Free Paloalto Networks SD-WAN-Engineer Practice Exam with Questions & Answers

Comprehensive and Detailed Explanation

The AppX (Application Experience) score is a proprietary metric used by Prisma SD-WAN to provide a holistic view of user experience, rather than just network statistics. It is calculated based on three key components:

Transaction Failure Rate (A): The percentage of application transactions that failed (e.g., TCP resets, HTTP 500 errors). This indicates availability.

Network Transfer Time (B): The time taken for packets to traverse the network (WAN/LAN latency). This indicates network health.

Server Response Time (C): The time taken by the application server to respond to a request. This indicates backend performance.

Why not D or E?

Bandwidth Utilization (D) is a capacity metric, not a direct measure of quality. A link can be 90% full but still deliver packets quickly (good AppX), or 10% full but dropping packets (bad AppX).

Jitter (E) is a network-layer metric primarily relevant for UDP Real-Time media. While important, the high-level "AppX" score for general TCP apps focuses on the "Time-to-Glass" metrics (NTT/SRT) and success rates.

Comprehensive and Detailed Explanation

In a Prisma SD-WAN Data Center deployment, the operational state of the Secure Fabric VPNs (overlay tunnels) is directly tied to the health of the BGP Core Peer configuration.4

Core Peer Dependency: DC ION devices typically peer with the data center core switch (Core Router) via BGP to learn the subnets (prefixes) for the applications hosted in the DC. The Prisma SD-WAN controller monitors this BGP peering status.5

Controller Logic: If the BGP Core Peer on a DC ION goes down (or is not established), the controller automatically marks the VPN tunnels terminating at that specific ION as "Inactive".6 This is a fail-safe mechanism designed to prevent remote branches from sending traffic to a DC ION that has lost conne7ctivity to the internal data center network (and thus the applications).

Scenario Analysis: In this scenario, DC ION-1 has active VPNs, meaning its BGP Core Peer is UP and it is successfully advertising reachability. DC ION-2 has no active VPNs, which strongly indicates that its BGP Core Peer is down.8 Because the controller sees the peer is down, it suppresses the tunnel establishment or marks existing tunnels as inactive to ensure traffic is only directed to the healthy node (ION-1).

Comprehensive and Detailed Explanation

Prisma Access manages Remote Network bandwidth using an Aggregate Bandwidth licensing model.

Compute Locations: When you purchase bandwidth (e.g., 1 Gbps), you allocate it to specific Prisma Access Compute Locations (e.g., US West, Europe Central).

Shared Pool: All branch sites (Remote Networks) that connect to that specific Compute Location share the allocated bandwidth pool. For example, if you allocate 500 Mbps to "US West" and connect 10 branches to it, they compete for that 500 Mbps aggregate.

Bursting: An individual branch is not strictly rate-limited to a "slice" (e.g., 50 Mbps) unless you explicitly configure QoS guarantees. By default, a single branch can burst and consume a large portion of the aggregate pool if other branches are idle. The enforcement happens at the Region/Compute Node level, ensuring the total throughput does not exceed the licensed capacity for that region.

Comprehensive and Detailed Explanation

In a Prisma SD-WAN High Availability (HA) deployment, the HA Control Interface is the critical lifeline used to synchronize state, heartbeats, and flow information between the Active and Standby ION devices.

The strict requirement for this connection is that it must be Layer 2 adjacent.

Best Practice: A direct physical cable connection between the designated HA ports of the two devices (e.g., Port 2 on Device A to Port 2 on Device B).

Alternative: Connectivity through a switch on a dedicated, isolated VLAN is supported, provided the devices are in the same broadcast domain and subnet.

Routing (Layer 3) is not supported for the HA Control link because the keepalive mechanism relies on low-latency, multicast/broadcast-level adjacency to detect failures instantly (sub-second failover). If the HA link were routed (Option A), network latency or router convergence issues could cause "Split-Brain" scenarios where both devices assume the Active role, leading to IP conflicts and traffic loops. Option C is incorrect because the Controller is too slow to manage real-time failover; the decision must be local.

Comprehensive and Detailed Explanation

Prisma SD-WAN separates real-time visibility from historical summarization.

Reports (C): The Reports section is the dedicated engine for generating historical summaries. Administrators can create custom report templates (e.g., "Monthly Executive Summary") that include specific widgets like "Top Applications by Volume," "Site Availability," or "Circuit Utilization." Crucially, this feature allows for Scheduling, where the system automatically generates the PDF report at a set interval (e.g., first day of the month) and emails it to a distribution list.

Activity Charts (A) / Media Analytics (B): These provide interactive, visual graphs for ad-hoc analysis but are not designed for generating downloadable, scheduled PDF summaries for management.

Flow Browser (D): This is for deep-dive troubleshooting of individual sessions, not for high-level aggregate reporting.

Comprehensive and Detailed Explanation

In Prisma SD-WAN (CloudGenix), Path Policies control how application traffic is steered across WAN links. To ensure that traffic is automatically shifted from a saturated circuit to another circuit with available bandwidth, both circuits must be configured as Active Paths within the policy rule.

When multiple paths are designated as "Active," the ION device treats them as a shared pool of available resources. The system continuously monitors the bandwidth utilization (capacity) and health (latency, jitter, loss) of all active links. If "Circuit A" (500 Mbps) becomes saturated or approaches its defined bandwidth limit, the ION's intelligent scheduler will automatically direct new application flows to "Circuit B" (100 Mbps) because it is a valid, healthy Active path with available capacity. This achieves effective load balancing and bandwidth aggregation.

