Uploaded on Jan 6, 2026
The SD-WAN Engineer Certification validates your expertise in designing, implementing, and managing Software-Defined Wide Area Networks (SD-WAN). It covers SD-WAN architecture, deployment models, traffic management, security, monitoring, and troubleshooting best practices. This certification is ideal for network engineers, IT professionals, and solution architects who want to demonstrate proficiency in modern WAN technologies and optimize enterprise network performance.
SD-WAN Engineer Certification – Software-Defined WAN Specialist
Palo Alto Networks
SD-WAN-Engineer
ExamName: Palo Alto Networks SD-WAN Engineer
Exam Version: 6.1
Questions & Answers Sample PDF
https://pass2certify.com//exam/sd-wan-engineer Page 1 of 8
Question 1. (Single Select)
A network administrator is troubleshooting a critical SaaS application, “SuperSaaSApp”, that is
experiencing connectivity issues. Initially, the configured active and backup paths for the application were
reported as completely down at Layer 3. The Prisma SD-WAN system attempted to route traffic for the
application over an L3 failure path that was explicitly configured as a Standard VPN to Prisma Access.
However, users are still reporting a complete outage for the application and monitoring tools show
application flows being dropped when attempting to use the Standard VPN L3 failure path, even though the
tunnel itself appears to be up. The administrator suspects a policy misconfiguration related to how the
Standard VPN path interacts with destination groups.
What is the most likely reason for flows being dropped when attempting to use the Standard VPN L3 failure
path?
A: The “Move Flows Forced” action was not enabled in the performance policy for “SuperSaaSApp”,
preventing the system from actively shifting traffic to the L3 failure path.
B: The path policy rule for “SuperSaaSApp” has the “Required” checkbox selected for its Service & DC
Group, but no direct paths were configured alongside it, creating a conflict.
C: The path policy rule explicitly designates a Standard VPN as the L3 failure path, but it does not include a
designated Standard Services and DC Group, causing traffic to be dropped.
D: The Standard VPN in the path policy was not configured to “Minimize Cellular Usage”, leading to the
depletion of metered data and subsequent flow drops.
Answer: C
Explanation:
Comprehensive and Detailed Explanation
According to Palo Alto Networks Prisma SD-WAN administrator documentation regarding Path Policy
configuration, specific rules apply when utilizing Standard VPNs (IPSec tunnels to non-ION devices, such
as Prisma Access or third-party firewalls) as an L3 Failure Path.
When a Path Policy rule is configured, the administrator defines Active Paths, Backup Paths, and L3
Failure Paths. The L3 Failure Path is a "last resort" mechanism used when all Active and Backup paths are
unavailable (Layer 3 down).
If Standard VPN is selected as the L3 Failure Path type, the system explicitly requires that the administrator
also associates it with a specific Standard Services and DC Group within that same policy rule.
The ION device uses the Standard Services and DC Group to identify the specific remote endpoint (tunnel
destination) where the traffic should be routed. Unlike a "Direct" (Internet) path which can simply route out
to the WAN, a Standard VPN represents a logical tunnel. If the policy rule designates "Standard VPN" as
the failure path but leaves the "Standard Services and DC Group" field empty or unselected, the ION
effectively has a directive to "use a VPN" but lacks the instruction on which VPN group to use for this
specific application context. Consequently, even if the IPSec tunnel to Prisma Access is physically up and
stable, the policy engine cannot resolve the next hop for the "SuperSaaSApp" traffic, resulting in the
packets being dropped. To resolve this, the administrator must edit the Path Policy rule to ensure the
specific Standard Service/DC Group representing Prisma Access is checked/selected for the L3 Failure
Path.
Question 2. (Multi Select)
When identifying devices for IoT classification purposes, which two methods does Prisma SD-WAN use to
discover devices that are not directly connected to the branch ION? (Choose two.)
A: LLDP
B: CDP
C: SNMP
D: Syslog
Answer: C, D
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN (formerly CloudGenix) integrates with Palo Alto Networks IoT Security to provide
comprehensive visibility into all devices at a branch, including those that are not directly connected to the
ION device. While the ION automatically detects and classifies devices connected directly to its interfaces
via traffic inspection (DPI), DHCP, and ARP analysis, gaining visibility into off-branch devices (devices
connected to downstream switches or access points) requires additional discovery mechanisms that can
query the network infrastructure or ingest its logs.
1. SNMP (Simple Network Management Protocol): This is the primary active discovery method for
off-branch devices. The Prisma SD-WAN ION device acts as a sensor that actively polls local network
switches and wireless controllers using SNMP. By querying the ARP tables and MAC address tables
(Bridge MIBs) of these intermediate network devices, the ION can identify endpoints that are connected to
the switch ports, even if those endpoints are not currently sending traffic through the ION. This allows the
system to map the topology and discover silent or lateral-traffic-only devices.
2. Syslog: In conjunction with SNMP, the IoT Security solution can utilize Syslog messages to discover and
profile devices. Network infrastructure devices (like switches and WLAN controllers) can be configured to
send Syslog messages to the collection point (which enables the IoT Security service) whenever a device
connects or disconnects (e.g., port up/down events, DHCP snooping logs, or 802.1x authentication logs).
These logs provide real-time data about device presence and identity (MAC/IP mappings) for devices that
are not directly adjacent to the ION, ensuring 100% visibility across the branch network segments. LLDP
(A) and CDP (B) are typically Link Layer discovery protocols used for discovering directly connected
neighbors and do not propagate beyond the immediate link, making them unsuitable for discovering
devices multiple hops away or behind a switch.
