SD-WAN-Engineer Palo Alto Networks SD-WAN Engineer Questions and Answers

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizes a hierarchical QoS model (typically based onHierarchical Token Bucketor similar shaping algorithms) to manage bandwidth contention.

Guaranteed Bandwidth:The "Platinum" class (used for Real-Time voice/video) is assigned aguaranteed bandwidth percentage(floor) in the QoS profile. This ensures that even if "Gold" (Transactional) or "Silver" (Bulk) traffic is trying to consume 100% of the link, the scheduler reserves the specific portion (e.g., 30%) for Platinum traffic, preventing starvation.

Shaping, not Policing:Unlike simple policing which drops excess traffic hard, the ION deviceshapesthe egress traffic. If the link is congested, the scheduler delays the lower-priority packets (buffering) to allow the high-priority Platinum packets to exit immediately.

Why not Strict Priority (A)?While Platinum behaveslikea priority queue, pure Strict Priority can completely starve lower queues if the high-priority traffic is misbehaving or voluminous. Prisma SD-WAN typically uses bandwidth guarantees (floors) and limits (ceilings) to ensure fair sharing while protecting critical apps.

Comprehensive and Detailed Explanation

According to thePrisma SD-WAN Performance Policy Default Behaviordocumentation, the default action configured for applications (including real-time media) when a path experiences poor performance (violates the SLA thresholds for latency, jitter, or packet loss) is toMove Flows.

The Prisma SD-WAN ION device continuously monitors the health of all available paths. If the active path for a media application degrades and fails to meet the specified SLA, the default policy dictates that the traffic should be steered (moved) to an alternate, compliant path that meets the performance criteria.

WhileForward Error Correction (FEC)is a powerful feature available in Prisma SD-WAN to mitigate packet loss for real-time applications, it is anoptional actionthat must be explicitly enabled or configured within the performance policy rules. It is not thedefaultaction in the base system configuration; the primary default mechanism for handling performance issues is to leverage the multi-path fabric to switch to a better link.

Comprehensive and Detailed Explanation

Prisma SD-WAN calculates the Mean Opinion Score (MOS) to provide a standardized metric (1-5) for voice quality. To ensure the system always knows the "voice readiness" of a path—even before a call starts—it uses Active Probes (synthetic UDP packets).

While latency is measured, the MOS calculation algorithm is most heavily penalized by Packet Loss (D) and Jitter (B).

Packet Loss:Even a small amount of loss (e.g., >1%) dramatically reduces voice clarity, causing dropouts.

Jitter: High variance in packet arrival time (jitter) causes the "robotic" voice effect and buffer underruns.

The system continuously measures these specific metrics on all WAN links using synthetic probes. If the packet loss or jitter exceeds the threshold defined in the "Path Quality Profile" (e.g., Voice Profile), the path is marked as non-compliant, and the MOS score drops, triggering a policy action to move the flow. Throughput (C) is less critical for voice as calls consume very little bandwidth (e.g., 64-100 Kbps), making congestion (loss/jitter) the primary enemy, not raw speed.

Comprehensive and Detailed Explanation

To validate specific packet-level details likeDSCP (Differentiated Services Code Point)values, header checksums, or exact payload sizes, aPacket Capture (PCAP)is required.

PCAP Tool:Prisma SD-WAN provides a built-in PCAP utility accessible directly from the portal. The engineer can select the specificInterface(e.g., Internet 1), apply aFilter(e.g., port 5060 or host 1.2.3.4), and capture the traffic.

Analysis:The resulting .pcap file can be downloaded and opened in Wireshark. This allows the engineer to definitively see if the packets leaving the ION have DSCP EF (46) and if the packets arriving (if capturing on the other side) still retain that marking, or if the ISP has bleached it to CS0 (0).

Flow Browser (A):While it shows "Application" and metrics, the Flow Browser typically displays theassignedpriority class, not necessarily the raw bit-level DSCP value present in the packet header on the wire.

Comprehensive and Detailed Explanation

This behavior describes the"Best Available Path"logic inherent in Prisma SD-WAN's availability design.

