
SD-WAN

Test title:
SD-WAN

Description:
Palo Alto SD-WAN exam

Creation date: 2026/01/31

Category: Film and TV

Number of questions: 72

Contents:

What are two potential causes when a secondary public circuit has been added to the branch site, but the Prisma SD-WAN tunnel is not forming to the data center? (Choose two). Interface role is not selected as “internet”. DNS is not configured. Circuit label is missing from interface type. Interface scope is set to “local”.

By default, how many days will Prisma SD-WAN VPNs stay operational before the keys expire when an ION device loses connection with the controller?. 1. 3. 5. 7.

An Autonomous Digital Experience Management (ADEM) test for Microsoft 365 has been configured at a branch site. The SD-WAN policy for Microsoft 365 at this branch is set to use a direct internet breakout on the ISP-1 circuit as the primary path or a Prisma Access tunnel as the backup path. How will the ION device at the branch execute the ADEM synthetic tests for this application?. Tests will only be sent through the active path currently handling the application’s live user traffic. Tests will only be sent direct-to-internet via the ISP-1 underlay circuit. Tests will be sent across all available WAN circuits, including any unused underlay and overlay paths. Tests will be sent simultaneously across the ISP-1 underlay circuit and the Prisma Access overlay tunnel.

A multinational company is deploying Prisma SD-WAN across North America, Europe and Asia. The data centers in the North America region have served all regions, but regional policies are now being enforced that mandate each of the regions to build their own data centers and branch sites to only connect to their respective regional data centers. How can this regionalization be achieved so that new or existing branch sites only build tunnels to the regional DC IONs?. Create a new cluster for each regional DC ION and move the site from the existing cluster to the new cluster. Remove the circuit labels and apply new circuit labels for in-region circuits only. Disable the auto-tunnel feature globally on the Prisma SD-WAN portal and manually create all necessary tunnels exclusively between IONs within their designated regions. Assign WAN interfaces to distinct Virtual Routing and Forwarding (VRF) instances for each region on the DC IONs, ensuring that branches only connect to the WAN interfaces / VRFs designated for the region.

In a branch high availability (HA) deployment, which action is taken by the standby device when the active device goes down?. It automatically detects the failure, assumes the active role, and sends gratuitous ARP to minimize downtime for forwarding traffic. It notifies the controller, which then reroutes all traffic for the branch through an alternate path until the active device recovers. It takes over, but all active sessions are immediately reset, requiring users to re-establish connections. It notifies the other device to go in a diagnostic mode and logs the failure, requiring the controller to intervene and select standby device as a new forwarder.

Which troubleshooting step should be taken when users at a branch site are experiencing a maximum throughput of 200 Mbps for Direct Internet Access (DIA) traffic on a 1 Gbps internet connection?. Ensure the WAN interface is set to 1 Gbps or auto mode. Ensure QoS policy is applied to the site. Ensure the circuit configuration at the site level is properly set. Ensure performance policy is applied to the site.

User-ID integration is configured for a Prisma SD-WAN deployment. Branch-1 has the user-to-IP mappings available, and User-1 is mapped to IP-1. To which two use cases can User-ID based zone-based firewall policies be applied? (Choose two). User-1 accessing a private application within Branch-1, and source User-ID based firewall rules on Branch-1, and source User-ID based zone-based firewall rules on Branch-2 ION. User-1 accessing a SaaS application on direct internet and source User-ID based zone-based firewall rules on Branch-1 ION. User-1 accessing a private application in Branch-2 via SD-WAN overlay, and destination User-ID based zone-based firewall rules on Branch-2 ION. User-1 accessing a private application in data center via SD-WAN overlay, and destination User-ID based zone-based firewall rules on DC ION.

For how many hours are Prisma SD-WAN VPN shared secrets valid?. 1. 8. 24. 72.

