Palo Alto Networks SD-WAN-Engineer Exam - Topic 2 Question 10 Discussion

Actual exam question for Palo Alto Networks' SD-WAN-Engineer exam
Question #: 10
Topic #: 2

When deploying a branch gateway, secure fabric VPN tunnels are automatically established between which two site types? (Choose two.)

Suggested Answer: B, C

In the Prisma SD-WAN (Instant-On Network) architecture, the 'Secure Fabric' is a key feature that simplifies VPN orchestration through automation. When an ION device is deployed at a site and associated with a specific role, the Prisma SD-WAN Controller automatically manages the establishment of encrypted VPN tunnels without requiring manual IPsec configuration.

The most fundamental tunnel type is Branch gateway to data center (Option B). By default, the system follows a hub-and-spoke model where every branch ION device automatically attempts to build secure tunnels to all available Data Center clusters within its domain. This ensures that branch locations have immediate, redundant connectivity to centralized corporate resources and applications as soon as they are brought online.

Additionally, Prisma SD-WAN supports automated Branch gateway to branch gateway connectivity (Option C). Unlike traditional architectures that backhaul all traffic through a central hub, the Prisma SD-WAN fabric can dynamically establish 'spoke-to-spoke' tunnels between branch gateways to facilitate direct communication. This is particularly useful for latency-sensitive applications like Voice over IP (VoIP) or video conferencing. While this can be configured as a 'full mesh' where all sites build tunnels to all other sites, the controller intelligently manages these connections based on the defined site roles and domain configurations to optimize resource usage and performance.

Options A and D are incorrect because the fabric orchestration logic is primarily focused on the functional roles of the gateways (Branch vs. Data Center) rather than 'domains' in the context of tunnel initiation.


Barney
2 days ago
I remember practicing a similar question, and I think it was about branch to branch gateways in the same domain. That might be one of the answers.
upvoted 0 times
France
7 days ago
I think the secure fabric VPN tunnels are established between the branch gateway and the data center, but I'm not entirely sure about the second option.
upvoted 0 times