal remains stuck at "Claimed" and does not transition to "Online". The installer connects a laptop to the LAN port of the ION and can successfully browse the internet, confirming the uplink is active.
What is the most likely cause of the device failing to reach the "Online" state?
- A. The device is missing the "Site" assignment in the portal.
- B. The upstream firewall is blocking outbound TCP port 443 or UDP port 123 (NTP).
- C. The "Circuit Label" has not been applied to the WAN interface.
- D. The device has not yet downloaded the latest software image.
Answer: B
Explanation:
Comprehensive and Detailed Explanation
The transition from "Claimed" to "Online" depends entirely on the ION device's ability to establish a secure, persistent management tunnel to the Prisma SD-WAN Controller.
* Connectivity Requirements: The ION device initiates an outbound connection to the controller on TCP Port 443 (HTTPS). It also requires accurate time synchronization to validate SSL certificates, necessitating access to NTP (UDP Port 123).
* Scenario Analysis: Since the installer can browse the internet from the LAN, we know the physical link and basic routing/NAT are functional. The issue is specific to the management plane traffic.
* Root Cause: If an upstream firewall (e.g., a corporate edge firewall or ISP filter) is inspecting SSL traffic or blocking specific FQDNs/Ports required by the ION, the device cannot complete the handshake. Consequently, it remains "Claimed" (registered in the database) but cannot go "Online" (active management session). Options A, C, and D prevent provisioning (configuration push) but generally do not prevent the device from initially checking in and going "Online" if the pipe is open.
NEW QUESTION # 18
While designing a greenfield Prisma SD-WAN solution for a retailer, the risk management group requires segmentation of the retail network to avoid one large fault domain.
The following data points are provided:
* Two data centers and all sites need to access applications in both data centers
* 1000 retail branches with stores concentrated in multiple metropolitan areas
* Data Center 1 and Data Center 2 have different sets of applications that are not replicated
* Maintaining application availability is the primary goal
Which action will segment the retail network and reduce regional outages?
- A. Implement a single, large data center cluster spanning both data centers to centralize management and optimize resource use.
- B. Create more than one data center cluster in each data center and assign sites to clusters so nearby retail locations can be spread on separate clusters.
- C. Create more than one data center cluster for a larger pool of resources and resiliency.
- D. Add more data center aggregation devices within the same cluster to enhance the scalability and resilience.
Answer: B
Explanation:
In large-scale Prisma SD-WAN deployments, such as a retail network with 1,000 branches, architectural resilience is achieved through a strategy known as Hub Clustering. A Data Center Cluster is a logical grouping of ION devices at a hub site that provides termination for branch-to-DC VPN tunnels. To prevent the creation of a massive, single fault domain, Palo Alto Networks best practices recommend segmenting the branch population across multiple clusters.
By creating more than one data center cluster in each data center and strategically assigning sites to these clusters, an administrator can effectively isolate failure events. In a metropolitan area where stores are concentrated, spreading nearby retail locations across different clusters ensures that a localized resource failure or a cluster-specific misconfiguration only impacts a subset of the stores in that region rather than causing a complete regional outage.
This design directly addresses the requirement for maintaining application availability. Since Data Center 1 and Data Center 2 host different applications, each branch site must maintain active paths to both DCs. By using multiple clusters at each DC, the risk management group's goal of avoiding a large fault domain is met through "blast radius" containment. If Cluster A at Data Center 1 fails, the 1,000 sites are not all affected simultaneously; instead, only the specific sites bound to Cluster A lose connectivity to that hub, while their neighbors bound to Cluster B remain functional. This approach provides the highest level of regional resiliency and operational stability for high-density retail environments.
NEW QUESTION # 19
An ION 3000 device at a remote branch has suffered a critical hardware failure and must be replaced via the RMA process. The administrator has received the replacement unit.
What is the correct procedure to transfer the configuration and license from the defective unit to the replacement unit to ensure minimal downtime and retention of historical data?
- A. Backup the configuration of the old device to a USB drive and restore it to the new device using the local console.
- B. Manually configure the new device from scratch, then open a support ticket to transfer the license.
- C. Use the "Replace Device" workflow in the Prisma SD-WAN portal, which automatically transfers the configuration (Device Shell) and re-associates the site to the new serial number.