A branch manager reports slow network performance, and the network administrator wants to use Prisma SD-WAN Copilot to quickly identify if a specific user, by source IP address, is consuming excessive bandwidth as well as which applications are contributing to this consumption. How can Copilot assist in this investigation?. It will redirect the administrator to the WAN Clarity “Top N: Source IPs” report and the “Flow Browser” utility, suggesting correlation between these tools to determine a user’s specific application usage. It will automatically generate and email a “User Bandwidth Consumption” report for the specified branch, which the administrator can use to find the top user and the application details. It can identify the top applications being used across the entire branch and can be correlated with Flow Browser to attribute specific application usage or total bandwidth consumption to individual source IPs. It can directly process a natural language query such as “Show top bandwidth source IPs at SD-WAN Branch X over last 3 hours”, provide summarized views of the top-consuming source IPs, and view the primary applications they are using.

Which statement accurately describes how the Prisma SD-WAN zone-based firewall functions within a branch network?. Security zones enable granular control over both WAN-to-LAN and LAN-to-WAN as well as east-west (LAN-to-LAN) traffic flows within the branch. North-south traffic is handled by application-aware policies, while east-west traffic requires traditional Access Control Lists (ACLs). North-south traffic (internet / WAN agrees) is handled by zone-based firewall and relies on external firewalls for east-west segmentation. East-west traffic between the zones can be explicitly blocked, but traditional Access Control Lists (ACLs) are required to block north-south traffic.

Which component of Prisma SD-WAN is responsible for distributing User-IP and user-group mappings to branch devices that match the corresponding source IPs?. DC ION. Cloud Identity Engine. NGFW. Controller.

In which modes can a Prisma SD-WAN branch be deployed?. Testing, Control, POV. Production, Control, Disabled. Disabled, Analytics, Control. POV, Production, Analytics.

Which troubleshooting action should be taken when resources at one branch site can reach the internet but cannot be reached from the data center (DC)?. Set the site in a control mode. Create static route with DC ION as a next hop. Ensure the LAN branch prefixes are set to “global”. Admin up the Prisma SD-WAN DC endpoints.

A network administrator for an organization using Prisma SD-WAN needs to identify the top applications specifically associated with the primary data center site. Which WAN Clarity report approach will be most effective in this use case?. Utilization Quadrant report, focusing on the WAN circuits directly connected to the data center, to infer high application bandwidth from periods of high circuit use. Hotspots: Undefined Domains report, specifically filtered for the data center site, to identify high-bandwidth FQDNs that might represent applications hosted in the data center. Application Performance report, globally aggregated across all sites, to see which applications have the highest overall bandwidth usage, then correlate these with known data center services. Traffic Distribution: Top Applications report, when viewed in the context of the primary data center site, to list applications by their consumption directly related to that site’s traffic.

What is the default action for real-time media applications if link performance is poor?. Apply Forward Error Correction (FEC). Move flows. Drop the flow. Raise an alarm.

How can a network administrator detect a site outage or a service-level agreement (SLA) violation using controller-generated incidents?. Device logs, alerts, and incidents. Incidents, SNMP traps, and audits. Priority alerts, informational alerts, and audit logs. Incidents, alerts, statistics, and audit logs.

Which action meets the needs of an organization that requires elevated incident notifications for its headquarters location?. Enable SNMPv3 trap notifications to an external network management system. Export syslog to an external syslog collector and mark all messages as “Critical”. Enable an event policy rule for the site with the action to set priority to the highest available level. Implement performance policy specifically for the site with very aggressive service-level agreement (SLA) thresholds.

Return traffic for an application from the branch is being dropped on the branch ION. Application traffic arrives via SD-WAN internet overlay at the branch, and path policy for the application at the branch has the following settings: • Active = MPLS Overlay • Backup = Prisma Access on internet Which branch configuration is the probable cause of this behavior?. It has no MPLS circuit, and the Prisma Access tunnel is down. It has two internet circuits and no MPLS circuit. It has one MPLS and one internet circuit. It has Prisma Access tunnel over MPLS circuit but not on the internet circuit.

When deploying a branch gateway, secure fabric VPN tunnels are automatically established between which two site types? (Choose two). Branch to branch gateway (different domain). Branch gateway to branch gateway. Branch gateway to data center. Branch to branch gateway (same domain).

