SD-WAN-Engineer Online Practice Questions

Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN calculates the Mean Opinion Score (MOS) to provide a standardized metric (1-5) for voice quality. To ensure the system always knows the "voice readiness" of a path―even before a call starts―it uses Active Probes (synthetic UDP packets).
While latency is measured, the MOS calculation algorithm is most heavily penalized by Packet Loss (D) and Jitter (B).
Packet Loss: Even a small amount of loss (e.g., >1%) dramatically reduces voice clarity, causing dropouts.
Jitter: High variance in packet arrival time (jitter) causes the "robotic" voice effect and buffer underruns.
The system continuously measures these specific metrics on all WAN links using synthetic probes. If the packet loss or jitter exceeds the threshold defined in the "Path Quality Profile" (e.g., Voice Profile), the path is marked as non-compliant, and the MOS score drops, triggering a policy action to move the flow. Throughput (C) is less critical for voice as calls consume very little bandwidth (e.g., 64-100 Kbps), making congestion (loss/jitter) the primary enemy, not raw speed.

Explanation:
In the Prisma SD-WAN architecture, reachability between sites is managed by the Control Plane, which automatically advertises prefixes across the secure fabric based on their scope. If a branch site has successful Direct Internet Access (DIA) but is invisible to the Data Center (DC), it indicates that while the local ION is online, its internal network information has not been propagated to the rest of the SD-WAN fabric.
The most common cause for this behavior is that the LAN interfaces or static routes at the branch are configured with a Local scope rather than a Global scope. When a prefix is set to "Local," the ION device treats that network as reachable only within that specific site; it will not advertise that prefix to the Controller for distribution to other ION devices, such as those at the Data Center. By ensuring the LAN branch prefixes are set to "global" (Option B), the administrator instructs the ION device to share these routes with the global fabric.
Once the prefix is marked as global, the Prisma SD-WAN Controller identifies it as a reachable destination and updates the routing tables of all peer ION devices in the same domain, including the DC gateways. This allows the Data Center to build a valid path to the branch resources over the secure VPN tunnels.
Options like creating static routes (Option A) or changing site modes (Option C) do not address the fundamental requirement of prefix advertisement within the software-defined fabric, which relies on correctly defined metadata like route scope.

Explanation:
In the Prisma SD-WAN ecosystem, ION (Instant-On Network) devices are categorized based on their performance capabilities, throughput, and their specific role within the network architecture― namely, whether they function as a Branch device or a Data Center (DC) device.2 The "Branch Gateway" designation typically refers to high-capacity hardware or virtual instances designed to handle complex routing, massive throughput, and high-density connectivity requirements found in large branch offices or regional hubs.
The devices listed in option D represent the high-performance tier of the ION family. The ION 9200 and ION 5200 are flagship hardware appliances designed for large-scale deployments, offering multi-gigabit throughput and extensive port density.3 The ION 3200 serves as a robust mid-to-high range branch solution.4 The ION 7116V is a high-capacity virtual appliance (part of the 7000 series) designed to provide flexible, software-defined gateway capabilities in virtualized environments or public clouds (like AWS, Azure, or GCP).
Specifically, these models support advanced features such as Layer 3 hardware forwarding, integrated switching (in certain sub-models), and the processing power required to run deep packet inspection (DPI) for application-based path selection at scale. While smaller units like the 1200 series are excellent for small-to-medium branches, the 9200, 3200, 5200, and 7116V are the primary workhorses for organizations requiring "Gateway" class performance to manage heavy traffic loads and maintain high availability in a Prisma SD-WAN fabric.

Explanation:
Comprehensive and Detailed Explanation
The ION Device Data Plane (the software running locally on the hardware appliance at the branch) is the component responsible for the heavy lifting of traffic analysis.
Edge Processing: Prisma SD-WAN uses an "Application-Defined" architecture. The ION device performs Deep Packet Inspection (DPI) on the first few packets of a flow to identify the application (e.g., distinguishing "Skype Video" from "Skype Chat").
Metric Calculation: The ION device timestamping engine calculates the performance metrics (RTT, NTT, SRT) in real-time as packets pass through its interfaces. It aggregates this metadata.
Role of Controller (B): The Controller collects and visualizes this data (Analytics), but it does not generate it. The Controller does not sit in the data path of the user traffic. If the ION relied on the controller for App-ID, latency would be unacceptably high. Therefore, all detection and metric generation happens locally on the ION Device.

Explanation:
Comprehensive and Detailed Explanation
The transition from "Claimed" to "Online" depends entirely on the ION device's ability to establish a secure, persistent management tunnel to the Prisma SD-WAN Controller.
Connectivity Requirements: The ION device initiates an outbound connection to the controller on TCP Port 443 (HTTPS). It also requires accurate time synchronization to validate SSL certificates, necessitating access to NTP (UDP Port 123).
Scenario Analysis: Since the installer can browse the internet from the LAN, we know the physical link and basic routing/NAT are functional. The issue is specific to the management plane traffic.
Root Cause: If an upstream firewall (e.g., a corporate edge firewall or ISP filter) is inspecting SSL traffic or blocking specific FQDNs/Ports required by the ION, the device cannot complete the handshake. Consequently, it remains "Claimed" (registered in the database) but cannot go "Online" (active management session).
Options A, C, and D prevent provisioning (configuration push) but generally do not prevent the device from initially checking in and going "Online" if the pipe is open.