Free Paloalto Networks SD-WAN-Engineer Practice Exam with Questions & Answers | Set: 2

Comprehensive and Detailed Explanation

To defend against volumetric attacks such asTCP SYN Floods, UDP Floods, or ICMP Floods, Prisma SD-WAN (like PAN-OS) utilizesZone Protection Profiles.

Function:A Zone Protection Profile is a specific security object designed to screen traffic for protocol anomalies and flood behaviors before it is processed by the complex firewall policy engine. It sets thresholds (e.g., "Max 1000 SYNs/sec"). If the traffic rate exceeds this threshold, the system triggers an action (Alarm, Drop, or SYN Cookies) to protect the device's resources.

Application:Unlike a standardZBFW Rule(A) which filters based on Source/Destination/App-ID (which might still allow the initial handshake packets that cause the flood), a Zone Protection Profile is applied to theZoneobject itself (in this case, theLAN Zone). This ensures that the flood is mitigated at the ingress stage, preventing the ION's session table and CPU from being exhausted by the attack.

Comprehensive and Detailed Explanation

TheSITE_CONNECTIVITY_DOWNalarm is a high-severity alert indicating a total loss of overlay connectivity for a site.

It doesnottrigger if justonecircuit fails (Option B), provided that other circuits are still up and maintaining VPNs. A single link failure would typically trigger a "Link Down" or "VPN Down" alarm, but theSiteconnectivity would remain "Up" (degraded).

It does not simply mean the device rebooted (Option A), although a reboot would cause it temporarily; the alarm specifically tracks the state of the VPN fabric.

The SITE_CONNECTIVITY_DOWN alarm specifically generates when all Secure Fabric Links (VPN tunnels) on the device are in the "Down" state. This means the branch is completely isolated from the rest of the SD-WAN network (Data Centers and other branches), even if the device itself might still be powered on and reachable via the controller (management plane). It signifies a "Blackout" of the data plane for that location.

Comprehensive and Detailed Explanation

Prisma SD-WAN calculates the Mean Opinion Score (MOS) to provide a standardized metric (1-5) for voice quality. To ensure the system always knows the "voice readiness" of a path—even before a call starts—it uses Active Probes (synthetic UDP packets).

While latency is measured, the MOS calculation algorithm is most heavily penalized by Packet Loss (D) and Jitter (B).

Packet Loss:Even a small amount of loss (e.g., >1%) dramatically reduces voice clarity, causing dropouts.

Jitter: High variance in packet arrival time (jitter) causes the "robotic" voice effect and buffer underruns.

The system continuously measures these specific metrics on all WAN links using synthetic probes. If the packet loss or jitter exceeds the threshold defined in the "Path Quality Profile" (e.g., Voice Profile), the path is marked as non-compliant, and the MOS score drops, triggering a policy action to move the flow. Throughput (C) is less critical for voice as calls consume very little bandwidth (e.g., 64-100 Kbps), making congestion (loss/jitter) the primary enemy, not raw speed.

Comprehensive and Detailed Explanation

Prisma SD-WAN supports Dynamic VPNs (Branch-to-Branch) even when both endpoints are behind Source NAT (e.g., typical broadband connections).

To achieve this, the ION devices utilize standard NAT Traversal techniques, specifically leveraging STUN (Session Traversal Utilities for NAT).

Discovery:Each ION communicates with the Cloud Controller (which acts as a STUN server/signaling broker). Through this communication, the controller observes thepublicIP and Port that the ION's traffic is coming from (the post-NAT address).

Signaling:The controller shares this public reachability information with the peer ION.

Hole Punching:The IONs then attempt to initiate connections to each other's discovered public IP/Port. This "UDP Hole Punching" allows them to establish a direct IPSec tunnel through the NAT devices without requiring static 1:1 NAT mapping or manual port forwarding on the provider routers, enabling mesh connectivity in commodity internet environments.

Comprehensive and Detailed Explanation

In Prisma SD-WAN,Custom Applicationsare global policy objects managed centrally on the controller.

Immediate Propagation:When an administrator creates or modifies a Custom Application definition (e.g., updating the IP subnet or port for an internal app), the Prisma SD-WAN controller automatically pushes this update toallconnected ION devices in the tenant.

No Manual Push:Unlike some legacy firewall management paradigms (like Panorama "Commit and Push"), the Prisma SD-WAN architecture is "intent-based" and continuously synchronized. A change to a global object like an App Definition is considered a live configuration change and is distributed immediately via the secure control channel.

No Reboot:The ION data plane updates its classification engine dynamically without interrupting traffic or requiring a reboot. This ensures that policy enforcement (steering "Inventory_App" to the correct path) remains accurate in real-time.