When an ION device has been claimed, the cloud-based controller generates and communicates with the device by which method?. Self-signed certificate. Customer installed (CIC). Existing customer public key infrastructure (PKI). Manufacturer Installed Certificate (MIC).

What are two requirements for implementing user / group based path policies? (Choose two). Data center ION. Internal host detection. Autonomous Digital Experience Manager (ADEM). Cloud Identity Engine.

What is the basis for calculating the minimum bandwidth subscription required for branch IONs?. Amount of traffic which will traverse the SD-WAN secure fabric. ISP circuit capacity at the branch location. Maximum traffic (ingress and egress) passing through the ION device. Maximum throughput supported by the ION hardware deployed at data center locations.

Which statement is valid when integrating Prisma SD-WAN with Prisma Access remote networks?. Security policies for remote networks are configured in Prisma Access and pushed to Prisma SD-WAN for enforcement on the branch ION devices. Easy onboarding automatically recommends the closest preconfigured remote network security processing nodes and can be overridden manually. Bandwidth must be allocated to each Prisma Access remote network compute location, and this bandwidth is shared between all branches that terminate on this remote network node. A branch with multiple internet circuits will automatically connect to Prisma Access on each circuit and will be used in an active/standby manner for internet-bound traffic.

Full discovery and classification of IoT devices by the IoT Security service is failing. Which Prisma SD-WAN ION device configuration will cause this behavior?. The Prisma SD-WAN ION devices lack properly configured or enabled Service Health Probes specifically targeting the IoT device subnets. Without these active probes, the system cannot gather critical real-time reachability and performance metrics essential for dynamic device profiling and classification. The Syslog export configuration on the ION devices to the Strata Logging Service has filters that are too restrictive, potentially excluding logs vital for IoT Security’s device identification and classification engine. This prevents comprehensive event data, including device discovery messages, from reaching the portal. The ION devices are missing DHCP Configuration. If ION devices are not explicitly configured as either a DHCP relay agent or a DHCP server, DHCP traffic logs will not be sent to the Strata Logging Service, resulting in incomplete device profiles for IoT Security. The ION devices are not configured to explicitly enable and export IPFIX flow records, especially those containing Layer 2 and Layer 7 context, to the Strata Logging Service for IoT Security. While ARP data is sent by default, comprehensive device classification relies on these detailed flow records, which are not being captured.

When identifying devices for IoT classification purposes, which two methods does Prisma SD-WAN use to discover devices that are not directly connected to the branch ION? (Choose two). SNMP. LLDP. Syslog. CDP.

Based on the HA topology image below, which two statements describe the end-state when power is removed from the ION 1200-S labeled “Active” assuming that the ION labeled “Standby” becomes the active ION? (Choose two). Both the connection to ISP A and the connection to LTE/5G will be usable. The connection to ISP A will be usable, but the connection to LTE/5G will not. The newly active ION will send a gratuitous ARP to the LAN for the IP address of any SVIs. The VRRP Virtual IP address assigned to any SVIs will be moved to the newly active ION.

An organization has provided the following technical requirements and details: • High availability (HA) at all data center and branch locations • Two geographically separate main data center locations • One small data center location that contains local users and applications requiring policies • 50 branch locations • ISP capacities for all branch locations but no accurate measurement of the actual bandwidth consumption Based on Palo Alto Networks best practices and recommendations, which two licensing options will meet the customer objective? (Choose two). Aggregate bandwidth subscription. Four data center subscriptions. Six data center subscriptions. Branch subscription per site.