- D. Delete the old device from the portal, create a new site for the replacement device, and rebuild the policies manually.
Answer: C
Explanation:
Comprehensive and Detailed Explanation
The RMA replacement process in Prisma SD-WAN is designed to be seamless, leveraging the decoupling of logical configuration from physical hardware.
Replace Device Workflow: The administrator should use the "Replace Device" (or RMA) function within the portal. This workflow allows you to select the "Defective" device (old serial) and the "Replacement" device (new serial).
Configuration Transfer: Once executed, the system automatically binds the existing Device Shell (which contains all interface configs, routing policies, and site associations) to the new hardware's serial number. The new device, once connected to the internet, will "call home," identify itself, and download the exact configuration of the previous unit.
License Transfer: While the configuration moves automatically, the Support License transfer typically requires a specific step in the Customer Support Portal (CSP) or happens automatically if processed as a formal RMA order. Options B and D are incorrect because they involve manual reconfiguration, which is unnecessary and error-prone. Option A is incorrect because the ION platform relies on cloud-based configuration management, not local USB backups, for hardware swaps.
NEW QUESTION # 20
When configuring a Path Policy rule for a "Real-Time Video" application, the administrator wants to ensure the traffic uses the path with the lowest packet loss.
How does the Prisma SD-WAN ION determine the "Packet Loss" metric for a given path when there is no active user traffic flowing on that link?
- A. It sends Active Probes (synthetic UDP packets) across the Secure Fabric to measure path quality continuously.
- B. It defaults to a static value of 0% loss until user traffic begins.
- C. It relies solely on Passive Monitoring of TCP retransmissions from other user traffic on that link.
- D. It queries the ISP's router via SNMP to retrieve interface error counters.
Answer: A
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN utilizes Link Quality Monitoring (LQM) to maintain a real-time health score for every WAN path.
To ensure the system knows the quality of a path before sending critical user traffic onto it, the ION device uses Active Probing.
Mechanism: The ION sends synthetic probe packets (typically UDP) across the Secure Fabric (VPN tunnels) and Direct Internet paths to its peers. These probes measure Latency, Jitter, and Packet Loss.
Active vs. Passive: While the system does use Passive Monitoring (observing actual user flows) when traffic is present to reduce overhead, Active Probes are essential for idle links or backup paths. Without active probing, the ION would have no data to make an intelligent steering decision for the first packet of a new video call. This ensures that "Real-Time" policies always have up-to-date metrics to select the best path immediately.
NEW QUESTION # 21
When troubleshooting an issue at a site that is running on two cellular links from two carriers, the operations team shared some evidence shown in the graph below:
For the time duration shown in the graph, what are two inferences about the site's traffic that can be made?
(Choose two.)
- A. Using Carrier-1 as the WAN path may have experienced some performance degradation.
- B. Using Carrier-2 as the WAN path may have experienced some performance degradation.
- C. Using Carrier-1 as the WAN path may have switched over to Carrier-2.
- D. Using Carrier-2 as the WAN path may have switched over to Carrier-1.
Answer: A,C
Explanation:
The provided graph displays the Signal-to-Noise Ratio (SNR) for two cellular carriers, Carrier-1 (blue line) and Carrier-2 (green line), over a specific period. In cellular communications, SNR is a critical metric used to determine the quality of a wireless signal. A higher SNR indicates a cleaner, stronger signal, while a lower SNR indicates that the signal is being "drowned out" by background noise or interference, which directly correlates to performance degradation, packet loss, and lower throughput.
Looking at the graph, Carrier-1 experiences a significant and sustained drop in SNR, falling from roughly 4.5 dB to nearly 0.5 dB for the majority of the time duration. This drastic reduction in signal quality strongly suggests that Carrier-1 may have experienced performance degradation (Option A). During this dip, the link quality would likely fall below the configured thresholds for business-critical application traffic.
Because Prisma SD-WAN is an application-defined fabric that continuously monitors path health, the ION device would detect this degradation on Carrier-1. If Carrier-2 maintains a significantly higher and more stable SNR (as shown by the green line remaining between 4.5 dB and 6.5 dB), the ION device's Path Selection engine would automatically steer traffic away from the degraded link. Consequently, it is highly probable that Carrier-1 traffic switched over to Carrier-2 (Option C) to maintain the application SLA. This automated failover is a core strength of the Prisma SD-WAN architecture, ensuring that the best available path is utilized based on real-time link statistics rather than simple "up/down" states.
