
Palo Alto Networks SD-WAN-Engineer Exam - Topic 3 Question 8 Discussion

Actual exam question for Palo Alto Networks' SD-WAN-Engineer exam
Question #: 8
Topic #: 3

A customer wants to deploy Prisma SD-WAN ION devices at small home offices that use consumer-grade broadband routers. These routers typically use Symmetric NAT and do not allow static port forwarding.

Which standard mechanism does Prisma SD-WAN utilize to successfully establish direct Branch-to-Branch (Dynamic) VPN tunnels through these Symmetric NAT devices?

Suggested Answer: B

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizes STUN (Session Traversal Utilities for NAT) to perform NAT traversal for its Secure Fabric overlay.

Discovery: When an ION device connects to the internet behind a NAT router, it reaches out to the Prisma SD-WAN Controller. The controller acts as a STUN server, identifying the public IP address and port from which the ION's traffic appears to originate.

Symmetric NAT Challenge: A Symmetric NAT allocates a different public mapping for every destination, so the mapping the controller observes is not automatically the one a peer would see. The Prisma SD-WAN architecture is designed to handle this by having the controller coordinate the connection attempt.

Hole Punching: The controller shares the discovered public mapping information between two peer ION devices. They then simultaneously initiate traffic to each other's public IP/port (a technique called 'UDP Hole Punching'). Each NAT sees an outbound flow and therefore permits the corresponding inbound packets, which establishes a direct peer-to-peer IPsec tunnel without requiring manual port forwarding or static IPs at the edge.
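The discovery step above rests on a standard STUN Binding exchange. The following is an added example, not code from Prisma SD-WAN or from this page: it encodes the RFC 5389 Binding Request an ION-like client would send, builds the Binding Success Response a STUN server returns, and decodes the XOR-MAPPED-ADDRESS attribute back into the (public IP, port) pair that a controller would share with a peer. The function names, the assumption that the controller speaks plain RFC 5389 framing, and the sample address 203.0.113.10:40000 are all constructed for illustration.

```python
import os
import socket
import struct

# RFC 5389 constants (standard STUN; that the controller uses this exact framing is an assumption)
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # plain address, legacy RFC 3489 style
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # address XORed with the magic cookie


def build_binding_request(transaction_id=None):
    """Client side: 20-byte Binding Request header with no attributes."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, tid)


def build_binding_response(transaction_id, public_ip, public_port):
    """Server side: echo the source address the request arrived from as
    XOR-MAPPED-ADDRESS (IPv4), so NATs that rewrite literal IPs cannot corrupt it."""
    addr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    port = public_port ^ (MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, port, addr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, transaction_id) + attr


def parse_mapped_address(response, transaction_id):
    """Client side: return the (ip, port) the server saw. Prefers XOR-MAPPED-ADDRESS,
    falls back to MAPPED-ADDRESS; IPv4 only in this example."""
    msg_type, length, cookie, tid = struct.unpack("!HHI12s", response[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or tid != transaction_id:
        raise ValueError("not a Binding Success Response for our transaction")
    body, offset, fallback = response[20:20 + length], 0, None
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        offset += 4 + (attr_len + 3) // 4 * 4   # attribute values are padded to 32 bits
        if attr_type not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or len(value) != 8:
            continue
        _, family, port, addr = struct.unpack("!BBHI", value)
        if family != 0x01:
            continue
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            return socket.inet_ntoa(struct.pack("!I", addr ^ MAGIC_COOKIE)), port ^ (MAGIC_COOKIE >> 16)
        fallback = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    if fallback is None:
        raise ValueError("response carries no mapped-address attribute")
    return fallback
```

The transaction ID check matters in practice: a client that accepts any Binding Success Response can be fed a forged mapping by anyone who can reach its UDP port.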


Contribute your Thoughts:

Truman
17 days ago
Wait, isn't UPnP risky for security?
upvoted 0 times
Portia
23 days ago
Totally agree, STUN is the way to go!
upvoted 0 times
Huey
28 days ago
I think it's B) STUN for sure.
upvoted 0 times
Alysa
1 month ago
SSL VPN encapsulation could work too, but STUN is more efficient here.
upvoted 0 times
Reta
1 month ago
Manual GRE Tunnels seem outdated for this scenario.
upvoted 0 times
Hailey
1 month ago
Wait, are we sure about that? I thought UPnP was more common.
upvoted 0 times
Jina
2 months ago
Totally agree, STUN is the way to go!
upvoted 0 times
Odette
2 months ago
I think it's B) STUN, right?
upvoted 0 times
Georgiana
2 months ago
Manual GRE Tunnels seem too static for this situation. I think it's definitely between STUN and SSL VPN, but I lean towards STUN.
upvoted 0 times
Jesusita
2 months ago
I feel like we discussed SSL VPN encapsulation in class, but I can't remember if it applies to this specific scenario with Symmetric NAT.
upvoted 0 times
Edda
2 months ago
I recall that UPnP is often used for NAT traversal, but I don't think it's the right choice here. Maybe it's STUN after all?
upvoted 0 times
Suzi
2 months ago
I think the answer might be STUN, but I'm not entirely sure. I remember it being mentioned in a similar context during our practice sessions.
upvoted 0 times