Question 3. (Single Select)
In a data center (DC) with two ION devices, all of the remote branch Prisma SD-WAN VPNs are active only
on DC ION-1.
Why are no VPNs active on DC ION-2?
A: The BGP core peer is down.
B: The static route to core as a next hop is missing.
C: The ION device is behind a NAT.
D: The DC and branches are in a different domain.
Answer: A
Explanation:
Comprehensive and Detailed Explanation
In a Prisma SD-WAN Data Center deployment, the operational state of the Secure Fabric VPNs (overlay tunnels) is directly tied to the health of the BGP Core Peer configuration.
Core Peer Dependency: DC ION devices typically peer with the data center core switch (Core Router) via BGP to learn the subnets (prefixes) for the applications hosted in the DC. The Prisma SD-WAN controller monitors this BGP peering status.
Controller Logic: If the BGP Core Peer on a DC ION goes down (or is not established), the controller automatically marks the VPN tunnels terminating at that specific ION as "Inactive". This is a fail-safe mechanism designed to prevent remote branches from sending traffic to a DC ION that has lost connectivity to the internal data center network (and thus the applications).
Scenario Analysis: In this scenario, DC ION-1 has active VPNs, meaning its BGP Core Peer is UP and it is successfully advertising reachability. DC ION-2 has no active VPNs, which strongly indicates that its BGP Core Peer is down. Because the controller sees the peer is down, it suppresses tunnel establishment or marks existing tunnels as inactive to ensure traffic is only directed to the healthy node (ION-1).
Question 4. (Single Select)
Which statement is valid when integrating Prisma SD-WAN with Prisma Access remote networks?
A: Security policies for remote networks are configured in Prisma Access and pushed to Prisma SD-WAN
for enforcement on the branch ION devices.
B: Easy onboarding automatically recommends the closest preconfigured remote network security
processing nodes and can be overridden manually.
C: A branch with multiple internet circuits will automatically connect to Prisma Access on each circuit and
will be used in an active/standby manner for internet-bound traffic.
D: Bandwidth must be allocated to each Prisma Access remote network compute location, and this
bandwidth is shared between all branches that terminate on this remote network node.
Answer: D
Explanation:
Comprehensive and Detailed Explanation
When deploying Prisma Access for Remote Networks (connecting branch offices), the licensing and
throughput model is based on aggregate bandwidth allocated to specific compute locations (regions).
Bandwidth Allocation (Option D): Administrators must purchase and allocate a specific amount of
bandwidth (e.g., 500 Mbps, 1 Gbps) to a Prisma Access "Compute Location" (e.g., US West, Europe
Central). This allocated bandwidth is then shared as a pool among all the branch sites (Remote Networks)
that onboard and terminate their IPSec tunnels at that specific location. The system does not allocate
bandwidth on a strict per-site basis but rather enforces the limit on the aggregate throughput of the
compute node itself.
Policy Enforcement (Option A): Security policies for Prisma Access are enforced in the cloud (at the Prisma
Access Service Processing Node), not pushed down to the branch ION devices for local enforcement. The
ION device handles local segmentation (ZBFW) and traffic steering, but the "Remote Network" security
stack resides in the cloud.
Path Usage (Option C): Prisma SD-WAN is designed to utilize Active/Active paths. When a branch has
multiple internet circuits connected to Prisma Access, the CloudBlade and ION automatically build tunnels
on all compatible paths and can load-balance traffic across them based on application performance (SLA),
rather than defaulting to a strict Active/Standby model for internet traffic.
Question 5. (Multi Select)
What are two potential causes when a secondary public circuit has been added to the branch site, but the
Prisma SD-WAN tunnel is not forming to the data center? (Choose two.)
A: Interface role is not selected as “internet.”
B: Circuit label is missing from interface type.
C: DNS is not configured.
D: Interface scope is set to “local.”
Answer: A, D
Explanation:
Comprehensive and Detailed Explanation
In Prisma SD-WAN (formerly CloudGenix), the establishment of Secure Fabric (VPN) tunnels is automated but relies heavily on the correct definition of the Network Context for each interface. If a tunnel fails to form on a newly added secondary circuit, it is typically due to a misconfiguration in how the interface is defined in the ION portal.
1. Interface Scope (Statement D):
The Scope setting on an interface determines its function in the network topology.
Global Scope: This defines the interface as a WAN-facing port. The ION device will only attempt to build
VPN tunnels (overlay) on interfaces configured with Global scope.
Local Scope: This defines the interface as a LAN-facing port (for users, switches, or APs). If the
administrator mistakenly sets the scope to "Local" for the new internet line, the ION treats it as a private
LAN segment and will not initiate any tunnel negotiation or WAN signaling on that port.
2. Interface Role/Circuit Category (Statement A):
Prisma SD-WAN uses Circuit Categories (often referred to as Interface Roles in general networking terms,
or specifically "Circuit Category" in the ION UI) to determine peering logic.
To form a tunnel over a public internet link to a Data Center, the circuit attached to the interface must be
categorized as "Internet".
The controller uses this category to match compatible endpoints. It knows that a "Private WAN" (MPLS) link
cannot directly tunnel to an "Internet" link without a gateway. If the new circuit is not correctly
selected/categorized as "Internet" (e.g., left undefined or set to a different category), the system will not
attempt to build the standard IPSec overlay to the Data Center's public IP address.