Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
SAP
ServiceNow
All Vendors
  1. Home
  2. Palo Alto Networks
  3. SD-WAN-Engineer

Palo Alto Networks SD-WAN Engineer SD-WAN-Engineer Exam Questions in PDF

Free Palo Alto Networks SD-WAN-Engineer Dumps Questions (page: 2)

SD-WAN-Engineer PDF — 86 Questions

What are two potential causes when a secondary public circuit has been added to the branch site, but the Prisma SD-WAN tunnel is not forming to the data center? (Choose two.)

  1. Interface role is not selected as "internet."
  2. Circuit label is missing from interface type.
  3. DNS is not configured.
  4. Interface scope is set to "local."

Answer(s): A,D

Explanation:

Comprehensive and Detailed Explanation

In Prisma SD-WAN (formerly CloudGenix), the establishment of Secure Fabric (VPN) tunnels is automated but relies heavily on the correct definition of the Network Context for each interface. If a tunnel fails to form on a newly added s2econdary circuit, it is typically due to a misconfiguration in how the interface is defined in the ION portal.

1. Interface Scope (Statement D):

The Scope setting on an interface determines its function in the network topology.

Global Scope: This defines the interface as a WAN-facing port. The ION device will only attempt to build VPN tunnels (overlay) on interfaces configured with Global scope.

Local Scope: This defines the interface as a LAN-facing port (for users, switches, or APs). If the administrator mistakenly sets the scope to "Local" for the new internet line, the ION treats it as a private LAN segment and will not initiate any tunnel negotiation or WAN signaling on that port.

2. Interface Role/Circuit Category (Statement A):

Prisma SD-WAN uses Circuit Categories (often referred to as Interface Roles in general networking terms, or specifically "Circuit Category" in the ION UI) to determine peering logic.

To form a tunnel over a public internet link to a Data Center, the circuit attached to the interface must be categorized as "Internet".

The controller uses this category to match compatible endpoints. It knows that a "Private WAN" (MPLS) link cannot directly tunnel to an "Internet" link without a gateway. If the new circuit is not correctly selected/categorized as "Internet" (e.g., left undefined or set to a different category), the system will not attempt to build the standard IPSec overlay to the Data Center's public IP address.



What is the number and structure of Prisma SD-WAN QoS queues supported per WAN interface?

  1. 12 queues
    4 classes1
    3 application criteria within each class
  2. 16 queues
    4 classes
    4 application criteria with each class
  3. 8 queues
    1 priority queue
    7 non-priority queues
  4. 8 queues
    2 classes
    4 application criteria within each class

Answer(s): B

Explanation:

Comprehensive and Detailed Explanation

The Prisma SD-WAN (ION) QoS engine utilizes a hierarchical queuing structure designed to provide granular control over application performance. Each WAN interface on an ION device supports a total of 16 QoS queues.

This 16-queue structure is derived from a matrix of 4 Classes (often referred to as Priority Classes) multiplied by 4 Application Criteria (Traffic Types).2

4 Priority Classes: The system defines four high-level business priority categories:3

Platinum (Highest priority)4

Gold

Silver

Bronze (Lowest priority/Best Effort)5

4 Application Criteria (Sub-queues): Within each of the four priority classes, the system further categorizes traffic into four specific application types to ensure proper handling (e.g., ensuring voice doesn't get stuck behind bulk data even within the same priority level):6

Real-Time Video

Real-Time Audio

Transactional

Bulk7

allows the scheduler to ensure that a "Platinum" voice call is prioritized over "Platinum" bulk data, and both are prioritized over "Gold" traffic.



By default, how many days will Prisma SD-WAN VPNs stay operational before the keys expire when an ION device loses connection with the controller?

  1. 1
  2. 3
  3. 5
  4. 7

Answer(s): B

Explanation:

Comprehensive and Detailed Explanation

The Prisma SD-WAN (CloudGenix) solution is designed with a separation of the control plane (Controller) and the data plane (ION devices).1 In the event that an ION device loses connectivity to the Cloud Controller (often referred to as running in "headless mode"), the device continues to forward traffic and maintain existing VPN tunnels using the keys it currently holds.2

However, for security purposes, the VPN session keys (shared secrets) used for the Secure Fabric have a finite validity period. The system is designed such that these keys are rotated regularly.3 If the controller is unreachable, the ION device can continue to rotate keys locally and maintain the VPNs for a maximum default period of 72 hours (exactly 3 days).4

If the connection to the controller is not restored within this 72-hour window, the keys will eventually expire, and the ION will be unable to retrieve new authorized key material from the controller.5 Consequently, the VPN tunnels will go down, and the "out of shared secret key" error will be observed in the VPN status logs. This mechanism ensures that a permanently compromised or stolen device cannot maintain network access indefinitely without central authorization.