NEW QUESTION # 22
Two branch sites, "Branch-A" and "Branch-B", are both behind active NAT devices (Source NAT) on their local internet circuits.
What requirement must be met for these two branches to successfully establish a direct Dynamic VPN (ION-to-ION) tunnel over the internet?
- A. The ION devices automatically use STUN (Session Traversal Utilities for NAT) to discover their public IPs and negotiate the connection.
- B. Dynamic VPNs are not supported if both sides are behind NAT.
- C. One of the sites must have a Static Public IP (1:1 NAT) to act as the initiator.
- D. Both sites must disable NAT and use public IPs on the ION interface.
Answer: A
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN supports Dynamic VPNs (Branch-to-Branch) even when both endpoints are behind Source NAT (e.g., typical broadband connections).
To achieve this, the ION devices utilize standard NAT Traversal techniques, specifically leveraging STUN (Session Traversal Utilities for NAT).
Discovery: Each ION communicates with the Cloud Controller (which acts as a STUN server/signaling broker). Through this communication, the controller observes the public IP and Port that the ION's traffic is coming from (the post-NAT address).
Signaling: The controller shares this public reachability information with the peer ION.
Hole Punching: The IONs then attempt to initiate connections to each other's discovered public IP/Port. This "UDP Hole Punching" allows them to establish a direct IPSec tunnel through the NAT devices without requiring static 1:1 NAT mapping or manual port forwarding on the provider routers, enabling mesh connectivity in commodity internet environments.
NEW QUESTION # 23
An administrator needs to generate a monthly report showing the "Top Applications" by bandwidth usage across all branch sites to justify a bandwidth upgrade.
Which specific component of the Prisma SD-WAN interface is designed to create, schedule, and email these PDF summaries?
- A. Media Analytics
- B. Flow Browser
- C. Activity Charts
- D. Reports
Answer: D
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN separates real-time visibility from historical summarization.
Reports (D): The Reports section is the dedicated engine for generating historical summaries. Administrators can create custom report templates (e.g., "Monthly Executive Summary") that include specific widgets like "Top Applications by Volume," "Site Availability," or "Circuit Utilization." Crucially, this feature allows for Scheduling, where the system automatically generates the PDF report at a set interval (e.g., the first day of the month) and emails it to a distribution list.
Activity Charts (C) / Media Analytics (A): These provide interactive, visual graphs for ad-hoc analysis but are not designed for generating downloadable, scheduled PDF summaries for management.
Flow Browser (B): This is for deep-dive troubleshooting of individual sessions, not for high-level aggregate reporting.
NEW QUESTION # 24
When integrating Prisma SD-WAN with Prisma Access, what is the specific role of the Service Connection (SC)?
- A. It connects the Prisma Access cloud infrastructure back to the customer's Headquarters or Data Center for access to internal private resources (e.g., AD, DNS, Intranet).
- B. It is the peering link between different Prisma Access regions to optimize global traffic.
- C. It is the IPSec tunnel that connects a Branch site to the Prisma Access gateway for internet access.
- D. It is the SSL VPN portal used by mobile users to connect to the network.
Answer: A
Explanation:
Comprehensive and Detailed Explanation
In the Prisma Access architecture (integrated with SD-WAN), distinct connection types serve different purposes.
Remote Networks: These are the connections from your Branch sites (using ION devices) into the cloud. They allow branches to get to the internet or other branches.
Service Connections (SC): This is a specialized high-bandwidth connection used to bridge the Prisma Access Cloud to your Private Data Center or Headquarters.
The primary use case for a Service Connection (Option A) is to allow mobile users and branch users (who are connected to the Prisma cloud) to reach private, centralized resources that still reside on-premise, such as Active Directory controllers, legacy databases, or mainframes. Without a Service Connection, users in the cloud would be able to reach the internet and each other, but not the servers physically located in your HQ data center. The CloudBlade automates the creation of these tunnels, but architecturally, the "Service Connection" is the "cloud-to-HQ" bridge.
NEW QUESTION # 25
In which modes can a Prisma SD-WAN branch be deployed?