1000 branches are to be deployed on Prisma SD-WAN with the following constraints: • Devices will be shipped in batches directly to the site • Configuration Management Database (CMDB) has all the necessary details for site deployment • Field tech will be responsible for rack, stack, and cabling of the IONs at each site • Field tech will need to spend minimum amount of time at each branch site to reduce the cost • The NOC operates in shifts and is responsible for remote cutover support Which method will achieve mass deployment in shortest possible time?. Connect the ION to the LAN switch to bring it online, configure the device using the legacy network, connect the ISP modem or cellular, and cutover the site once the ION is configured. Connect the device to the ISP modem or use cellular, use Prisma SD-WAN Software Development Kit (SDK) using API method for site deployment once the device is online, connect the LAN switch to the ION. Connect the device to the ISP modem or use cellular, use device shell to pre-create the configuration for a site, assign the device to template when device is online, and connect the LAN switch to the ION. Use site templates and device shells to pre-create the configuration using CSV bulk upload, connect the device to the ISP modem or using cellular, assign the device to the template when device is online, and connect the LAN switch to the ION.

A network engineer is able to ping and traceroute from SD-WAN branch IP 192.168.1.123 to servers in primary data center – DC1, but is unable to ping or traceroute to a server 10.22.22 in the newly configured secondary data center, DC2. The DC2 ION device is advertising the branch IP subnet 192.168.1.0/24 to the DC2 core via eBGP Core Peer. The DC2 data center site has site prefix 10.2.2.0/23 configured. Which configuration will resolve the issue in this scenario?. Add default 0.0.0.0/0 static route to the DC2 ION pointing to the DC2 next hop. Remove site prefix 10.2.2.0/23 from DC2 site configuration. Reconfigure eBGP Core Peer to iBGP Core Peer. Reconfigure eBGP Core Peer as Edge Peer type.

In a data center (DC) with two ION devices, all of the remote branch Prisma SD-WAN VPNs are active only on DC ION-1. Why are no VPNs active on DC ION-2?. The ION device is behind a NAT. The BGP core peer is down. The static route to core as a next hop is missing. The DC and branches are in a different domain.

A network administrator is troubleshooting a critical SaaS application, “SuperSaaSApp,” that is experiencing connectivity issues. Initially, the configured active and backup paths for the application were reported as completely down at Layer. The Prisma SD-WAN system attempted to route traffic for the application over an L3 failure path that was explicitly configured as a Standard VPN to Prisma Access. However, users are still reporting a complete outage for the application and monitoring tools show application flows being dropped when attempting to use the Standard VPN L3 failure path, even though the tunnel itself appears to be up. The administrator suspects a policy misconfiguration related to how the Standard VPN path interacts with destination groups. The path policy rule for “SuperSaaSApp” has the “Required” checkbox selected for its Service & DC Group, but no direct paths were configured alongside it, creating a conflict. The Standard VPN in the path policy was not configured to “Minimize Cellular Usage,” leading to the depletion of metered data and subsequent flow drops. The “Move Flows Forced” action was not enabled in the performance policy for “SuperSaaSApp,” preventing the system from actively shifting traffic to the L3 failure path. The path policy rule explicitly designates a Standard VPN as the L3 failure path, but it does not include a designated Standard Services and DC Group, causing traffic to be dropped.

Which implementation allows Prisma SD-WAN to improve application performance for organizations facing inconsistent user experiences across branch locations, especially due to varying device types and network conditions, by using Layer 4 and Layer 7 optimization to boost throughput?. WAN optimization. Forward Error Correction (FEC). Packet duplication. Application acceleration.

Site templates are to be used for the large-scale deployment of 100 Prisma SD-WAN branch sites across different regions. Which two statements align with the capabilities and best practices for Prisma SD-WAN site templates? (Choose two). Site templates offer the capability to pre-stage device configurations by creating a device shell. Mandatory variables for any site template include the site name, ION software version, and at least one ION serial number / device name pair. The use of Jinja conditional statements within a site template is not supported, thereby limiting dynamic customization options. Once a site has been deployed using a template, its configuration can be updated or modified by applying an updated version of the template.

What is the purpose of Secure Group Tag (SGT) propagation in Prisma SD-WAN?. To integrate with external identity-based security solutions. To manage QoS policies for traffic based on user and application type. To enable or disable SGT settings at the interface level and initiate services like NTP, DHCP, and App Probes. To clarify the intent of rules or configuration objects and improve rule organization.