A multinational company is deploying Prisma SD-WAN across North America, Europe, and Asi

  1. The data centers in the North America region have served all regions, but regional policies are now being enforced that mandate each of the regions to build their own data centers and branch sites to only connect to their respective regional data centers.
    How can this regionalization be achieved so that new or existing branch sites only build tunnels to the regional DC IONs?
  2. Create a new cluster for each regional DC ION and move the sites from the existing cluster to the new cluster.
  3. Disable the auto-tunnel feature globally on the Prisma SD-WAN portal and manually create all necessary tunnels exclusively between IONs within their designated regions.
  4. Remove the circuit labels and apply new circuit labels for in-region circuits only.
  5. Assign WAN interfaces to distinct Virtual Routing and Forwarding (VRF) instances for each region on the DC IONs, ensuring that branches only connect to the WAN interfaces/VRFs designated for their region.

Answer(s): A

Explanation:

Comprehensive and Detailed Explanation

To achieve strict regional isolation where branch sites only form VPN tunnels with Data Centers in their specific region (e.g., EU branches to EU DCs only), the correct architectural feature to utilize is VPN Clusters.

In Prisma SD-WAN (CloudGenix), a Cluster defines a logical security and topology boundary for the overlay network. By default, devices may be placed in a "Default" cluster where they attempt to form a mesh or hub-and-spoke topology with all other reachable devices in that context.

To enforce the new policy:

Logical Partitioning: The administrator should create separate VPN Clusters for each region (e.g., "Cluster-NA", "Cluster-EU", "Cluster-Asia").

Assignment: The Regional Data Center IONs and their corresponding Branch IONs must be moved into their respective clusters.

Result: The Prisma SD-WAN controller dictates that devices can only establish Secure Fabric (VPN) tunnels with other devices within the same cluster. This effectively segments the global network, ensuring that an Asian branch never attempts to build a tunnel to a North American DC, satisfying the compliance requirement without complex access lists or manual tunnel configuration.

Option B (Manual Tunnels) is administratively unscalable and negates the benefits of SD-WAN

automation.

Option C (Circuit Labels) is primarily for path selection and traffic steering, not for hard topology segmentation.

Option D (VRFs) is used for local Layer 3 segmentation (routing isolation) within a device, not for controlling WAN overlay tunnel formation scope.



What are two requirements for implementing user/group-based path policies? (Choose two.)

  1. Cloud Identity Engine
  2. Internal host detection
  3. Autonomous Digital Experience Manager (ADEM)
  4. Data center ION

Answer(s): A,D

Explanation:

Comprehensive and Detailed Explanation

To implement User/Group-based policies (Path, QoS, or Security) in Prisma SD-WAN, the system requires two specific components to resolve user identities and map them to IP addresses within the fabric.

Cloud Identity Engine (CIE): This is the primary requirement for identity management. The Cloud Identity Engine connects the Prisma SD-WAN controller to your directory service (e.g., Active Directory, Azure AD/Entra ID). It allows the system to retrieve and resolve User and Group attributes (e.g., "Marketing Group," "User: john.doe") so they can be selected in policy rules. Without CIE, the controller cannot interpret the group names or user identities defined in the policies.

Data Center ION: In the standard deployment model for User-ID, a Data Center (DC) ION is required to act as the bridge or collector for IP-to-User mappings. The DC ION connects to the User-ID Agent (running on a PAN-OS firewall or Windows Server) to learn the mapping of IP addresses to usernames. It then redistributes this information to the controller or other branch IONs so they can identify which user is associated with the traffic flows originating from a specific private IP address.



In which modes can a Prisma SD-WAN branch be deployed?

  1. Testing, Control, POV
  2. Production, Control, Disabled
  3. Disabled, Analytics, Control
  4. POV, Production, Analytics

Answer(s): C

Explanation:

Comprehensive and Detailed Explanation

Prisma SD-WAN (formerly CloudGenix) defines three distinct Operational Modes for a branch site, which determine how the ION device processes traffic and interacts with the network.

Analytics Mode (Monitor): In this mode, the ION device is typically deployed inline or in a "promiscuous" monitor state to gain visibility into network traffic without actively enforcing path selection policies.1 It "learns" applications, bandwidth usage, and network characteristics (auditing) but does not steer traffic or block flows.2 This is often used during Proof of Concepts (POVs) or the initial "burn-in" phase of a deployment to generate reports without risking network disruption.

