Pass4Future also provides interactive practice exam software for preparing for the Palo Alto Networks SD-WAN Engineer (SD-WAN-Engineer) exam effectively. You are welcome to explore the free sample Palo Alto Networks SD-WAN-Engineer exam questions below and also try the Palo Alto Networks SD-WAN-Engineer exam practice test software.
A network engineer is troubleshooting an ION device that is showing as "Offline" in the Prisma SD-WAN portal, despite the site reporting that local internet access is working. The engineer has console access to the device.
Which CLI command should be used to specifically validate the device's ability to resolve the controller's hostname and establish a secure connection to it over a specific interface?
Answer : B
Comprehensive and Detailed Explanation
The CLI command debug controller reachability <interface> (e.g., debug controller reachability 1) is the specific diagnostic tool designed to verify the entire connectivity chain required for management plane availability.
Unlike a simple ICMP ping (Option A), which only tests Layer 3 connectivity to an IP address, the debug controller reachability command performs a sequential set of tests:
DNS Resolution: It attempts to resolve the specific Locator service URL (locator.cgnx.net or region-specific FQDN) to verify DNS functionality.
TCP Connectivity: It tests the ability to establish a TCP connection to the controller on port 443 (HTTPS).
SSL/TLS Handshake: It validates that the device can successfully negotiate the secure tunnel required for authentication.
If this command fails at the DNS step, the likely cause is a missing or unreachable DNS server in the interface configuration. If it fails at the TCP step, an upstream firewall is most likely blocking outbound TCP/443 from that interface. If DNS and TCP succeed but the TLS handshake fails, look for an intercepting proxy on the path or a device clock far enough off to fall outside the certificate's validity window. This targeted output lets the engineer pinpoint exactly why the device is offline in the portal even though general internet access at the site works.
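The same three-stage sequence can be reproduced from any host with console or shell access, which is useful when you want to confirm what the ION's own diagnostic is reporting. The script below is an added example written for this page, not Prisma SD-WAN code: it resolves the hostname, opens TCP/443 (optionally bound to one source address, the way the `<interface>` argument pins the test to one link), then attempts a verified TLS handshake, and stops at the first failing stage. The hostname, the `source_ip` parameter and the stage names are assumptions for illustration; `demo_offline()` drives the logic with constructed stubs so it runs without a network.

```python
"""Staged controller-reachability check: DNS -> TCP/443 -> TLS handshake.

Added illustration of the three-step sequence the explanation attributes to
`debug controller reachability`; this is not Prisma SD-WAN code. The hostname
and the stage names are assumptions.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed example hostname (the page names locator.cgnx.net as the locator service).
DEFAULT_CONTROLLER = "locator.cgnx.net"


@dataclass
class ReachabilityResult:
    stage: str              # first failing stage: "dns", "tcp", "tls", or "ok"
    ok: bool
    detail: str
    address: Optional[str] = None


def _resolve(hostname: str) -> str:
    return socket.gethostbyname(hostname)


def _connect(ip: str, port: int, timeout: float, source_ip: Optional[str]):
    # source_ip pins the test to one interface, as the <interface> argument does.
    src = (source_ip, 0) if source_ip else None
    return socket.create_connection((ip, port), timeout=timeout, source_address=src)


def _handshake(sock, hostname: str) -> str:
    ctx = ssl.create_default_context()   # verifies the chain and the hostname
    with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
        return tls.version() or "unknown"


def check_controller_reachability(
    hostname: str = DEFAULT_CONTROLLER,
    port: int = 443,
    timeout: float = 5.0,
    source_ip: Optional[str] = None,
    resolve: Callable = _resolve,
    connect: Callable = _connect,
    handshake: Callable = _handshake,
) -> ReachabilityResult:
    """Stop at the first failing stage and report which one it was."""
    try:
        ip = resolve(hostname)
    except OSError as exc:                      # socket.gaierror is an OSError
        return ReachabilityResult("dns", False, f"DNS resolution failed: {exc}")
    try:
        sock = connect(ip, port, timeout, source_ip)
    except OSError as exc:
        return ReachabilityResult("tcp", False, f"TCP connect to {ip}:{port} failed: {exc}", ip)
    try:
        version = handshake(sock, hostname)
    except OSError as exc:                      # ssl.SSLError and SSLCertVerificationError
        return ReachabilityResult("tls", False, f"TLS handshake failed: {exc}", ip)
    finally:
        sock.close()
    return ReachabilityResult("ok", True, f"{version} session established", ip)


class _FakeSock:
    def close(self):
        pass


def demo_offline() -> dict:
    """Constructed stubs that fail at each stage, so the logic runs without a network."""
    def boom(msg):
        def _raise(*_args, **_kw):
            raise OSError(msg)
        return _raise
    ok_resolve = lambda h: "198.51.100.10"          # constructed (documentation range)
    ok_connect = lambda *a: _FakeSock()
    ok_tls = lambda s, h: "TLSv1.3"
    return {
        "dns": check_controller_reachability(resolve=boom("NXDOMAIN")),
        "tcp": check_controller_reachability(resolve=ok_resolve, connect=boom("Connection refused")),
        "tls": check_controller_reachability(resolve=ok_resolve, connect=ok_connect,
                                             handshake=boom("handshake failure")),
        "ok": check_controller_reachability(resolve=ok_resolve, connect=ok_connect, handshake=ok_tls),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # live check: host [source_ip]
        src = sys.argv[2] if len(sys.argv) > 2 else None
        res = check_controller_reachability(sys.argv[1], source_ip=src)
        print(f"{res.stage}: {res.detail}")
    else:
        for stage, res in demo_offline().items():
            print(f"{stage:4} -> {res.stage:4} ok={res.ok} {res.detail}")
```

Running it with a hostname and the IP of a specific uplink exercises the real path; with no arguments it prints the four simulated outcomes. Because the handshake uses the default verifying context, a TLS-stage failure with a certificate error is the signal to look for an intercepting proxy rather than a blocked port.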
An administrator has configured a Zone-Based Firewall (ZBFW) policy on a branch ION. They created a rule to "Allow" traffic from the "Guest" zone to the "Internet" zone. However, users in the "Guest" zone are reporting they cannot reach a specific public website, and the Flow Browser shows the flow state as "REJECT".
What is the most likely reason for this specific rejection, assuming the "Allow" rule is correctly placed at the top of the list?
Answer : C
Comprehensive and Detailed Explanation
In Prisma SD-WAN, security policies can be applied via Policy Stacks, which often have a hierarchy.
Stack Precedence: A common configuration uses a Global Security Stack (applied to all sites) and a Local/Site Security Stack (specific to one site). If a rule in the global stack says, for example, 'Deny access to gambling sites' (or to a specific IP list), and that stack is bound ahead of the site stack, it enforces the block before the local 'Allow Guest to Internet' rule is ever evaluated.
Specifics of 'REJECT': A REJECT state indicates an explicit policy action (the ION sends a TCP RST or an ICMP Unreachable), not a silent drop or a routing failure.
Why not A? If the 'Allow' rule is at the top of its stack and matches the traffic (zones, addresses), the default deny at the bottom is never reached. A REJECT for traffic that should match the Allow rule implies that a higher-priority Deny/Reject rule exists.
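The precedence described above is easier to see as a first-match evaluator run over two stacks in binding order. The following is an added example written for this page, not Prisma SD-WAN code: the rule fields, zone names, prefixes and stack names are constructed assumptions, and the global stack's reject rule is what turns a destination the site-level Allow rule would otherwise permit into a REJECT.

```python
"""First-match policy evaluation across a global and a site security stack.

Added example illustrating stack precedence; not Prisma SD-WAN code. The rule
fields, zone names and prefixes below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                          # "allow", "deny" (silent drop) or "reject" (RST / ICMP unreachable)
    dst_prefixes: Tuple[str, ...] = ()   # empty tuple matches any destination

    def matches(self, src_zone: str, dst_zone: str, dst_ip: str) -> bool:
        if (self.src_zone, self.dst_zone) != (src_zone, dst_zone):
            return False
        if not self.dst_prefixes:
            return True
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in ipaddress.ip_network(p) for p in self.dst_prefixes)


@dataclass(frozen=True)
class Decision:
    action: str
    stack: str           # which stack produced the verdict
    rule: Optional[str]  # None when the implicit default applied


Stack = Tuple[str, List[Rule]]


def evaluate(stacks: List[Stack], src_zone: str, dst_zone: str, dst_ip: str,
             default_action: str = "deny") -> Decision:
    """Stacks are walked in binding order; the first matching rule in any stack wins."""
    for stack_name, rules in stacks:
        for rule in rules:
            if rule.matches(src_zone, dst_zone, dst_ip):
                return Decision(rule.action, stack_name, rule.name)
    return Decision(default_action, "implicit-default", None)


# Constructed stacks: a global blocklist bound ahead of the site's own rules.
GLOBAL_STACK: Stack = ("global", [
    Rule("block-listed-sites", "Guest", "Internet", "reject", ("203.0.113.0/24",)),
])
SITE_STACK: Stack = ("branch-site", [
    Rule("guest-to-internet", "Guest", "Internet", "allow"),   # "top of the list" locally
])
BOUND_STACKS = [GLOBAL_STACK, SITE_STACK]


def demo() -> dict:
    return {
        "listed":  evaluate(BOUND_STACKS, "Guest", "Internet", "203.0.113.25"),
        "other":   evaluate(BOUND_STACKS, "Guest", "Internet", "198.51.100.7"),
        "nomatch": evaluate(BOUND_STACKS, "Guest", "LAN", "10.0.0.5"),
    }


if __name__ == "__main__":
    for label, d in demo().items():
        print(f"{label:8} {d.action:6} via {d.stack} rule={d.rule}")
```

The "listed" destination is rejected by the global stack even though the site stack's Allow rule is first in its own list; the "other" destination reaches the site stack and is allowed; a flow that no rule matches falls to the implicit default. When troubleshooting, the stack and rule names in the verdict are what you want from the Flow Browser, not just the final state.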
An administrator is configuring a High Availability (HA) pair of ION 3000 devices at a Data Center.
Which statement accurately describes the requirement for the HA Control Interface connection between the two devices?
Answer : B
Comprehensive and Detailed Explanation
In a Prisma SD-WAN High Availability (HA) deployment, the HA Control Interface is the critical lifeline used to synchronize state, heartbeats, and flow information between the Active and Standby ION devices.
The strict requirement for this connection is that it must be Layer 2 adjacent.
Best Practice: A direct physical cable connection between the designated HA ports of the two devices (e.g., Port 2 on Device A to Port 2 on Device B).
Alternative: Connectivity through a switch on a dedicated, isolated VLAN is supported, provided the devices are in the same broadcast domain and subnet.
Routing (Layer 3) is not supported for the HA Control link because the keepalive mechanism relies on low-latency, multicast/broadcast-level adjacency to detect failures instantly (sub-second failover). If the HA link were routed (Option A), network latency or router convergence issues could cause 'Split-Brain' scenarios where both devices assume the Active role, leading to IP conflicts and traffic loops. Option C is incorrect because the Controller is too slow to manage real-time failover; the decision must be local.
In the Prisma SD-WAN portal, an administrator is viewing the "Media" analytics for a branch site to troubleshoot complaints about poor voice quality.
When calculating the Mean Opinion Score (MOS) for voice traffic, which two metrics does the system prioritize active monitoring for, even when no user voice traffic is present on the link? (Choose two.)
Answer : B, D
Comprehensive and Detailed Explanation
Prisma SD-WAN calculates the Mean Opinion Score (MOS) to provide a standardized metric (1-5) for voice quality. To ensure the system always knows the 'voice readiness' of a path---even before a call starts---it uses Active Probes (synthetic UDP packets).
While latency is also measured, the MOS calculation is penalized most heavily by Packet Loss (D) and Jitter (B).
Packet Loss: Even a small amount of loss (e.g., >1%) dramatically reduces voice clarity, causing dropouts.
Jitter: High variance in packet arrival time (jitter) causes the 'robotic' voice effect and buffer underruns.
The system continuously measures these specific metrics on all WAN links using synthetic probes. If the packet loss or jitter exceeds the threshold defined in the 'Path Quality Profile' (e.g., Voice Profile), the path is marked as non-compliant, and the MOS score drops, triggering a policy action to move the flow. Throughput (C) is less critical for voice as calls consume very little bandwidth (e.g., 64-100 Kbps), making congestion (loss/jitter) the primary enemy, not raw speed.
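To make the loss/jitter sensitivity concrete, here is an added worked example that turns probe measurements into a MOS and checks them against profile thresholds. It is not the Prisma SD-WAN algorithm (the page does not give it); it uses the widely cited simplified ITU-T G.107 E-model (R-factor to MOS), and the jitter-buffer treatment, the profile thresholds and the three probe samples are constructed assumptions.

```python
"""Voice MOS from latency, jitter and loss using the simplified ITU-T G.107 E-model.

Added example, not the Prisma SD-WAN algorithm. Coefficients are the commonly
cited simplified E-model constants; the jitter-buffer assumption, the profile
thresholds and the probe samples are constructed for illustration.
"""
from dataclasses import dataclass


def r_factor(latency_ms: float, jitter_ms: float, loss_pct: float) -> float:
    # Effective one-way delay: network latency + jitter buffer (assumed 2x jitter) + 10 ms codec delay.
    d = latency_ms + 2.0 * jitter_ms + 10.0
    # Delay impairment Id: linear, plus an extra penalty once d exceeds 177.3 ms.
    id_ = 0.024 * d + (0.11 * (d - 177.3) if d > 177.3 else 0.0)
    # Loss impairment Ie-eff: roughly 2.5 R-points per percent of loss (G.711 without PLC).
    ie = 2.5 * loss_pct
    return 93.2 - id_ - ie


def mos_from_r(r: float) -> float:
    """Standard E-model R-to-MOS mapping, clamped to the 1.0..4.5 range."""
    if r < 0:
        return 1.0
    if r > 100:
        return 4.5
    return 1.0 + 0.035 * r + 7.0e-6 * r * (r - 60.0) * (100.0 - r)


def mos(latency_ms: float, jitter_ms: float, loss_pct: float) -> float:
    return round(mos_from_r(r_factor(latency_ms, jitter_ms, loss_pct)), 2)


@dataclass(frozen=True)
class PathQualityProfile:
    """Thresholds a path must stay within; values are constructed, not a vendor default."""
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def compliant(self, latency_ms: float, jitter_ms: float, loss_pct: float) -> bool:
        return (latency_ms <= self.max_latency_ms
                and jitter_ms <= self.max_jitter_ms
                and loss_pct <= self.max_loss_pct)


VOICE_PROFILE = PathQualityProfile("voice", max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)

# Constructed probe samples (latency ms, jitter ms, loss %) for three WAN paths.
PROBES = {
    "mpls":  (20.0, 2.0, 0.0),
    "inet1": (80.0, 40.0, 5.0),
    "inet2": (45.0, 8.0, 0.5),
}


def assess(probes=PROBES, profile=VOICE_PROFILE) -> dict:
    """Per-path MOS plus a compliance verdict against the profile thresholds."""
    return {path: {"mos": mos(*s), "compliant": profile.compliant(*s)}
            for path, s in probes.items()}


if __name__ == "__main__":
    for path, v in assess().items():
        print(f"{path:6} MOS={v['mos']:.2f} compliant={v['compliant']}")
```

With these samples the clean MPLS path scores about 4.39, while the internet path carrying 5% loss and 40 ms of jitter drops to about 3.89 and fails the profile; note that adding 3% loss to the MPLS sample costs more R-points than its entire delay impairment, which is why the probes prioritize loss and jitter over raw throughput.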
In a Data Center deployment, what is the key functional difference between configuring a BGP neighbor as a "Core Peer" versus an "Edge Peer"?
Answer : A
Comprehensive and Detailed Explanation
In the Prisma SD-WAN Data Center (DC) model, the terminology for BGP peers defines their role in the topology and how the system generates route maps.
Core Peer: This peer type is designated for the LAN-side connection (facing the DC Core Switch or internal Routers). Its primary purpose is to learn the subnets/prefixes hosted in the data center so the ION can advertise them to the remote branches. The system automatically creates route maps to facilitate this redistribution into the fabric.
Edge Peer: This peer type is designated for the WAN-side connection (facing the Edge Router or MPLS PE). Its primary purpose is to provide reachability to the underlay network.
Distinction: Selecting the correct type affects the default Route Maps and Prefix Lists generated by the controller. Configuring a Core Peer correctly ensures that the DC's internal subnets are properly learned and propagated to the overlay, whereas an Edge Peer configuration focuses on WAN next-hop reachability.