매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
Palo Alto Networks SD-WAN Engineer 온라인 연습
최종 업데이트 시간: 2026년02월14일
당신은 온라인 연습 문제를 통해 Paloalto Networks SD-WAN-Engineer 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 SD-WAN-Engineer 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 52개의 시험 문제와 답을 포함하십시오.
정답:
Explanation:
Comprehensive and Detailed Explanation
Site Templates (often referred to as Site Configuration Templates) are a critical tool for the Zero Touch Provisioning (ZTP) of large-scale deployments in Prisma SD-WAN.
정답:
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN (formerly CloudGenix) defines three distinct Operational Modes for a branch site, which determine how the ION device processes traffic and interacts with the network.
Analytics Mode (Monitor): In this mode, the ION device is typically deployed inline or in a "promiscuous" monitor state to gain visibility into network traffic without actively enforcing path selection policies.1 It "learns" applications, bandwidth usage, and network characteristics (auditing) but does not steer traffic or block flows.2 This is often used during Proof of Concepts (POVs) or the initial "burn-in" phase of a deployment to generate reports without risking network disruption.
Control Mode: This is the full production state. In Control Mode, the ION device actively enforces
Path Policies, QoS Policies, and Security Policies. It builds Secure Fabric VPN tunnels, steers traffic based on application SLAs (e.g., sending voice over MPLS and bulk data over Broadband), and handles failover events.3 This is the required mode for a fully functional SD-WAN site.
Disabled Mode: This mode effectively shuts down the site's SD-WAN functionality from the controller's perspective. It is an administrative state used when a site is being decommissioned, provisioned but not yet live, or isolated for troubleshooting. In this state, the device does not participate in the fabric.
정답:
Explanation:
Comprehensive and Detailed Explanation
To implement User/Group-based policies (Path, QoS, or Security) in Prisma SD-WAN, the system requires two specific components to resolve user identities and map them to IP addresses within the fabric.
Cloud Identity Engine (CIE): This is the primary requirement for identity management. The Cloud Identity Engine connects the Prisma SD-WAN controller to your directory service (e.g., Active Directory, Azure AD/Entra ID). It allows the system to retrieve and resolve User and Group attributes (e.g., "Marketing Group," "User: john.doe") so they can be selected in policy rules. Without CIE, the controller cannot interpret the group names or user identities defined in the policies.
Data Center ION: In the standard deployment model for User-ID, a Data Center (DC) ION is required to act as the bridge or collector for IP-to-User mappings. The DC ION connects to the User-ID Agent (running on a PAN-OS firewall or Windows Server) to learn the mapping of IP addresses to usernames. It then redistributes this information to the controller or other branch IONs so they can identify which user is associated with the traffic flows originating from a specific private IP address.
정답:
Explanation:
Comprehensive and Detailed Explanation
To achieve strict regional isolation where branch sites only form VPN tunnels with Data Centers in their specific region (e.g., EU branches to EU DCs only), the correct architectural feature to utilize is VPN Clusters.
In Prisma SD-WAN (CloudGenix), a Cluster defines a logical security and topology boundary for the overlay network. By default, devices may be placed in a "Default" cluster where they attempt to form
a mesh or hub-and-spoke topology with all other reachable devices in that context. To enforce the new policy:
Logical Partitioning: The administrator should create separate VPN Clusters for each region (e.g., "Cluster-NA", "Cluster-EU", "Cluster-Asia").
Assignment: The Regional Data Center IONs and their corresponding Branch IONs must be moved into their respective clusters.
Result: The Prisma SD-WAN controller dictates that devices can only establish Secure Fabric (VPN) tunnels with other devices within the same cluster. This effectively segments the global network, ensuring that an Asian branch never attempts to build a tunnel to a North American DC, satisfying the compliance requirement without complex access lists or manual tunnel configuration.
Option B (Manual Tunnels) is administratively unscalable and negates the benefits of SD-WAN
automation.
Option C (Circuit Labels) is primarily for path selection and traffic steering, not for hard topology segmentation.
Option D (VRFs) is used for local Layer 3 segmentation (routing isolation) within a device, not for controlling WAN overlay tunnel formation scope.