- A. Disabled, Analytics, Control
- B. POV, Production, Analytics
- C. Testing, Control, POV
- D. Production, Control, Disabled
Answer: A
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN (formerly CloudGenix) defines three distinct Operational Modes for a branch site, which determine how the ION device processes traffic and interacts with the network.
* Analytics Mode (Monitor): In this mode, the ION device is typically deployed inline or in a "promiscuous" monitor state to gain visibility into network traffic without actively enforcing path selection policies. It "learns" applications, bandwidth usage, and network characteristics (auditing) but does not steer traffic or block flows. This is often used during Proof of Concepts (POVs) or the initial "burn-in" phase of a deployment to generate reports without risking network disruption.
* Control Mode: This is the full production state. In Control Mode, the ION device actively enforces Path Policies, QoS Policies, and Security Policies. It builds Secure Fabric VPN tunnels, steers traffic based on application SLAs (e.g., sending voice over MPLS and bulk data over Broadband), and handles failover events. This is the required mode for a fully functional SD-WAN site.
* Disabled Mode: This mode effectively shuts down the site's SD-WAN functionality from the controller's perspective. It is an administrative state used when a site is being decommissioned, provisioned but not yet live, or isolated for troubleshooting. In this state, the device does not participate in the fabric.
NEW QUESTION # 26
A network engineer is troubleshooting a user complaint regarding "slow application performance" for an internal web application. While viewing the Flow Browser in the Prisma SD-WAN portal, the engineer notices that the Server Response Time (SRT) is consistently high (over 500ms), while the Network Transfer Time (NTT) and Round Trip Time (RTT) are low (under 50ms).
What does this data indicate about the root cause of the issue?
- A. The issue is likely caused by congestion on the WAN circuit, requiring a QoS policy adjustment.
- B. The issue is likely on the application server itself (e.g., high CPU, slow database query), not the network.
- C. The issue is due to a misconfigured DNS server at the branch.
- D. The issue is caused by a high packet loss rate on the internet path.
Answer: B
Explanation:
Comprehensive and Detailed Explanation
The Flow Browser and App Response Time metrics in Prisma SD-WAN are critical tools for isolating the fault domain: determining whether a problem lies in the "Network" or the "Application."
* Network Transfer Time (NTT) / Round Trip Time (RTT): These metrics measure the time it takes for packets to traverse the network (WAN/LAN) and for acknowledgments to return. A low NTT (e.g., <50ms) confirms that the network pipes (SD-WAN overlay, underlay circuits) are healthy and transporting packets quickly.
* Server Response Time (SRT): This metric specifically measures the time between the server receiving a request and the server sending the first byte of the response. It essentially measures the "processing time" of the backend server.
In the scenario described, the network metrics (NTT/RTT) are excellent, effectively ruling out WAN congestion, packet loss, or latency (Options A and D). However, the Server Response Time (SRT) is very high (500ms). This signature is a definitive indicator that the network delivered the request instantly, but the application server took a long time to process it. This points the troubleshooting effort toward the server infrastructure (e.g., a slow SQL query, an overloaded web server, or a lack of compute resources) rather than the SD-WAN environment.
NEW QUESTION # 27
Which troubleshooting step should be taken when users at a branch site are experiencing a maximum throughput of 200 Mbps for Direct Internet Access (DIA) traffic on a 1 Gbps internet connection?
- A. Ensure the WAN interface is set to 1 Gbps or auto mode.
- B. Ensure the circuit configuration at the site level is properly set.
- C. Ensure performance policy is applied to the site.
- D. Ensure QoS policy is applied to the site.
Answer: B
Explanation:
In Prisma SD-WAN, the effective throughput for any given circuit is fundamentally dictated by the Circuit Configuration defined at the site level. When a branch experiences a "throughput ceiling" (e.g., traffic capped at 200 Mbps on a 1 Gbps physical link), the most likely cause is that the software-defined bandwidth limit for that circuit has been set incorrectly in the Prisma SD-WAN Controller.
Prisma SD-WAN ION devices do not simply forward traffic at the maximum physical line rate by default; they rely on the administrator-defined Upstream and Downstream bandwidth values to perform traffic shaping, policing, and path selection. If a circuit is physically capable of 1 Gbps but is configured in the portal as having only 200 Mbps, the ION device will enforce this 200 Mbps limit to prevent oversubscribing the link and to ensure that Quality of Service (QoS) and path selection calculations remain accurate based on the assumed capacity.