In contrast, configuring "Circuit B" as a Backup Path (Option A or B) creates a strict priority relationship. Traffic would only move to the Backup path if the Active path completely failed or violated its configured SLA (Path Quality Profile) significantly enough to be considered "down." Mere bandwidth saturation might not trigger an SLA failure immediately, potentially leading to dropped packets on the saturated link while the backup link remains idle. Therefore, placing Both circuits under active path is the correct configuration for dynamic capacity management.

In the Prisma SD-WAN (Instant-On Network) management framework, administrators can customize how events are handled and prioritized across different sites through Event Policies. An organization that requires "elevated incident notifications" for a critical site like its headquarters needs a way to differentiate those alerts from standard branch notifications in the management portal and integrated third-party tools.

The most direct and effective method to achieve this is by configuring an Event Policy Rule specifically for the headquarters site. Within the incident policy framework, administrators can create rules that match specific resources—in this case, the headquarters site—and apply an action to set the priority. Priority levels typically range from P1 (highest) to P5 (lowest).1 By setting these to the highest level (P1), any generated incident for that site will immediately stand out on the dashboard as a high-priority event.

This approach is superior to other options because it changes the inherent importance of the alert within the Prisma SD-WAN logic itself. For example, a "WAN Link Down" event at a small retail branch might be a P3, but the same event at the HQ could be elevated to a P1 via a custom policy rule. This elevation ensures that the Network Operations Center (NOC) is alerted more urgently and that external integrations, such as ServiceNow or PagerDuty, receive the correct priority mapping for immediate escalation. Options such as aggressive SLA thresholds (Option B) only increase the frequency of alerts, not necessarily their notification priority, while global syslog or SNMP settings (Options A and D) lack the site-specific granularity required for this use case.

When a Prisma SD-WAN ION device triggers the DEVICESW_CONCURRENT_FLOWLIMIT_EXCEEDED incident, it indicates that the number of active sessions has reached the hardware or software-defined capacity limit of that specific appliance. In the provided graph, we can see a massive spike in concurrent TCP flows on May 13th, reaching nearly 500k, which is a clear indicator of anomalous behavior—likely a "top talker" host, a malware outbreak, or a misconfigured application generating excessive connections.

To identify the specific host responsible for this surge, administrators should navigate to Monitor → Activity → Flows. This interface, commonly known as the Flow Browser, provides the most granular visibility into real-time and historical session data within the Prisma SD-WAN fabric. Unlike "Transaction Stats," which provide high-level summaries, or "New Flows," which only show the rate of session initiation, the Flows view allows an engineer to filter and sort the active session table by metadata such as Source IP, Destination IP, Application, and Site.

By utilizing the Flow Browser, an administrator can quickly group flows by "Source IP" to pinpoint exactly which internal host is consuming the most flow table entries. This is the standard "Day 2" operational workflow for troubleshooting performance and capacity incidents. While running a tcpdump (Option A) is a valid diagnostic for packet-level analysis, it is inefficient for identifying a single host among hundreds of thousands of flows and can further tax the device's CPU during a high-load event. The Monitor → Activity → Flows tool is designed specifically for this type of scale, providing the necessary visibility to remediate the flow limit exhaustion and restore normal network operations.

In modern enterprise environments, particularly those undergoing Mergers and Acquisitions (M&A), engineers often face the challenge of overlapping IP address space.4 Prisma SD-WAN addresses this by utilizing Virtual Routing and Forwarding (VRF) profiles.5 A VRF creates a separate routing table instance within the ION device, allowing multiple networks to coexist on the same physical hardware even if they use the same IP ranges.

To achieve end-to-end connectivity while maintaining strict segmentation, these VRF profiles must be correctly associated with site bindings.7 When a VRF is "bound" to a site, the ION device ensures that traffic belonging to that specific segment remains isolated not only locally (on the LAN) but also across the secure SD-WAN fabric. Prisma SD-WAN achieves this by encapsulating the traffic within the overlay tunnels and tagging it with a unique VRF identifier.8 This ensures that a "Corporate" VRF at Site A can only communicate with the "Corporate" VRF at Site B, effectively keeping "Guest" or "Acquisition" traffic completely separate.

This architectural approach is superior to traditional underlay segmentation (Option A) or simple interface-based virtual routers (Option D) because it provides a centralized, software-defined method to manage multi-tenancy. By using VRF profiles, administrators can define a global security and routing posture once and push it to all relevant sites.9 This simplifies the integration of new business units with conflicting IP schemes, as the Prisma SD-WAN controller handles the complex orchestration required to maintain path selection and security policies uniquely for each VRF across the entire global network.

Comprehensive and Detailed Explanation

The Prisma SD-WAN (ION) QoS engine utilizes a hierarchical queuing structure designed to provide granular control over application performance. Each WAN interface on an ION device supports a total of 16 QoS queues.

This 16-queue structure is derived from a matrix of 4 Classes (often referred to as Priority Classes) multiplied by 4 Application Criteria (Traffic Types).2

4 Priority Classes: The system defines four high-level business priority categories:3

Platinum (Highest priority)4

Gold

Silver

Bronze (Lowest priority/Best Effort)5

4 Application Criteria (Sub-queues): Within each of the four priority classes, the system further categorizes traffic into four specific application types to ensure proper handling (e.g., ensuring voice doesn't get stuck behind bulk data even within the same priority level):6

Real-Time Video

Real-Time Audio

Transactional

Bulk7

Calculation: 4 Priority Classes × 4 Application Types = 16 Total Queues per interface. This structure allows the scheduler to ensure that a "Platinum" voice call is prioritized over "Platinum" bulk data, and both are prioritized over "Gold" traffic.