Pass the Paloalto Networks Network Security Administrator SD-WAN-Engineer Questions and answers with Dumpstech

Comprehensive and Detailed Explanation

Prisma Access manages Remote Network bandwidth using an Aggregate Bandwidth licensing model.

Compute Locations: When you purchase bandwidth (e.g., 1 Gbps), you allocate it to specific Prisma Access Compute Locations (e.g., US West, Europe Central).

Shared Pool: All branch sites (Remote Networks) that connect to that specific Compute Location share the allocated bandwidth pool. For example, if you allocate 500 Mbps to "US West" and connect 10 branches to it, they compete for that 500 Mbps aggregate.

Bursting: An individual branch is not strictly rate-limited to a "slice" (e.g., 50 Mbps) unless you explicitly configure QoS guarantees. By default, a single branch can burst and consume a large portion of the aggregate pool if other branches are idle. The enforcement happens at the Region/Compute Node level, ensuring the total throughput does not exceed the licensed capacity for that region.

Comprehensive and Detailed Explanation

In the Prisma SD-WAN (CloudGenix) Zero Touch Provisioning (ZTP) lifecycle, the device status transitions through specific stages that indicate its readiness and connectivity.

When an administrator enters the Claim Code (or Serial Number/Claim Code pair) into the portal, the device status immediately updates to "Claimed".

This status confirms that the portal has registered the device's unique identity and associated it with the customer's tenant. However, "Claimed" does not necessarily mean the device is fully operational or passing traffic yet. It simply signifies that the ownership is verified.

Once the physical device at the site successfully connects to the internet and reaches the Prisma SD-WAN Controller (using the call-home function), it will authenticate using its installed certificate. Upon successful authentication and the establishment of the secure control channel, the status will transition from "Claimed" to "Online".

Only after the device is "Online" can the controller push the specific site configuration (Device Shell), policies, and IP addressing required for the device to become "Provisioned" and eventually "Active" in the data path. If the device remains in the "Claimed" state for an extended period, it indicates that the hardware has not yet successfully contacted the controller, which prompts troubleshooting of the physical internet circuit or firewall rules upstream.

Comprehensive and Detailed Explanation

In Prisma SD-WAN Path Policies, the Service & DC Group (Destination) field determines where the traffic is sent.

Direct: This is the specific keyword/object used to instruct the ION to route traffic directly out to the local WAN interface (Local Breakout) towards the Internet, without encapsulation in a VPN tunnel. This is the correct setting for Guest Wi-Fi, SaaS applications (like Office 365), or any public web browsing that does not need to be backhauled.

Standard VPN / Default-Cluster: These options direct traffic into an IPSec overlay tunnel destined for a Data Center or another ION. Selecting these would "backhaul" the guest traffic, which contradicts the requirement for DIA.

When "Direct" is selected, the ION uses its available "Internet" category links. The policy can further specify which internet link to use (e.g., "Use Broadband, avoid LTE") via the path preference list, but the Destination type must be "Direct".

Comprehensive and Detailed Explanation

In Prisma SD-WAN, Custom Applications are global policy objects managed centrally on the controller.

Immediate Propagation: When an administrator creates or modifies a Custom Application definition (e.g., updating the IP subnet or port for an internal app), the Prisma SD-WAN controller automatically pushes this update to all connected ION devices in the tenant.

No Manual Push: Unlike some legacy firewall management paradigms (like Panorama "Commit and Push"), the Prisma SD-WAN architecture is "intent-based" and continuously synchronized. A change to a global object like an App Definition is considered a live configuration change and is distributed immediately via the secure control channel.

No Reboot: The ION data plane updates its classification engine dynamically without interrupting traffic or requiring a reboot. This ensures that policy enforcement (steering "Inventory_App" to the correct path) remains accurate in real-time.

Comprehensive and Detailed Explanation

Dynamic VPNs (also known as ION-to-ION or Branch-to-Branch VPNs) allow Prisma SD-WAN devices to establish direct, on-demand secure tunnels between branch sites to optimize latency for peer-to-peer traffic (e.g., VoIP calls between offices).

To enable this capability, the primary architectural requirement is the configuration of VPN Clusters.

A VPN Cluster defines a logical group of devices that are authorized to communicate with one another.

By default, or if devices are in different clusters without peering, the topology typically defaults to Hub-and-Spoke, where branches only talk to the Data Center.

When two branch ION devices are placed into the same VPN Cluster (or peered clusters), the controller shares the necessary reachability and cryptographic information between them.

Once in the same cluster, the ION devices monitor traffic. If a user at Branch A tries to contact a server at Branch B, the ION devices detect this interest. If a direct path is available (e.g., via public internet), they will dynamically negotiate a direct VPN tunnel, bypassing the Data Center hub. This offloads the hub and reduces latency. Option B is incorrect because SD-WAN eliminates manual GRE config. Option C is incorrect because dynamic VPNs are a performance feature, not just a disaster recovery feature.

Comprehensive and Detailed Explanation

Prisma SD-WAN (formerly CloudGenix) defines three distinct Operational Modes for a branch site, which determine how the ION device processes traffic and interacts with the network.