To resolve this, an engineer must navigate to the Site Configuration, locate the specific WAN circuit, and verify that the bandwidth settings match the actual service provider's handoff. If these values are set lower than the actual link speed, the device will artificially throttle the traffic. While ensuring the WAN interface is set to the correct speed/duplex (Option A) is a valid physical layer check, and Performance/QoS policies (Options C and D) manage how that bandwidth is used, it is the Circuit Configuration that defines the total available bandwidth for the SD-WAN fabric to utilize. Correcting this configuration allows the ION device to scale its throughput to match the full 1 Gbps capability of the broadband connection.
NEW QUESTION # 28
Which troubleshooting action should be taken when resources at one branch site can reach the internet but cannot be reached from the data center (DC)?
- A. Set the site in a control mode.
- B. Admin up the Prisma SD-WAN DC endpoints.
- C. Create static route with DC ION as a next hop.
- D. Ensure the LAN branch prefixes are set to "global."
Answer: D
Explanation:
In the Prisma SD-WAN architecture, reachability between sites is managed by the Control Plane, which automatically advertises prefixes across the secure fabric based on their scope. If a branch site has successful Direct Internet Access (DIA) but is invisible to the Data Center (DC), it indicates that while the local ION is online, its internal network information has not been propagated to the rest of the SD-WAN fabric.
The most common cause for this behavior is that the LAN interfaces or static routes at the branch are configured with a Local scope rather than a Global scope. When a prefix is set to "Local," the ION device treats that network as reachable only within that specific site; it will not advertise that prefix to the Controller for distribution to other ION devices, such as those at the Data Center. By ensuring the LAN branch prefixes are set to "global" (Option B), the administrator instructs the ION device to share these routes with the global fabric.
Once the prefix is marked as global, the Prisma SD-WAN Controller identifies it as a reachable destination and updates the routing tables of all peer ION devices in the same domain, including the DC gateways. This allows the Data Center to build a valid path to the branch resources over the secure VPN tunnels. Options like creating static routes (Option A) or changing site modes (Option C) do not address the fundamental requirement of prefix advertisement within the software-defined fabric, which relies on correctly defined metadata like route scope.
NEW QUESTION # 29
A network design mandates segmentation at the routing level and traffic isolation across various services, such as teller cash registers, ATM traffic, guest Wi-Fi, and corporate applications. Which command can be used to validate and display the Virtual Routing and Forwarding (VRF) route leak rules?
- A. dump vrf route_leak_rule
- B. show interface vrf route_leak_rule all
- C. inspect flow_browser vrf all
- D. inspect vrf route_leak_rule all
Answer: D
Explanation:
In complex retail or banking environments, maintaining strict network segmentation is a regulatory and security requirement. Prisma SD-WAN utilizes Virtual Routing and Forwarding (VRF) to provide this isolation, ensuring that high-security traffic, such as ATM transactions or teller cash registers, remains logically separated from Guest Wi-Fi or general corporate applications. While isolation is the default state, route leaking is used to allow specific communication between these VRFs; for instance, it allows multiple isolated segments to reach a common shared service like a DNS server or a centralized security gateway.
To verify that these configurations have been correctly pushed from the Controller to the local ION device, administrators utilize the ION CLI (Command Line Interface) for deep-dive diagnostics. The command inspect vrf route_leak_rule all is the definitive tool for this purpose. Unlike "show" commands which typically provide interface status, "inspect" commands in the Prisma SD-WAN ecosystem are designed to pull real-time operational state data from the control plane's internal databases.
When executed, this command displays the specific prefix-level rules that allow routes to "leak" from one VRF table into another. It provides visibility into the source VRF, the destination VRF, and the exact network prefixes or default routes being shared. This is critical for troubleshooting "Day 2" operations; if a teller register cannot reach a shared database, the administrator can use this command to confirm if the necessary route leak rule is active and accurately reflecting the intent of the VRF Profile configured in the portal.
Without this command, verifying inter-VRF reachability would be limited to trial-and-error connectivity tests, making it an essential part of the Prisma SD-WAN engineer's toolkit.
NEW QUESTION # 30