SD-WAN-Engineer Online Practice Questions


Latest SD-WAN-Engineer Exam Practice Questions

The practice questions for the SD-WAN-Engineer exam were last updated on 2026-01-07.


Question#1

Based on the HA topology image below, which two statements describe the end-state when power is removed from the ION 1200-S labeled “Active”, assuming that the ION labeled “Standby” becomes the active ION? (Choose two.)


A. Both the connection to ISP A and the connection to LTE/5G will be usable.
B. The VRRP Virtual IP address assigned to any SVIs will be moved to the newly active ION.
C. The newly active ION will send a gratuitous ARP to the LAN for the IP address of any SVIs.
D. The connection to ISP A will be usable, but the connection to LTE/5G will not.

Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN High Availability (HA) for branch ION devices, and in particular the Gen-2 ION 1200-S, is designed to preserve 100% of WAN capacity during a hardware or power failure. This is achieved with Bypass Pairs (fail-to-wire ports). In the topology shown, the ISP A and LTE/5G circuits are cross-connected through the bypass ports (typically ports 3 and 4 on the ION 1200-S).
When the "Active" ION loses power, the physical relays in its bypass pair close and create a wire-level bridge between the two ports. The LTE/5G circuit, which enters the Active ION on port 4, is therefore bridged to port 3 and passes straight through to port 4 of the Standby ION. ISP A is already cabled to the Standby ION. Once the Standby device has transitioned to the Active state it has physical access to both WAN circuits, which validates statement A (and rules out D). Note that fail-to-wire only preserves a circuit that is cabled through the bypass pair; a circuit terminated on an ordinary port of the failed device is lost.
On the LAN side, Prisma SD-WAN does not use VRRP for ION-to-ION HA, so statement B is wrong; it uses its own control-plane HA mechanism. On failover the newly active ION takes over the IP addresses of all configured Switch Virtual Interfaces (SVIs) and LAN interfaces. So that the downstream Layer 2 infrastructure (the LAN switches in the diagram) and the hosts' ARP caches map those IPs to the new hardware, the newly active ION immediately broadcasts a gratuitous ARP (GARP) for each address. LAN traffic is steered to the new device without waiting for ARP or MAC-table entries to age out, which validates statement C.
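As an added example (not taken from the page or from Palo Alto Networks documentation), the following Python builds the gratuitous ARP a newly active ION would broadcast for an SVI address, parses raw Ethernet frames to recognise a GARP (sender IP equal to target IP), and shows a LAN host's ARP cache being repointed from the failed chassis to the new one. The MAC and IP addresses are constructed sample data, and the example assumes each ION announces the SVI from its own hardware MAC; the frame layout follows RFC 826 over Ethernet II.

```python
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = bytes.fromhex("ffffffffffff")


def mac(s: str) -> bytes:
    """'00:11:22:aa:aa:01' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    """'10.1.10.1' -> 4 raw bytes."""
    return bytes(int(o) for o in s.split("."))


def build_arp(op: int, sender_mac: bytes, sender_ip: str,
              target_mac: bytes, target_ip: str) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826)."""
    eth = BROADCAST_MAC + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, opcode
           + sender_mac + ip(sender_ip) + target_mac + ip(target_ip))
    return eth + arp


def build_garp(sender_mac: bytes, svi_ip: str) -> bytes:
    """Gratuitous ARP reply: sender IP == target IP, addressed to the broadcast MAC."""
    return build_arp(2, sender_mac, svi_ip, BROADCAST_MAC, svi_ip)


def parse_garp(frame: bytes):
    """Return (sender_mac, sender_ip) if the frame is a gratuitous ARP, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    if spa != tpa:                      # ordinary request/reply, not gratuitous
        return None
    return sha, ".".join(str(b) for b in spa)


def learn(arp_cache: dict, frame: bytes) -> dict:
    """Update a LAN host's IP->MAC cache the way a received GARP would."""
    hit = parse_garp(frame)
    if hit:
        sha, spa = hit
        arp_cache[spa] = sha
    return arp_cache


def failover_demo() -> dict:
    """Constructed scenario: the SVI moves from the failed ION to the newly active one."""
    svi = "10.1.10.1"
    active_mac = mac("00:11:22:aa:aa:01")    # sample MAC of the ION that lost power
    standby_mac = mac("00:11:22:bb:bb:02")   # sample MAC of the ION taking over
    cache = {svi: active_mac}
    # The newly active ION announces the SVI from its own hardware address.
    learn(cache, build_garp(standby_mac, svi))
    # An unrelated, non-gratuitous ARP request must leave the cache untouched.
    learn(cache, build_arp(1, mac("00:aa:bb:cc:dd:ee"), "10.1.10.50",
                           bytes(6), "10.1.10.60"))
    return cache


if __name__ == "__main__":
    print({k: v.hex(":") for k, v in failover_demo().items()})
```

A capture filter of `arp` on the LAN during a forced failover should show exactly these frames, one per SVI, sourced from the new chassis; if they are absent, hosts keep sending to the dead MAC until their ARP entries expire.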

Question#2

A network administrator notices that a branch ION device is experiencing high CPU utilization due to a suspected TCP SYN Flood attack originating from a compromised host on the local LAN.
Which specific security feature should be configured and applied to the "LAN" zone to mitigate this Denial of Service (DoS) attack?

A. Zone-Based Firewall (ZBFW) Rule with a "Deny" action
B. Zone Protection Profile
C. Application Quality Profile (AQP)
D. Access Control List (ACL) on the WAN interface

Explanation:
Comprehensive and Detailed Explanation
To defend against volumetric attacks such as TCP SYN floods, UDP floods or ICMP floods, Prisma SD-WAN (like PAN-OS) uses Zone Protection Profiles.
Function: A Zone Protection Profile is a security object that screens traffic for protocol anomalies and flood behaviour before the firewall policy engine evaluates it. It sets rate thresholds (for example "max 1000 SYNs/sec"); when the observed rate exceeds a threshold the device takes the configured action (alarm, drop, or SYN cookies) to protect its own resources.
Application: A standard ZBFW rule (A) matches on source, destination and App-ID and would still have to process the initial handshake packets that make up the flood, so it does not relieve the CPU. A Zone Protection Profile is attached to the zone object itself, here the LAN zone, so the flood is mitigated at ingress before the ION's session table and CPU are exhausted. An AQP (C) shapes application quality and does nothing for DoS, and an ACL on the WAN interface (D) is on the wrong side: the attacker is on the local LAN, so the SYNs never traverse the WAN interface inbound.
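As an added example (not from the page, and not the ION's own implementation), the following Python shows the per-source SYN rate check that a "max N SYNs/sec" zone threshold implements: a sliding one-second window per source, an alarm threshold and a drop threshold. The packet records are constructed sample traffic with one flooding LAN host and one normal host; the threshold values are assumptions chosen for the demonstration, and the SYN-cookies action is omitted for brevity.

```python
from collections import defaultdict, deque


class SynFloodGuard:
    """Per-source SYN rate limiter with alarm and drop thresholds (SYNs per window)."""

    def __init__(self, alarm_rate: int = 100, drop_rate: int = 1000, window_s: float = 1.0):
        self.alarm_rate = alarm_rate
        self.drop_rate = drop_rate
        self.window_s = window_s
        self._syns = defaultdict(deque)   # src -> timestamps of recent pure SYNs

    def observe(self, ts: float, src: str, flags: str) -> str:
        """Return the action for one packet: 'allow', 'alarm' or 'drop'."""
        if "S" not in flags or "A" in flags:      # only pure SYNs count toward a flood
            return "allow"
        q = self._syns[src]
        while q and q[0] <= ts - self.window_s:   # slide the window forward
            q.popleft()
        q.append(ts)
        if len(q) > self.drop_rate:
            return "drop"
        if len(q) > self.alarm_rate:
            return "alarm"
        return "allow"


def replay(packets, guard=None) -> dict:
    """Run (ts, src, flags) records through the guard and count the actions taken."""
    guard = guard or SynFloodGuard()
    counts = {"allow": 0, "alarm": 0, "drop": 0}
    for ts, src, flags in packets:
        counts[guard.observe(ts, src, flags)] += 1
    return counts


def sample_packets():
    """Constructed LAN traffic: 10.1.10.77 floods, 10.1.10.5 behaves normally."""
    flood = [(i / 1500, "10.1.10.77", "S") for i in range(1500)]   # 1500 SYNs in 1 s
    normal = [(i / 20, "10.1.10.5", "S") for i in range(20)]        # 20 SYNs in 1 s
    acks = [(i / 10, "10.1.10.5", "A") for i in range(10)]          # data packets, ignored
    return sorted(flood + normal + acks)


if __name__ == "__main__":
    print(replay(sample_packets()))
```

With the default thresholds the flooding host's first 100 SYNs are allowed, the next 900 raise an alarm and the remaining 500 are dropped, while the normal host is never touched; this is why the profile belongs on the LAN zone, where the flood enters, rather than on a WAN-facing ACL.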

Question#3

A network engineer is troubleshooting a user complaint regarding "slow application performance" for an internal web application. While viewing the Flow Browser in the Prisma SD-WAN portal, the engineer notices that the Server Response Time (SRT) is consistently high (over 500ms), while the Network Transfer Time (NTT) and Round Trip Time (RTT) are low (under 50ms).
What does this data indicate about the root cause of the issue?

A. The issue is likely caused by congestion on the WAN circuit, requiring a QoS policy adjustment.
B. The issue is likely on the application server itself (e.g., high CPU, slow database query), not the network.
C. The issue is caused by a high packet loss rate on the internet path.
D. The issue is due to a misconfigured DNS server at the branch.

Explanation:
Comprehensive and Detailed Explanation
The Flow Browser and the App Response Time metrics in Prisma SD-WAN are the tools for isolating the fault domain, that is, deciding whether a problem lies in the network or in the application.
Network Transfer Time (NTT) / Round Trip Time (RTT): These measure how long packets take to traverse the network (WAN and LAN) and how long acknowledgements take to return. Low values (under 50 ms here) confirm that the transport, both the SD-WAN overlay and the underlay circuits, is healthy and moving packets quickly.
Server Response Time (SRT): This measures the time between the server receiving a request and the server sending the first byte of its response. It is effectively the processing time of the backend server.
In the scenario described the network metrics are excellent, which rules out WAN congestion, latency and packet loss (options A and C), while SRT is consistently above 500 ms. This signature means the network delivered the request promptly but the application server took a long time to answer, so the troubleshooting effort belongs with the server infrastructure (a slow SQL query, an overloaded web server, insufficient compute) rather than the SD-WAN environment. A branch DNS problem (option D) would delay name resolution before the TCP flow exists; it cannot inflate the SRT of an established flow.
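As an added example (not from the page or from the Prisma SD-WAN product), the following Python applies the fault-isolation reasoning above to a batch of flow records for one application: it takes the per-metric median across flows, so that a single outlier does not drive the verdict, and returns the fault domain together with the evidence. The flow records and the thresholds are constructed for the example; in practice the thresholds should come from the application's own baseline.

```python
from statistics import median

# Assumed triage thresholds (milliseconds / percent); tune to each app's baseline.
SRT_HIGH_MS = 200
NET_HIGH_MS = 100
LOSS_HIGH_PCT = 1.0


def triage(flows):
    """Classify a list of flow records for one app.

    Each record needs srt_ms, ntt_ms, rtt_ms and loss_pct.
    Returns (fault_domain, evidence) where evidence holds the per-metric medians.
    """
    if not flows:
        raise ValueError("no flows to triage")
    ev = {k: median(f[k] for f in flows) for k in ("srt_ms", "ntt_ms", "rtt_ms", "loss_pct")}
    server_slow = ev["srt_ms"] > SRT_HIGH_MS
    network_slow = ev["ntt_ms"] > NET_HIGH_MS or ev["rtt_ms"] > NET_HIGH_MS
    if ev["loss_pct"] > LOSS_HIGH_PCT:
        return "network (packet loss)", ev
    if server_slow and not network_slow:
        return "server", ev          # request arrived fast, server answered slowly
    if network_slow and not server_slow:
        return "network", ev         # server answered fast, transport is slow
    if server_slow and network_slow:
        return "both", ev
    return "healthy", ev


# Constructed sample: the case in the question, high SRT with a healthy network.
SLOW_APP_FLOWS = [
    {"srt_ms": 520, "ntt_ms": 22, "rtt_ms": 31, "loss_pct": 0.0},
    {"srt_ms": 610, "ntt_ms": 25, "rtt_ms": 34, "loss_pct": 0.0},
    {"srt_ms": 545, "ntt_ms": 19, "rtt_ms": 29, "loss_pct": 0.1},
    {"srt_ms": 580, "ntt_ms": 41, "rtt_ms": 45, "loss_pct": 0.0},
    {"srt_ms": 505, "ntt_ms": 27, "rtt_ms": 33, "loss_pct": 0.0},
]

# Constructed sample: the opposite signature, a congested circuit.
CONGESTED_FLOWS = [
    {"srt_ms": 18, "ntt_ms": 310, "rtt_ms": 280, "loss_pct": 0.2},
    {"srt_ms": 22, "ntt_ms": 290, "rtt_ms": 260, "loss_pct": 0.4},
    {"srt_ms": 15, "ntt_ms": 350, "rtt_ms": 300, "loss_pct": 0.3},
]


if __name__ == "__main__":
    for name, flows in (("slow app", SLOW_APP_FLOWS), ("congested", CONGESTED_FLOWS)):
        print(name, triage(flows))
```

The same function run over flows exported from the Flow Browser for a complaint window gives a repeatable first answer to "is it us or the server" before anyone changes a QoS policy.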

Question#4

An administrator is configuring a High Availability (HA) pair of ION 3000 devices at a Data Center.
Which statement accurately describes the requirement for the HA Control Interface connection between the two devices?

A. The HA Control interface must be connected via a Layer 3 routed network to ensure reachability across different subnets.
B. The HA Control interface must be a direct physical connection or a Layer 2 adjacent connection on a dedicated VLAN, with no routing between them.
C. The HA Control connection is optional if both devices are managed by the same Cloud Controller.
D. The HA Control interface uses the management port and must be connected to the internet.

Explanation:
Comprehensive and Detailed Explanation
In a Prisma SD-WAN High Availability (HA) deployment, the HA Control Interface is the critical lifeline used to synchronize state, heartbeats, and flow information between the Active and Standby ION devices.
The strict requirement for this connection is that it must be Layer 2 adjacent.
Best Practice: A direct physical cable connection between the designated HA ports of the two devices (e.g., Port 2 on Device A to Port 2 on Device B).
Alternative: Connectivity through a switch on a dedicated, isolated VLAN is supported, provided the devices are in the same broadcast domain and subnet.
Layer 3 routing is not supported for the HA control link because the keepalive mechanism depends on a low-latency, same-broadcast-domain adjacency to detect failures within the sub-second failover target. If the link were routed (option A), path latency or router convergence could cause a split-brain condition in which both devices assume the Active role, producing duplicate IP addresses and traffic loops.
Option C is incorrect because the cloud controller is not in the failover path: the decision must be made locally between the two devices, and the pair has to keep working even when the controller is unreachable. Option D is incorrect because the HA link is a dedicated, private Layer 2 connection, not the management port and not an internet-facing one.

Question#5

When integrating Prisma SD-WAN with Prisma Access, what is the specific role of the Service Connection (SC)?

A. It connects the Prisma Access cloud infrastructure back to the customer's Headquarters or Data Center for access to internal private resources (e.g., AD, DNS, Intranet).
B. It is the IPSec tunnel that connects a Branch site to the Prisma Access gateway for internet access.
C. It is the SSL VPN portal used by mobile users to connect to the network.
D. It is the peering link between different Prisma Access regions to optimize global traffic.

Explanation:
Comprehensive and Detailed Explanation
In the Prisma Access architecture (integrated with SD-WAN), distinct connection types serve different purposes.
Remote Networks: These are the IPSec connections from your branch sites (the ION devices) into Prisma Access. They give branches access to the internet, to other branches and to mobile users through the cloud (this is what option B describes).
Service Connections (SC): This is a dedicated connection used to bridge the Prisma Access cloud to your private data center or headquarters.
The primary use case for a Service Connection (option A) is to let mobile users and branch users, who are connected to the Prisma Access cloud, reach private, centralized resources that still live on-premises, such as Active Directory domain controllers, internal DNS, legacy databases or mainframes. Without a Service Connection, users in the cloud can reach the internet and each other but not the servers physically located in the HQ data center. The Prisma Access CloudBlade automates creation of these tunnels from Prisma SD-WAN, but architecturally the Service Connection is the cloud-to-HQ bridge. Option C describes GlobalProtect mobile-user access and option D describes Prisma Access's own inter-region backbone; neither is a Service Connection.

Disclaimer

This page is for educational and exam preparation reference only. It is not affiliated with Palo Alto Networks or the official exam provider. Candidates should refer to official documentation and training for authoritative information.

Exam Code: SD-WAN-Engineer | Q&As: 57 | Updated: 2026-01-07