정답:
Explanation:
Comprehensive and Detailed Explanation
The Prisma SD-WAN (CloudGenix) solution is designed with a separation of the control plane (Controller) and the data plane (ION devices).1 In the event that an ION device loses connectivity to the Cloud Controller (often referred to as running in "headless mode"), the device continues to forward traffic and maintain existing VPN tunnels using the keys it currently holds.2
However, for security purposes, the VPN session keys (shared secrets) used for the Secure Fabric have a finite validity period. The system is designed such that these keys are rotated regularly.3 If the controller is unreachable, the ION device can continue to rotate keys locally and maintain the VPNs for a maximum default period of 72 hours (exactly 3 days).4
If the connection to the controller is not restored within this 72-hour window, the keys will eventually expire, and the ION will be unable to retrieve new authorized key material from the controller.5 Consequently, the VPN tunnels will go down, and the "out of shared secret key" error will be observed in the VPN status logs. This mechanism ensures that a permanently compromised or stolen device cannot maintain network access indefinitely without central authorization.
정답:
Explanation:
Comprehensive and Detailed Explanation
The Prisma SD-WAN (ION) QoS engine utilizes a hierarchical queuing structure designed to provide granular control over application performance. Each WAN interface on an ION device supports a total of 16 QoS queues.
This 16-queue structure is derived from a matrix of 4 Classes (often referred to as Priority Classes) multiplied by 4 Application Criteria (Traffic Types).2
4 Priority Classes: The system defines four high-level business priority categories:3
Platinum (Highest priority)4
Gold
Silver
Bronze (Lowest priority/Best Effort)5
4 Application Criteria (Sub-queues): Within each of the four priority classes, the system further categorizes traffic into four specific application types to ensure proper handling (e.g., ensuring voice doesn't get stuck behind bulk data even within the same priority level):6
Real-Time Video
Real-Time Audio
Transactional
Bulk7
Calculation: 4 Priority Classes × 4 Application Types = 16 Total Queues per interface. This structure allows the scheduler to ensure that a "Platinum" voice call is prioritized over "Platinum" bulk data, and both are prioritized over "Gold" traffic.
정답:
Explanation:
Comprehensive and Detailed Explanation
In Prisma SD-WAN (formerly CloudGenix), the establishment of Secure Fabric (VPN) tunnels is automated but relies heavily on the correct definition of the Network Context for each interface. If a tunnel fails to form on a newly added s2econdary circuit, it is typically due to a misconfiguration in how the interface is defined in the ION portal.
정답:
Explanation:
Comprehensive and Detailed Explanation
When deploying Prisma Access for Remote Networks (connecting branch offices), the licensing and throughput model is based on aggregate bandwidth allocated to specific compute locations (regions).
Bandwidth Allocation (Option D): Administrators must purchase and allocate a specific amount of bandwidth (e.g., 500 Mbps, 1 Gbps) to a Prisma Access "Compute Location" (e.g., US West, Europe Central). This allocated bandwidth is then shared as a pool among all the branch sites (Remote Networks) that onboard and terminate their IPSec tunnels at that specific location. The system does not allocate bandwidth on a strict per-site basis but rather enforces the limit on the aggregate throughput of the compute node itself.
Policy Enforcement (Option A): Security policies for Prisma Access are enforced in the cloud (at the Prisma Access Service Processing Node), not pushed down to the branch ION devices for local enforcement. The ION device handles local segmentation (ZBFW) and traffic steering, but the "Remote Network" security stack resides in the cloud.
Path Usage (Option C): Prisma SD-WAN is designed to utilize Active/Active paths. When a branch has multiple internet circuits connected to Prisma Access, the CloudBlade and ION automatically build tunnels on all compatible paths and can load-balance traffic across them based on application performance (SLA), rather than defaulting to a strict Active/Standby model for internet traffic.
정답:
Explanation:
Comprehensive and Detailed Explanation
In a Prisma SD-WAN Data Center deployment, the operational state of the Secure Fabric VPNs (overlay tunnels) is directly tied to the health of the BGP Core Peer configuration.4
Core Peer Dependency: DC ION devices typically peer with the data center core switch (Core Router) via BGP to learn the subnets (prefixes) for the applications hosted in the DC. The Prisma SD-WAN controller monitors this BGP peering status.5
Controller Logic: If the BGP Core Peer on a DC ION goes down (or is not established), the controller automatically marks the VPN tunnels terminating at that specific ION as "Inactive".6 This is a fail-safe mechanism designed to prevent remote branches from sending traffic to a DC ION that has lost conne7ctivity to the internal data center network (and thus the applications).
Scenario Analysis: In this scenario, DC ION-1 has active VPNs, meaning its BGP Core Peer is UP and it is successfully advertising reachability. DC ION-2 has no active VPNs, which strongly indicates that its BGP Core Peer is down.8 Because the controller sees the peer is down, it suppresses the tunnel establishment or marks existing tunnels as inactive to ensure traffic is only directed to the healthy node (ION-1).
