When deploying a branch gateway, secure fabric VPN tunnels are automatically established between which two site types? (Choose two.)
In the Prisma SD-WAN (Instant-On Network) architecture, the 'Secure Fabric' is a key feature that simplifies VPN orchestration through automation. When an ION device is deployed at a site and associated with a specific role, the Prisma SD-WAN Controller automatically manages the establishment of encrypted VPN tunnels without requiring manual IPsec configuration.
The most fundamental tunnel type is Branch gateway to data center (Option B). By default, the system follows a hub-and-spoke model where every branch ION device automatically attempts to build secure tunnels to all available Data Center clusters within its domain. This ensures that branch locations have immediate, redundant connectivity to centralized corporate resources and applications as soon as they are brought online.
Additionally, Prisma SD-WAN supports automated Branch gateway to branch gateway connectivity (Option C). Unlike traditional architectures that backhaul all traffic through a central hub, the Prisma SD-WAN fabric can dynamically establish 'spoke-to-spoke' tunnels between branch gateways to facilitate direct communication. This is particularly useful for latency-sensitive applications like Voice over IP (VoIP) or video conferencing. While this can be configured as a 'full mesh' where all sites build tunnels to all other sites, the controller intelligently manages these connections based on the defined site roles and domain configurations to optimize resource usage and performance. Options A and D are incorrect because the fabric orchestration logic is primarily focused on the functional roles of the gateways (Branch vs. Data Center) rather than 'domains' in the context of tunnel initiation.
Where is route leaking configured between VRFs?
In the Prisma SD-WAN solution, multi-tenancy and network isolation are achieved through the use of Virtual Routing and Forwarding (VRF) instances. However, there are many operational scenarios---such as providing shared access to a common service (e.g., DNS, NTP) or a central Internet gateway---where traffic must transition between these isolated routing domains. This process is known as route leaking.
In the Prisma SD-WAN management interface, route leaking is specifically configured within the VRF Profile. Unlike traditional CLI-based routers where route leaking might be configured under a global routing table or individual VRF definitions via import/export targets, Prisma SD-WAN utilizes a profile-based approach to ensure scalability and consistency across multiple sites. A VRF Profile acts as a template that defines the routing behavior for specific VRFs across the fabric.
When an administrator navigates to the VRF Profile settings, they can define 'Leaking Rules.' These rules specify the 'From VRF' (source) and 'To VRF' (destination) parameters, along with the specific prefixes or default routes that should be shared. By placing this configuration within the VRF Profile rather than a site-specific configuration, Palo Alto Networks allows for a 'configure once, apply many' workflow. Once the VRF Profile is updated with the leaking rules, any ION device associated with that profile will automatically update its local routing table to allow the specified inter-VRF communication. This centralized orchestration simplifies the management of complex segmentation requirements in large-scale SD-WAN deployments.
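To make the 'From VRF' / 'To VRF' rule model concrete, here is an added simulation (not Prisma SD-WAN's own code) of how leaking rules in a profile populate a destination VRF's table; the VRF names, prefixes and next-hop labels are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Added illustration of VRF Profile leaking rules (not Prisma SD-WAN's own code).
RouteTable = Dict[str, str]  # prefix -> next hop label

@dataclass
class LeakRule:
    from_vrf: str
    to_vrf: str
    prefixes: List[str]  # prefixes to share; "0.0.0.0/0" shares the default route

@dataclass
class VrfProfile:
    vrfs: Dict[str, RouteTable]
    leak_rules: List[LeakRule] = field(default_factory=list)

def apply_leaking(profile: VrfProfile) -> Dict[str, RouteTable]:
    """Copy the routes named by each rule from 'From VRF' into 'To VRF'."""
    tables = {name: dict(routes) for name, routes in profile.vrfs.items()}
    for rule in profile.leak_rules:
        src = profile.vrfs.get(rule.from_vrf, {})
        dst = tables.setdefault(rule.to_vrf, {})
        for prefix in rule.prefixes:
            if prefix in src and prefix not in dst:  # a VRF's own route wins
                dst[prefix] = src[prefix]
    return tables

def lookup(table: RouteTable, dst_ip: str) -> Optional[str]:
    """Longest-prefix match inside one VRF; None means no route (isolation holds)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

# Constructed sample: the Guest VRF gets shared DNS/NTP and the Internet default
# route from the Shared VRF, but not Shared's other internal prefixes.
SAMPLE_PROFILE = VrfProfile(
    vrfs={
        "Guest": {"192.168.50.0/24": "guest-lan"},
        "Shared": {"10.10.10.0/24": "dc-services", "10.20.0.0/16": "dc-users",
                   "0.0.0.0/0": "internet-gw"},
    },
    leak_rules=[LeakRule("Shared", "Guest", ["10.10.10.0/24", "0.0.0.0/0"])],
)

def guest_next_hop(dst_ip: str) -> Optional[str]:
    return lookup(apply_leaking(SAMPLE_PROFILE)["Guest"], dst_ip)
```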
A customer wants to deploy Prisma SD-WAN ION devices at small home offices that use consumer-grade broadband routers. These routers typically use Symmetric NAT and do not allow static port forwarding.
Which standard mechanism does Prisma SD-WAN utilize to successfully establish direct Branch-to-Branch (Dynamic) VPN tunnels through these Symmetric NAT devices?
Comprehensive and Detailed Explanation
Prisma SD-WAN utilizes STUN (Session Traversal Utilities for NAT) to facilitate NAT Traversal for its Secure Fabric overlay.
Discovery: When an ION device connects to the internet behind a NAT router, it reaches out to the Prisma SD-WAN Controller. The controller acts as a STUN server, identifying the public IP address and port that the ION's traffic is originating from.
Symmetric NAT Challenge: In Symmetric NAT, the mapping changes for every destination. However, the Prisma SD-WAN architecture is designed to handle this by having the controller coordinate the connection attempt.
Hole Punching: The controller shares the discovered public mapping information between two peer ION devices. They then simultaneously initiate traffic to each other's public IP/Port (a technique called 'UDP Hole Punching'). This causes the intermediate NAT devices to allow the inbound traffic, establishing a direct P2P IPsec tunnel without requiring manual port forwarding or static IPs at the edge.
When defining a Path Quality Profile (SLA) for a "Transactional" application group (e.g., Citrix, Oracle), the administrator sets the "Packet Loss" threshold to 1%.
What happens to the traffic for this application if all active paths currently exceed this 1% loss threshold?
Comprehensive and Detailed Explanation
This behavior describes the 'Best Available Path' logic inherent in Prisma SD-WAN's availability design.
SLA Thresholds: Path Quality Profiles act as filters to identify compliant paths.
Total Violation: If all configured 'Active' paths violate the SLA (e.g., Path A has 2% loss, Path B has 5% loss, and the threshold is 1%), the system does not drop the traffic (Option A) because maintaining connectivity is prioritized over perfect quality.
Selection Logic: The system enters a fallback state where it compares the available active paths and selects the 'Least Bad' one---the path that is closest to meeting the SLA (in this case, Path A with 2% loss).
Backup Paths: Traffic would only move to a Backup path (Option D) if the policy explicitly configures the backup path to engage upon SLA violation of the active set. However, strictly speaking, if only active paths are considered and all fail, it picks the best of the active group rather than blackholing the traffic.
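The selection logic above, written out as an added example (not Prisma SD-WAN's own code): compliant active paths are preferred, a backup path is used only when policy engages it, and otherwise the 'least bad' active path carries the traffic. Only the page's 1% loss figures are from the text; the latency/jitter limits and the overshoot scoring used to rank violating paths are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Added illustration of SLA-based path selection; not Prisma SD-WAN's own code.
# The 'distance from SLA' scoring and the latency/jitter limits are assumptions.

@dataclass
class Sla:
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float

@dataclass
class Path:
    name: str
    role: str  # "active" or "backup"
    loss_pct: float
    latency_ms: float
    jitter_ms: float

def sla_distance(p: Path, sla: Sla) -> float:
    """Sum of relative overshoot per metric; 0.0 means the path meets the SLA."""
    return (max(0.0, (p.loss_pct - sla.max_loss_pct) / sla.max_loss_pct)
            + max(0.0, (p.latency_ms - sla.max_latency_ms) / sla.max_latency_ms)
            + max(0.0, (p.jitter_ms - sla.max_jitter_ms) / sla.max_jitter_ms))

def select_path(paths: List[Path], sla: Sla, backup_on_violation: bool = False) -> Optional[Path]:
    active = [p for p in paths if p.role == "active"]
    compliant = [p for p in active if sla_distance(p, sla) == 0.0]
    if compliant:
        return min(compliant, key=lambda p: (p.loss_pct, p.latency_ms, p.jitter_ms))
    # Every active path violates the SLA. Engage a backup only if policy says so.
    if backup_on_violation:
        backups = [p for p in paths if p.role == "backup" and sla_distance(p, sla) == 0.0]
        if backups:
            return backups[0]
    # Otherwise keep forwarding on the 'least bad' active path; never blackhole.
    return min(active, key=lambda p: sla_distance(p, sla)) if active else None

# Constructed sample from the text: 1% loss threshold, Path A at 2%, Path B at 5%.
TRANSACTIONAL_SLA = Sla(max_loss_pct=1.0, max_latency_ms=150.0, max_jitter_ms=30.0)
SAMPLE_PATHS = [
    Path("Path A", "active", loss_pct=2.0, latency_ms=40.0, jitter_ms=5.0),
    Path("Path B", "active", loss_pct=5.0, latency_ms=40.0, jitter_ms=5.0),
    Path("LTE backup", "backup", loss_pct=0.2, latency_ms=90.0, jitter_ms=10.0),
]

def chosen(backup_on_violation: bool = False) -> str:
    p = select_path(SAMPLE_PATHS, TRANSACTIONAL_SLA, backup_on_violation)
    return p.name if p else "drop"
```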
What is the number and structure of Prisma SD-WAN QoS queues supported per WAN interface?
Comprehensive and Detailed Explanation
The Prisma SD-WAN (ION) QoS engine utilizes a hierarchical queuing structure designed to provide granular control over application performance. Each WAN interface on an ION device supports a total of 16 QoS queues.
This 16-queue structure is derived from a matrix of 4 Classes (often referred to as Priority Classes) multiplied by 4 Application Criteria (Traffic Types).
4 Priority Classes: The system defines four high-level business priority categories:
Platinum (Highest priority)
Gold
Silver
Bronze (Lowest priority/Best Effort)
4 Application Criteria (Sub-queues): Within each of the four priority classes, the system further categorizes traffic into four specific application types to ensure proper handling (e.g., ensuring voice doesn't get stuck behind bulk data even within the same priority level):
Real-Time Video
Real-Time Audio
Transactional
Bulk
Calculation: 4 Priority Classes × 4 Application Types = 16 Total Queues per interface. This structure allows the scheduler to ensure that a 'Platinum' voice call is prioritized over 'Platinum' bulk data, and both are prioritized over 'Gold' traffic.
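The 4 × 4 matrix and the ordering it produces, as an added example (not the ION's own scheduler code): each (class, application type) pair maps to one of 16 queues, and a strict drain empties every Platinum queue before any Gold queue. The strict ordering of application types within a class is an assumption made to show the ordering the text describes.

```python
from collections import deque
from typing import Deque, List

# Added illustration of the 4 x 4 queue matrix (16 queues per WAN interface);
# not the ION's own scheduler. Strict ordering of app types within a class is
# an assumption used to show the ordering described in the text.
PRIORITY_CLASSES = ["Platinum", "Gold", "Silver", "Bronze"]  # highest to lowest
APP_TYPES = ["Real-Time Video", "Real-Time Audio", "Transactional", "Bulk"]

def queue_index(priority_class: str, app_type: str) -> int:
    """Map (class, app type) to one of the 16 queues; lower index drains first."""
    return PRIORITY_CLASSES.index(priority_class) * len(APP_TYPES) + APP_TYPES.index(app_type)

class WanInterfaceQos:
    def __init__(self) -> None:
        n = len(PRIORITY_CLASSES) * len(APP_TYPES)  # 4 x 4 = 16
        self.queues: List[Deque[str]] = [deque() for _ in range(n)]

    def enqueue(self, packet: str, priority_class: str, app_type: str) -> int:
        idx = queue_index(priority_class, app_type)
        self.queues[idx].append(packet)
        return idx

    def drain(self) -> List[str]:
        """Strict priority: empty every Platinum queue before any Gold queue, and so on."""
        sent: List[str] = []
        for q in self.queues:
            while q:
                sent.append(q.popleft())
        return sent

def demo_order() -> List[str]:
    """Constructed traffic mix; returns the transmission order."""
    qos = WanInterfaceQos()
    qos.enqueue("gold-voice", "Gold", "Real-Time Audio")
    qos.enqueue("platinum-backup", "Platinum", "Bulk")
    qos.enqueue("platinum-voice", "Platinum", "Real-Time Audio")
    qos.enqueue("bronze-web", "Bronze", "Transactional")
    return qos.drain()
```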