Control Mode: This is the full production state. In Control Mode, the ION device actively enforces

Path Policies, QoS Policies, and Security Policies. It builds Secure Fabric VPN tunnels, steers traffic based on application SLAs (e.g., sending voice over MPLS and bulk data over Broadband), and handles failover events.3 This is the required mode for a fully functional SD-WAN site.

Disabled Mode: This mode effectively shuts down the site's SD-WAN functionality from the controller's perspective. It is an administrative state used when a site is being decommissioned, provisioned but not yet live, or isolated for troubleshooting. In this state, the device does not participate in the fabric.



Site templates are to be used for the large-scale deployment of 100 Prisma SD-WAN branch sites across different regions.

Which two statements align with the capabilities and best practices for Prisma SD-WAN site templates? (Choose two.)

  1. The use of Jinja conditional statements within a site template is not supported, thereby limiting dynamic customization options.
  2. Mandatory variables for any site template include the site name, ION software version, and at least one ION serial number /device name pair.
  3. Site templates offer the capability to pre-stage device configurations by creating a device shell.
  4. Once a site has been deployed using a template, its configuration can be updated or modified by applying an updated version of the template.

Answer(s): B,C

Explanation:

Comprehensive and Detailed Explanation

Site Templates (often referred to as Site Configuration Templates) are a critical tool for the Zero Touch Provisioning (ZTP) of large-scale deployments in Prisma SD-WAN.

1. Device Pre-staging (Statement C):

One of the primary capabilities of Site Templates is the creation of Device Shells. A device shell is a configuration container that exists in the controller before the physical hardware is installed or connected. By using a template, an administrator can pre-provision the entire configuration (interfaces, routing, subnets) for the "Site" and "Element" (Device).
When the physical ION device is later connected to the internet and claimed (associated with the shell via its Serial Number), it immediately inherits this pre-staged configuration, enabling a true "plug-and-play" deployment.

2. Mandatory Variables (Statement B):

To successfully instantiate a functional site from a generic template, specific unique identifiers are required in the variable data set (typically a CSV file).

Site Name: Identifies the location in the portal.

ION Software Version: Ensures the device boots to the specific validated code version required for the deployment, preventing inconsistencies.

ION Serial Number / Device Name: Required to bind the logical configuration (Shell) to the physical hardware. Even if the serial is added later during the claim process, the structure of the template and the deployment workflow mandates these variables to ensure the device can be uniquely identified and managed within the fabric.

Note on Option D: While it is technically possible to re-deploy a template, the Best Practice for "Day 2" operations (updating or modifying configuration after deployment) is to use Prisma SD-WAN Stacks (Network Stacks, Security Stacks, etc.). Stacks allow for granular, policy-based updates across multiple sites without the destructive or rigid nature of re-applying a full site initialization template.
Therefore, D is not the aligned best practice.



A network installer is at a remote branch site to deploy a new ION 3000 device. The device has been racked, cabled to the internet, and powered on. The installer has the "Claim Code" displayed on the email sent by the administrator.

When the administrator enters this Claim Code into the Prisma SD-WAN portal, what is the immediate status of the device before the configuration is fully pushed?

  1. Online
  2. Claimed
  3. Provisioned
  4. Active

Answer(s): B

Explanation:

Comprehensive and Detailed Explanation

In the Prisma SD-WAN (CloudGenix) Zero Touch Provisioning (ZTP) lifecycle, the device status transitions through specific stages that indicate its readiness and connectivity.

When an administrator enters the Claim Code (or Serial Number/Claim Code pair) into the portal, the device status immediately updates to "Claimed".

This status confirms that the portal has registered the device's unique identity and associated it with the customer's tenant. However, "Claimed" does not necessarily mean the device is fully operational or passing traffic yet. It simply signifies that the ownership is verified.

Once the physical device at the site successfully connects to the internet and reaches the Prisma SD- WAN Controller (using the call-home function), it will authenticate using its installed certificate. Upon successful authentication and the establishment of the secure control channel, the status will transition from "Claimed" to "Online".

Only after the device is "Online" can the controller push the specific site configuration (Device Shell), policies, and IP addressing required for the device to become "Provisioned" and eventually "Active" in the data path. If the device remains in the "Claimed" state for an extended period, it indicates that the hardware has not yet successfully contacted the controller, which prompts troubleshooting of the physical internet circuit or firewall rules upstream.