SLA Thresholds:Path Quality Profiles act asfiltersto identify compliant paths.

Total Violation:Ifallconfigured "Active" paths violate the SLA (e.g., Path A has 2% loss, Path B has 5% loss, and the threshold is 1%), the system does not drop the traffic (Option A) because maintaining connectivity is prioritized over perfect quality.

Selection Logic:The system enters a fallback state where it compares the available active paths and selects the"Least Bad"one—the path that isclosestto meeting the SLA (in this case, Path A with 2% loss).

Backup Paths:Traffic would only move to aBackuppath (Option D) if the policy explicitly configures the backup path to engage upon SLA violation of the active set. However, strictly speaking, ifonlyactive paths are considered and all fail, it picks the best of the active group rather than blackholing the traffic.

Comprehensive and Detailed Explanation

In a Prisma SD-WAN High Availability (HA) deployment, theHA Control Interfaceis the critical lifeline used to synchronize state, heartbeats, and flow information between the Active and Standby ION devices.

The strict requirement for this connection is that it must beLayer 2 adjacent.

Best Practice:A direct physical cable connection between the designated HA ports of the two devices (e.g., Port 2 on Device A to Port 2 on Device B).

Alternative:Connectivity through a switch on a dedicated, isolated VLAN is supported, provided the devices are in the same broadcast domain and subnet.

Routing (Layer 3) isnot supportedfor the HA Control link because the keepalive mechanism relies on low-latency, multicast/broadcast-level adjacency to detect failures instantly (sub-second failover). If the HA link were routed (Option A), network latency or router convergence issues could cause "Split-Brain" scenarios where both devices assume the Active role, leading to IP conflicts and traffic loops. Option C is incorrect because the Controller is too slow to manage real-time failover; the decision must be local.

Comprehensive and Detailed Explanation

In Prisma SD-WAN,Custom Applicationsare global policy objects managed centrally on the controller.

Immediate Propagation:When an administrator creates or modifies a Custom Application definition (e.g., updating the IP subnet or port for an internal app), the Prisma SD-WAN controller automatically pushes this update toallconnected ION devices in the tenant.

No Manual Push:Unlike some legacy firewall management paradigms (like Panorama "Commit and Push"), the Prisma SD-WAN architecture is "intent-based" and continuously synchronized. A change to a global object like an App Definition is considered a live configuration change and is distributed immediately via the secure control channel.

No Reboot:The ION data plane updates its classification engine dynamically without interrupting traffic or requiring a reboot. This ensures that policy enforcement (steering "Inventory_App" to the correct path) remains accurate in real-time.

Comprehensive and Detailed Explanation

In Prisma SD-WAN (CloudGenix),Zone-Based Firewall (ZBFW)policies rely on the device's ability to map an IP address to a User-ID to enforce identity-based rules. The key to this question is understandingwhere the mapping existsandwhich directionthe policy attributes (Source User vs. Destination User) apply to.

1. Mapping Location (Branch-1):The prompt states that Branch-1 has the user-to-IP mapping for User-1. For the most effective and scalable security enforcement, policies should be applied at thesource (ingress)device where the traffic originates and where the user identity is known. This prevents unauthorized traffic from consuming WAN bandwidth only to be dropped at the destination. Therefore, the Branch-1 ION is the correct enforcement point for User-1's traffic.

2. Source vs. Destination User:

User-1 is the Source:In all scenarios, User-1 is the initiator of the traffic. Therefore, the security rule must match onSource User-ID.

Options C and D are incorrectbecause they suggest usingDestinationUser-ID based rules to control User-1. Destination User-ID rules are used when thetargetof the traffic is a known user (e.g., VoIP calls to a specific user's phone), not when filtering based on the sender. Furthermore, relying on the DC or Branch-2 ION to enforce policies for User-1 would require the propagation of User-ID mappings across the overlay, whereas local enforcement at Branch-1 is the standard architectural model.

