Palo Alto Networks SD-WAN-Engineer Exam - Topic 1 Question 2 Discussion

Comprehensive and Detailed Explanation

In Prisma SD-WAN (formerly CloudGenix), the establishment of Secure Fabric (VPN) tunnels is automated but relies heavily on the correct definition of the Network Context for each interface. If a tunnel fails to form on a newly added s2econdary circuit, it is typically due to a misconfiguration in how the interface is defined in the ION portal.

1. Interface Scope (Statement D):

The Scope setting on an interface determines its function in the network topology.

Global Scope: This defines the interface as a WAN-facing port. The ION device will only attempt to build VPN tunnels (overlay) on interfaces configured with Global scope.

Local Scope: This defines the interface as a LAN-facing port (for users, switches, or APs). If the administrator mistakenly sets the scope to 'Local' for the new internet line, the ION treats it as a private LAN segment and will not initiate any tunnel negotiation or WAN signaling on that port.

2. Interface Role/Circuit Category (Statement A):

Prisma SD-WAN uses Circuit Categories (often referred to as Interface Roles in general networking terms, or specifically 'Circuit Category' in the ION UI) to determine peering logic.

To form a tunnel over a public internet link to a Data Center, the circuit attached to the interface must be categorized as 'Internet'.

The controller uses this category to match compatible endpoints. It knows that a 'Private WAN' (MPLS) link cannot directly tunnel to an 'Internet' link without a gateway. If the new circuit is not correctly selected/categorized as 'Internet' (e.g., left undefined or set to a different category), the system will not attempt to build the standard IPSec overlay to the Data Center's public IP address.