Analytics Mode (Monitor): In this mode, the ION device is typically deployed inline or in a "promiscuous" monitor state to gain visibility into network traffic without actively enforcing path selection policies.1 It "learns" applications, bandwidth usage, and network characteristics (auditing) but does not steer traffic or block flows.2 This is often used during Proof of Concepts (POVs) or the initial "burn-in" phase of a deployment to generate reports without risking network disruption.

Control Mode: This is the full production state. In Control Mode, the ION device actively enforces Path Policies, QoS Policies, and Security Policies. It builds Secure Fabric VPN tunnels, steers traffic based on application SLAs (e.g., sending voice over MPLS and bulk data over Broadband), and handles failover events.3 This is the required mode for a fully functional SD-WAN site.

Disabled Mode: This mode effectively shuts down the site's SD-WAN functionality from the controller's perspective. It is an administrative state used when a site is being decommissioned, provisioned but not yet live, or isolated for troubleshooting. In this state, the device does not participate in the fabric.

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizes a hierarchical QoS model (typically based on Hierarchical Token Bucket or similar shaping algorithms) to manage bandwidth contention.

Guaranteed Bandwidth: The "Platinum" class (used for Real-Time voice/video) is assigned a guaranteed bandwidth percentage (floor) in the QoS profile. This ensures that even if "Gold" (Transactional) or "Silver" (Bulk) traffic is trying to consume 100% of the link, the scheduler reserves the specific portion (e.g., 30%) for Platinum traffic, preventing starvation.

Shaping, not Policing: Unlike simple policing which drops excess traffic hard, the ION device shapes the egress traffic. If the link is congested, the scheduler delays the lower-priority packets (buffering) to allow the high-priority Platinum packets to exit immediately.

Why not Strict Priority (A)? While Platinum behaves like a priority queue, pure Strict Priority can completely starve lower queues if the high-priority traffic is misbehaving or voluminous. Prisma SD-WAN typically uses bandwidth guarantees (floors) and limits (ceilings) to ensure fair sharing while protecting critical apps.

Comprehensive and Detailed Explanation

In the Prisma Access architecture (integrated with SD-WAN), distinct connection types serve different purposes.

Remote Networks: These are the connections from your Branch sites (using ION devices) into the cloud. They allow branches to get to the internet or other branches.

Service Connections (SC): This is a specialized high-bandwidth connection used to bridge the Prisma Access Cloud to your Private Data Center or Headquarters.

The primary use case for a Service Connection (Option A) is to allow mobile users and branch users (who are connected to the Prisma cloud) to reach private, centralized resources that still reside on-premise, such as Active Directory controllers, legacy databases, or mainframes. Without a Service Connection, users in the cloud would be able to reach the internet and each other, but not the servers physically located in your HQ data center. The CloudBlade automates the creation of these tunnels, but architecturally, the "Service Connection" is the "cloud-to-HQ" bridge.

Comprehensive and Detailed Explanation

In a Prisma SD-WAN Data Center deployment, the operational state of the Secure Fabric VPNs (overlay tunnels) is directly tied to the health of the BGP Core Peer configuration.4

Core Peer Dependency: DC ION devices typically peer with the data center core switch (Core Router) via BGP to learn the subnets (prefixes) for the applications hosted in the DC. The Prisma SD-WAN controller monitors this BGP peering status.5

Controller Logic: If the BGP Core Peer on a DC ION goes down (or is not established), the controller automatically marks the VPN tunnels terminating at that specific ION as "Inactive".6 This is a fail-safe mechanism designed to prevent remote branches from sending traffic to a DC ION that has lost conne7ctivity to the internal data center network (and thus the applications).

Scenario Analysis: In this scenario, DC ION-1 has active VPNs, meaning its BGP Core Peer is UP and it is successfully advertising reachability. DC ION-2 has no active VPNs, which strongly indicates that its BGP Core Peer is down.8 Because the controller sees the peer is down, it suppresses the tunnel establishment or marks existing tunnels as inactive to ensure traffic is only directed to the healthy node (ION-1).

Comprehensive and Detailed Explanation

To diagnose specific VPN negotiation failures (Phase 1 or Phase 2 IPSec issues), the Event Logs (specifically filtered for System or VPN events) are the correct resource.

Event Logs: This section records the control plane signaling messages. If a VPN tunnel fails to establish, the Event Log will generate an entry containing the specific IKE failure reason sent by the peer or generated locally. Common errors found here include INVALID_COOKIE, NO_PROPOSAL_CHOSEN (mismatch in encryption algorithms), or PRE_SHARED_KEY_MISMATCH.

Flow Browser (A): This shows user traffic (TCP/UDP sessions). If the VPN is down, user traffic won't even enter the tunnel, so the Flow Browser will just show dropped flows or blackholes, but it won't explain why the tunnel itself is broken.

Link Quality (D): This shows latency/loss graphs for established tunnels. It cannot diagnose why a tunnel failed to form in the first place.