Viewing page 2 of 8

Share your comments for Palo Alto Networks SD-WAN-Engineer exam with other users:

J
Josh
7/10/2023 1:54:00 PM

please i need the mo-100 questions

Anonymous
V
VINNY
6/2/2023 11:59:00 AM

very good use full

Anonymous
A
Andy
12/6/2023 5:56:00 AM

very valid questions

Anonymous
M
Mamo
8/12/2023 7:46:00 AM

will these question help me to clear pl-300 exam?

UNITED STATES
M
Marial Manyang
7/26/2023 10:13:00 AM

please provide me with these dumps questions. thanks

Anonymous
A
Amel Mhamdi
12/16/2022 10:10:00 AM

in the pdf downloaded is write google cloud database engineer i think that it isnt the correct exam

FRANCE
A
Angel
8/30/2023 10:58:00 PM

i think you have the answers wrong regarding question: "what are three core principles of web content accessibility guidelines (wcag)? answer: robust, operable, understandable

UNITED STATES
S
SH
5/16/2023 1:43:00 PM

these questions are not valid , they dont come for the exam now

UNITED STATES
S
sudhagar
9/6/2023 3:02:00 PM

question looks valid

UNITED STATES
V
Van
11/24/2023 4:02:00 AM

good for practice

Anonymous
D
Divya
8/2/2023 6:54:00 AM

need more q&a to go ahead

Anonymous
R
Rakesh
10/6/2023 3:06:00 AM

question 59 - a newly-created role is not assigned to any user, nor granted to any other role. answer is b https://docs.snowflake.com/en/user-guide/security-access-control-overview

Anonymous
N
Nik
11/10/2023 4:57:00 AM

just passed my exam today. i saw all of these questions in my text today. so i can confirm this is a valid dump.

HONG KONG
D
Deep
6/12/2023 7:22:00 AM

needed dumps

INDIA
T
tumz
1/16/2024 10:30:00 AM

very helpful

UNITED STATES
N
NRI
8/27/2023 10:05:00 AM

will post once the exam is finished

UNITED STATES
K
kent
11/3/2023 10:45:00 AM

relevant questions

Anonymous
Q
Qasim
6/11/2022 9:43:00 AM

just clear exam on 10/06/2202 dumps is valid all questions are came same in dumps only 2 new questions total 46 questions 1 case study with 5 question no lab/simulation in my exam please check the answers best of luck

Anonymous
C
Cath
10/10/2023 10:09:00 AM

q.112 - correct answer is c - the event registry is a module that provides event definitions. answer a - not correct as it is the definition of event log

VIET NAM
S
Shiji
10/15/2023 1:31:00 PM

good and useful.

INDIA
A
Ade
6/25/2023 1:14:00 PM

good questions

Anonymous
P
Praveen P
11/8/2023 5:18:00 AM

good content

UNITED STATES
A
Anastasiia
12/28/2023 9:06:00 AM

totally not correct answers. 21. you have one gcp account running in your default region and zone and another account running in a non-default region and zone. you want to start a new compute engine instance in these two google cloud platform accounts using the command line interface. what should you do? correct: create two configurations using gcloud config configurations create [name]. run gcloud config configurations activate [name] to switch between accounts when running the commands to start the compute engine instances.

Anonymous
P
Priyanka
7/24/2023 2:26:00 AM

kindly upload the dumps

Anonymous
N
Nabeel
7/25/2023 4:11:00 PM

still learning

Anonymous
G
gure
7/26/2023 5:10:00 PM

excellent way to learn

UNITED STATES
C
ciken
8/24/2023 2:55:00 PM

help so much

Anonymous
B
Biswa
11/20/2023 9:28:00 AM

understand sql col.

Anonymous
S
Saint Pierre
10/24/2023 6:21:00 AM

i would give 5 stars to this website as i studied for az-800 exam from here. it has all the relevant material available for preparation. i got 890/1000 on the test.

Anonymous
R
Rose
7/24/2023 2:16:00 PM

this is nice.

Anonymous
A
anon
10/15/2023 12:21:00 PM

q55- the ridac workflow can be modified using flow designer, correct answer is d not a

UNITED STATES
N
NanoTek3
6/13/2022 10:44:00 PM

by far this is the most accurate exam dumps i have ever purchased. all questions are in the exam. i saw almost 90% of the questions word by word.

UNITED STATES
E
eriy
11/9/2023 5:12:00 AM

i cleared the az-104 exam by scoring 930/1000 on the exam. it was all possible due to this platform as it provides premium quality service. thank you!

UNITED STATES
M
Muhammad Rawish Siddiqui
12/8/2023 8:12:00 PM

question # 232: accessibility, privacy, and innovation are not data quality dimensions.

SAUDI ARABIA
AI Tutor 👋 I’m here to help!