Get Palo Alto Networks SD-WAN-Engineer Exam Practice Questions - Real and Updated

Answer : C

Palo Alto Networks utilizes an aggregate throughput model for Prisma SD-WAN licensing.1 The minimum bandwidth subscription required for a branch ION is determined by the maximum traffic (the sum of both ingress and egress) that passes through the ION device. This is often referred to as 'Aggregate Throughput.' It is a critical distinction in the Prisma SD-WAN architecture because the license must account for all traffic processed by the device, whether that traffic stays local (Direct Internet Access), goes to the Data Center via the VPN fabric, or moves between local LAN segments.

When sizing a subscription, engineers must evaluate the total capacity of the WAN circuits connected to the branch. For example, if a branch has two 100 Mbps internet circuits, the device is capable of processing 200 Mbps of egress traffic and 200 Mbps of ingress traffic simultaneously. However, the licensing is based on the aggregate peak throughput the customer expects to utilize across the device's interfaces.

Choosing an under-sized subscription based only on 'fabric traffic' (Option B) or 'ISP capacity' (Option D) without considering the total bi-directional flow can lead to artificial performance bottlenecks. If the traffic exceeds the licensed bandwidth, the ION device will police the traffic to the licensed limit, regardless of the physical port speed or the hardware's theoretical maximum. Therefore, the subscription must be aligned with the total actual traffic volume the device is expected to handle to ensure an optimal user experience and full utilization of available circuit bandwidth.

Answer : A

In the Prisma SD-WAN (formerly CloudGenix) architecture, the security and authenticity of device-to-controller communication are paramount. When a new ION (Instant-On Network) device is powered on and connected to the internet, it initiates a secure 'phone home' process to the Prisma SD-WAN Cloud Controller. To ensure that the controller is communicating with a genuine Palo Alto Networks hardware or software instance, the system utilizes a Manufacturer Installed Certificate (MIC).

The MIC is a unique digital certificate burned into the hardware's Trusted Platform Module (TPM) or secure storage during the manufacturing process. This certificate acts as the device's foundational identity. When a customer 'claims' a device in the Prisma SD-WAN portal using its serial number, the controller maps that serial number to the specific MIC associated with that unit.

Once the device is claimed and attempts to connect, a mutual TLS (mTLS) handshake occurs. The ION device presents its MIC to the controller to prove its identity, and the controller validates this against its records. This method eliminates the need for manual staging, pre-configuration, or the complexity of managing a Customer Installed Certificate (CIC) or a private Public Key Infrastructure (PKI) during the initial deployment phase. By leveraging the MIC, Prisma SD-WAN achieves true Zero Touch Provisioning (ZTP), ensuring that only authorized, authentic devices can join the fabric and receive configuration policies, thereby maintaining a secure and automated onboarding workflow.

Answer : B

Prisma SD-WAN is built on an application-defined fabric that prioritizes deep visibility into network traffic and application performance.1 To deliver the high-fidelity flow data and application visibility required for modern operations, Prisma SD-WAN utilizes IPFIX (Internet Protocol Flow Information Export).2 IPFIX is a standardized protocol based on NetFlow v9 that allows for the export of IP flow information from network devices to a collector or management system.3

In the Prisma SD-WAN architecture, ION devices act as the exporters.4 Because the system is application-aware, it doesn't just export basic 5-tuple information (source/destination IP, ports, and protocol); it exports rich metadata including application IDs, performance metrics (latency, jitter, packet loss), and path information. This allows the Prisma SD-WAN Controller and the associated Analytics engine to reconstruct a complete picture of every flow in the network.

While other protocols like SNMPv3 are supported for basic device health monitoring (such as CPU or interface status) and ADEM (Autonomous Digital Experience Management) provides end-to-end visibility for mobile users or SASE-connected branches, IPFIX is the primary 'engine' for flow-level data across the SD-WAN fabric. Unlike traditional IP SLA, which relies on synthetic probes, the IPFIX-based monitoring in Prisma SD-WAN uses real-time application traffic to assess performance. This ensures that the visibility provided in the Flow Browser and Analytics dashboards accurately reflects the actual user experience, enabling granular troubleshooting and proactive capacity planning.

Answer : B, C

In the Prisma SD-WAN (Instant-On Network) architecture, the 'Secure Fabric' is a key feature that simplifies VPN orchestration through automation. When an ION device is deployed at a site and associated with a specific role, the Prisma SD-WAN Controller automatically manages the establishment of encrypted VPN tunnels without requiring manual IPsec configuration.

The most fundamental tunnel type is Branch gateway to data center (Option B). By default, the system follows a hub-and-spoke model where every branch ION device automatically attempts to build secure tunnels to all available Data Center clusters within its domain. This ensures that branch locations have immediate, redundant connectivity to centralized corporate resources and applications as soon as they are brought online.

Additionally, Prisma SD-WAN supports automated Branch gateway to branch gateway connectivity (Option C). Unlike traditional architectures that backhaul all traffic through a central hub, the Prisma SD-WAN fabric can dynamically establish 'spoke-to-spoke' tunnels between branch gateways to facilitate direct communication. This is particularly useful for latency-sensitive applications like Voice over IP (VoIP) or video conferencing. While this can be configured as a 'full mesh' where all sites build tunnels to all other sites, the controller intelligently manages these connections based on the defined site roles and domain configurations to optimize resource usage and performance. Options A and D are incorrect because the fabric orchestration logic is primarily focused on the functional roles of the gateways (Branch vs. Data Center) rather than 'domains' in the context of tunnel initiation.

Answer : C

In the Prisma SD-WAN architecture, security is built directly into the AppFabric using a centralized, controller-led approach to key management. Unlike traditional VPNs that rely on manual Internet Key Exchange (IKE) or static Pre-Shared Keys (PSKs) which can be administratively burdensome and security-vulnerable, Prisma SD-WAN automates the entire lifecycle of encrypted tunnels. The Prisma SD-WAN Controller acts as the central authority for identity and key distribution for all ION (Instant-On Network) devices within the tenant's fabric.

Specifically, the VPN shared secrets used to secure these tunnels are ephemeral and are valid for exactly 24 hours. This 24-hour validity period is a security best practice implemented by Palo Alto Networks to limit the 'blast radius' or window of exposure in the unlikely event that a key is compromised. The controller automatically handles the generation, distribution, and rotation of these secrets. Before the 24-hour timer expires, the controller pushes new keys to the ION devices, which then perform a hitless rollover. This ensures that the data plane remains active and encrypted without requiring manual intervention from a network administrator. If an ION device loses its control plane connection to the controller, it will maintain its existing tunnels using the current keys until they expire, at which point it must re-authenticate with the controller to receive a new set of valid secrets. This automated rotation is a core component of the Prisma SD-WAN Zero-Trust security model.