정답:
Explanation:
Comprehensive and Detailed Explanation
This scenario depicts a High Availability (HA) topology utilizing the ION 1200-S model's Fail-to-Wire (bypass) capabilities to share WAN links between two devices without needing external switches for every WAN connection.
정답:
Explanation:
Comprehensive and Detailed Explanation
According to the Prisma SD-WAN Performance Policy Default Behavior documentation, the default action configured for applications (including real-time media) when a path experiences poor performance (violates the SLA thresholds for latency, jitter, or packet loss) is to Move Flows.
The Prisma SD-WAN ION device continuously monitors the health of all available paths. If the active path for a media application degrades and fails to meet the specified SLA, the default policy dictates that the traffic should be steered (moved) to an alternate, compliant path that meets the performance criteria.
While Forward Error Correction (FEC) is a powerful feature available in Prisma SD-WAN to mitigate packet loss for real-time applications, it is an optional action that must be explicitly enabled or configured within the performance policy rules. It is not the default action in the base system configuration; the primary default mechanism for handling performance issues is to leverage the multi-path fabric to switch to a better link.
Reference: Prisma SD-WAN Administrator's Guide: Performance Policy Default Behavior
정답:
Explanation:
Comprehensive and Detailed Explanation
In Prisma SD-WAN (CloudGenix), Path Policies control how application traffic is steered across WAN links. To ensure that traffic is automatically shifted from a saturated circuit to another circuit with available bandwidth, both circuits must be configured as Active Paths within the policy rule.
When multiple paths are designated as "Active," the ION device treats them as a shared pool of available resources. The system continuously monitors the bandwidth utilization (capacity) and health (latency, jitter, loss) of all active links. If "Circuit A" (500 Mbps) becomes saturated or approaches its defined bandwidth limit, the ION's intelligent scheduler will automatically direct new application flows to "Circuit B" (100 Mbps) because it is a valid, healthy Active path with available capacity. This achieves effective load balancing and bandwidth aggregation.
In contrast, configuring "Circuit B" as a Backup Path (Option A or B) creates a strict priority relationship. Traffic would only move to the Backup path if the Active path completely failed or violated its configured SLA (Path Quality Profile) significantly enough to be considered "down." Mere bandwidth saturation might not trigger an SLA failure immediately, potentially leading to dropped packets on the saturated link while the backup link remains idle. Therefore, placing Both circuits under active path is the correct configuration for dynamic capacity management.
정답:
Explanation:
Comprehensive and Detailed Explanation
In Prisma SD-WAN (CloudGenix), Zone-Based Firewall (ZBFW) policies rely on the device's ability to map an IP address to a User-ID to enforce identity-based rules. The key to this question is understanding where the mapping exists and which direction the policy attributes (Source User vs. Destination User) apply to.
정답:
Explanation:
Comprehensive and Detailed Explanation
According to Palo Alto Networks Prisma SD-WAN administrator documentation regarding Path Policy configuration, specific rules apply when utilizing Standard VPNs (IPSec tunnels to non-ION devices, such as Prisma Access or third-party firewalls) as an L3 Failure Path.
When a Path Policy rule is configured, the administrator defines Active Paths, Backup Paths, and L3 Failure Paths. The L3 Failure Path is a "last resort" mechanism used when all Active and Backup paths are unavailable (Layer 3 down).
If Standard VPN is selected as the L3 Failure Path type, the system explicitly requires that the administrator also associates it with a specific Standard Services and DC Group within that same policy rule.
The ION device uses the Standard Services and DC Group to identify the specific remote endpoint (tunnel destination) where the traffic should be routed. Unlike a "Direct" (Internet) path which can simply route out to the WAN, a Standard VPN represents a logical tunnel. If the policy rule designates "Standard VPN" as the failure path but leaves the "Standard Services and DC Group" field empty or unselected, the ION effectively has a directive to "use a VPN" but lacks the instruction on which VPN group to use for this specific application context. Consequently, even if the IPSec tunnel to Prisma Access is physically up and stable, the policy engine cannot resolve the next hop for the "SuperSaaSApp" traffic, resulting in the packets being dropped. To resolve this, the administrator must edit the Path Policy rule to ensure the specific Standard Service/DC Group representing Prisma
Access is checked/selected for the L3 Failure Path.
정답:
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN (formerly CloudGenix) integrates with Palo Alto Networks IoT Security to provide comprehensive visibility into all devices at a branch, including those that are not directly connected to the ION device. While the ION automatically detects and classifies devices connected directly to its interfaces via traffic inspection (DPI), DHCP, and ARP analysis, gaining visibility into off-branch devices (devices connected to downstream switches or access points) requires additional discovery mechanisms that can query the network infrastructure or ingest its logs