Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Palo Alto Networks SD-WAN-Engineer Exam - Topic 1 Question 2 Discussion

Actual exam question for Palo Alto Networks's SD-WAN-Engineer exam
Question #: 2
Topic #: 1
[All SD-WAN-Engineer Questions]

What are two potential causes when a secondary public circuit has been added to the branch site, but the Prisma SD-WAN tunnel is not forming to the data center? (Choose two.)

Show Suggested Answer Hide Answer
Suggested Answer: A, D

Comprehensive and Detailed Explanation

In Prisma SD-WAN (formerly CloudGenix), the establishment of Secure Fabric (VPN) tunnels is automated but relies heavily on the correct definition of the Network Context for each interface. If a tunnel fails to form on a newly added s2econdary circuit, it is typically due to a misconfiguration in how the interface is defined in the ION portal.

1. Interface Scope (Statement D):

The Scope setting on an interface determines its function in the network topology.

Global Scope: This defines the interface as a WAN-facing port. The ION device will only attempt to build VPN tunnels (overlay) on interfaces configured with Global scope.

Local Scope: This defines the interface as a LAN-facing port (for users, switches, or APs). If the administrator mistakenly sets the scope to 'Local' for the new internet line, the ION treats it as a private LAN segment and will not initiate any tunnel negotiation or WAN signaling on that port.

2. Interface Role/Circuit Category (Statement A):

Prisma SD-WAN uses Circuit Categories (often referred to as Interface Roles in general networking terms, or specifically 'Circuit Category' in the ION UI) to determine peering logic.

To form a tunnel over a public internet link to a Data Center, the circuit attached to the interface must be categorized as 'Internet'.

The controller uses this category to match compatible endpoints. It knows that a 'Private WAN' (MPLS) link cannot directly tunnel to an 'Internet' link without a gateway. If the new circuit is not correctly selected/categorized as 'Internet' (e.g., left undefined or set to a different category), the system will not attempt to build the standard IPSec overlay to the Data Center's public IP address.


by Bev at Dec 22, 2025, 12:31 PM

Limited Time Offer

25%

Off

Get Premium SD-WAN-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Ahmed
28 days ago
True, but A is critical. Without the right internet role, nothing works.
upvoted 0 times
...
Josefa
1 month ago
I feel like D is a big one. If it's set to local, it won't connect.
upvoted 0 times
...
Hyman
1 month ago
C seems less likely, but I see your point, Kelvin.
upvoted 0 times
...
Kelvin
1 month ago
What about B? A missing circuit label could cause problems too.
upvoted 0 times
...
Marsha
2 months ago
I agree, A is definitely a possibility.
upvoted 0 times
...
Verda
2 months ago
D) Interface scope set to "local" sounds like a weird one, not sure about that.
upvoted 0 times
...
Sharan
2 months ago
B) Circuit label missing is definitely a possibility too.
upvoted 0 times
...
Lenita
2 months ago
Wait, could DNS being misconfigured really stop the tunnel?
upvoted 0 times
...
Muriel
2 months ago
Totally agree, I've seen that happen a lot!
upvoted 0 times
...
Brock
2 months ago
Haha, interface scope set to "local"? What is this, a private party?
upvoted 0 times
...
Bettye
3 months ago
B? Really? Who cares about the circuit label, that's just a minor detail.
upvoted 0 times
...
Lashaunda
3 months ago
C is a good one too. Can't forget about DNS configuration, that can trip you up.
upvoted 0 times
...
Glenn
4 months ago
A and D seem like the most likely culprits. Gotta make sure that internet interface is set up properly.
upvoted 0 times
...
Graham
4 months ago
I have a hunch that if the interface scope is set to "local," it might prevent the tunnel from forming. That sounds familiar from our study sessions.
upvoted 0 times
...
Belen
4 months ago
I recall something about DNS configuration being crucial, but I can't remember if it directly affects the tunnel formation.
upvoted 0 times
...
Shayne
4 months ago
I'm not entirely sure, but I feel like the circuit label might be important. If it's missing, that could definitely cause problems with the tunnel.
upvoted 0 times
...
Yolande
4 months ago
I think one possible cause could be that the interface role isn't set to "internet." I remember that being a common issue in practice questions.
upvoted 0 times
...
Huey
4 months ago
Hmm, I'm a bit confused on this one. I'd probably try the interface role and the circuit label, but I'm not totally sure. Guess I'll have to do some research on Prisma SD-WAN tunnels.
upvoted 0 times
...
Gilberto
5 months ago
I've seen this kind of issue before. My money's on the interface role not being set correctly. That's usually the first thing I'd check.
upvoted 0 times
...
Katina
5 months ago
Okay, let's think this through. I'd definitely start by looking at the DNS configuration. If that's not set up properly, that could definitely be causing the tunnel not to form.
upvoted 0 times
...
Rosalyn
5 months ago
Ugh, I'm not sure about this one. I'd probably try checking the circuit label and the interface scope. Those seem like they could be potential issues.
upvoted 0 times
...
Nobuko
5 months ago
A) Interface role is not selected as "internet." is a common issue.
upvoted 0 times
...
Alecia
5 months ago
Hmm, this seems like a tricky one. I'd start by checking the interface role and making sure it's set to "internet." That seems like the most likely culprit.
upvoted 0 times
Lynelle
17 days ago
What about the circuit label? That could be an issue too.
upvoted 0 times
...
Lynelle
23 days ago
I agree, checking the interface role is crucial.
upvoted 0 times
...
...
Jeffrey
5 months ago
I think A and D could be the issues.
upvoted 0 times
...

Save Cancel