3. Valid Use Cases (A and B):

Option A (SaaS/Internet):The Branch-1 ION acts as the internet gateway. It can use the local mapping (IP-1 = User-1) to allow or deny access to specific SaaS applications (Direct Internet Access) based on the user's identity (e.g., "Allow Marketing Group to access Social Media").

Option B (Internal Segmentation):The Branch-1 ION can enforce policies for traffic moving between local zones (e.g., from a "Users" VLAN to a "Servers" VLAN within the branch). Since the ION routes this traffic and holds the mapping, it can enforce Source User-ID policies to secure local private applications.

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizes Link Quality Monitoring (LQM) to maintain a real-time health score for every WAN path.

To ensure the system knows the quality of a path before sending critical user traffic onto it, the ION device uses Active Probing.

Mechanism:The ION sends synthetic probe packets (typically UDP) across the Secure Fabric (VPN tunnels) and Direct Internet paths to its peers. These probes measure Latency, Jitter, andPacket Loss.

Active vs. Passive:While the systemdoesuse Passive Monitoring (observing actual user flows) when traffic is present to reduce overhead, Active Probes are essential for idle links or backup paths. Without active probing, the ION would have no data to make an intelligent steering decision for thefirstpacket of a new video call. This ensures that "Real-Time" policies always have up-to-date metrics to select the best path immediately.

Comprehensive and Detailed Explanation

The transition from "Claimed" to "Online" depends entirely on the ION device's ability to establish a secure, persistent management tunnel to the Prisma SD-WAN Controller.

Connectivity Requirements:The ION device initiates an outbound connection to the controller onTCP Port 443 (HTTPS). It also requires accurate time synchronization to validate SSL certificates, necessitating access toNTP (UDP Port 123).

Scenario Analysis:Since the installer can browse the internet from the LAN, we know the physical link and basic routing/NAT are functional. The issue is specific to themanagement planetraffic.

Root Cause:If an upstream firewall (e.g., a corporate edge firewall or ISP filter) is inspecting SSL traffic or blocking specific FQDNs/Ports required by the ION, the device cannot complete the handshake. Consequently, it remains "Claimed" (registered in the database) but cannot go "Online" (active management session). Options A, C, and D preventprovisioning(configuration push) but generally do not prevent the device from initially checking in and going "Online" if the pipe is open.

Comprehensive and Detailed Explanation

TheION Device Data Plane(the software running locally on the hardware appliance at the branch) is the component responsible for the heavy lifting of traffic analysis.

Edge Processing:Prisma SD-WAN uses an "Application-Defined" architecture. The ION device performsDeep Packet Inspection (DPI)on the first few packets of a flow to identify the application (e.g., distinguishing "Skype Video" from "Skype Chat").

Metric Calculation:The ION device timestamping engine calculates the performance metrics (RTT, NTT, SRT) in real-time as packets pass through its interfaces. It aggregates this metadata.

Role of Controller (B):The Controllercollectsandvisualizesthis data (Analytics), but it does notgenerateit. The Controller does not sit in the data path of the user traffic. If the ION relied on the controller for App-ID, latency would be unacceptably high. Therefore, all detection and metric generation happens locally on theION Device.

Comprehensive and Detailed Explanation

In the Prisma Access architecture (integrated with SD-WAN), distinct connection types serve different purposes.

Remote Networks:These are the connections from yourBranchsites (using ION devices) into the cloud. They allow branches to get to the internet or other branches.

Service Connections (SC):This is a specialized high-bandwidth connection used to bridge thePrisma Access Cloudto yourPrivate Data Centeror Headquarters.

The primary use case for a Service Connection (Option A) is to allow mobile users and branch users (who are connected to the Prisma cloud) to reachprivate, centralized resourcesthat still reside on-premise, such as Active Directory controllers, legacy databases, or mainframes. Without a Service Connection, users in the cloud would be able to reach the internet and each other, but not the servers physically located in your HQ data center. The CloudBlade automates the creation of these tunnels, but architecturally, the "Service Connection" is the "cloud-to-HQ" bridge.