Free Preparation Discussions
MENU
Palo Alto Networks SD-WAN-Engineer Exam - Topic 5 Question 12 Discussion
Topic #: 5
An administrator wants to configure a Path Policy that routes all "Guest Wi-Fi" traffic directly to the internet using the local broadband interface, bypassing all VPN tunnels.
Which Service & DC Group setting should be selected in the policy rule to achieve this "Direct Internet Access" (DIA) behavior?
Comprehensive and Detailed Explanation
In Prisma SD-WAN Path Policies, the Service & DC Group (Destination) field determines where the traffic is sent.
Direct: This is the specific keyword/object used to instruct the ION to route traffic directly out to the local WAN interface (Local Breakout) towards the Internet, without encapsulation in a VPN tunnel. This is the correct setting for Guest Wi-Fi, SaaS applications (like Office 365), or any public web browsing that does not need to be backhauled.
Standard VPN / Default-Cluster: These options direct traffic into an IPSec overlay tunnel destined for a Data Center or another ION. Selecting these would 'backhaul' the guest traffic, which contradicts the requirement for DIA.
When 'Direct' is selected, the ION uses its available 'Internet' category links. The policy can further specify which internet link to use (e.g., 'Use Broadband, avoid LTE') via the path preference list, but the Destination type must be 'Direct'.
Currently there are no comments in this discussion, be the first to comment!