There are periodic complaints about the poor performance of a real-time application. What can be inferred about the performance issue, based on the Network Transfer Time (NTT) and Server Response Time (SRT) image below?. The NTT value drops periodically due to network related issues. The NTT value increases periodically resulting in higher SRT. The SRT value increases periodically due to Application Server side issues. The SRT value drops periodically due to Application Server side issues.

The UI triggers incident DEVICESW_CONCURRENT_FLOWLIMIT-EXCEEDED for a branch site. Based on the image below, which tool can be used to identify the host?. Monitor > Activity > Flows. Monitor > Activity > New flows. Monitor > Activity > Transaction Stats. Run tcpdump under the LAN interface.

When configuring SASE connectivity with easy onboarding at a branch, which two options must be selected? (Choose two). Prisma Access IKE Profile. Prisma Access Primary Location. IPSec Termination Node. IPSec Crypto Profile.

Which IONs can support Branch Gateway?. 3102V, 3200, 1200S, 5200. 3104V, 1200S, 5200, 7108V. 1200, 3200, 9200, 7108V. 9200, 3200, 5200, 7116V.

What does Prisma SD-WAN use for monitoring and operations to deliver flow data and application visibility?. IP SLA. ADEM. IPFIX. SNMPv3.

Which metrics can be monitored at the individual Prisma SD-WAN ION device level to assess its health and operational performance?. Device VPN tunnels and controller reachability status. Device application flow statistics, Autonomous Digital Experience Manager (ADEM) metrics, and site health score. Device software version and interface bandwidth. Device CPU, memory and disk use, interface bandwidth, and errors / discards.

Which condition, when configured within a performance policy, is a trigger for generating an incident related to application performance or path degradation?. Violation of defined service-level agreement (SLA) thresholds for application performance or link quality. Exceeding the configured threshold for total concurrent flows on the ION device, resulting in a SYSTEM-CONCURRENT_FLOW_THRESHOLD_EXCEEDED incident. Physical WAN interface transitioning from an “up” to a “down” state, resulting in a NETWORK-ANYNETLINK-DOWN event. Loss of a BGP peering session on a data center ION device, leading to potential routing instability.

Where is route leaking configured between VRFs?. Site configuration. VRF definition. BGP peer. VRF profile.

Network segmentation is required due to overlapping IP address space and M&A scenarios. Which Prisma SD-WAN feature will achieve the desired segmentation and end-to-end connectivity in this use case?. Virtual Routing and Forwarding (VRF) profiles with proper site bindings to achieve desired isolation locally and across the secure fabric. Virtual Routing and Forwarding (VRF) profiles with proper site bindings to achieve desired isolation across the underlay. Multiple virtual routers with interface segmentation to achieve desired isolation across the secure fabric. Multiple contexts with interface segmentation to achieve desired isolation across the underlay.

A site has two internet circuits. Circuit A with 500 Mbps capacity and Circuit B with 100 Mbps capacity. Which path policy configuration will ensure traffic is automatically shifted from a saturated circuit to the circuit with available bandwidth?. Circuit B as an L3 failure path. Both circuits under active path. Circuit B as an active, Circuit A as a backup. Circuit A as an active, Circuit B as a backup.

BGP core peers on data center IONs are learning only a default route from the core router. Which action will protect the SD-WAN network from getting isolated in the event of BGP misconfiguration on the core routers?. Implement BGP route filtering using prefix lists and route maps on the ION devices to only accept specific, known prefixes from the core. Add a static default route with higher admin distance pointing to the core peer IPs. Enable BGP Bidirectional Forwarding Detection (BFD) on the core peer sessions to rapidly detect BGP neighbor failures. Configure BGP max-prefix limits on the ION devices to prevent them from accepting too many routes from the core routers.

A network design mandates segmentation at the routing level and traffic isolation across various services, such as teller cash registers, ATM traffic, guest WiFi, and corporate applications. Which command can be used to validate and display the Virtual Routing and Forwarding (VRF) route leak rules?. inspect flow_browser vrf all. dump vrf route_leak_rule all. show interface vrf route_leak_rule all. inspect vrf route_leak_rule all.

While designing a greenfield Prisma SD-WAN solution for a retailer, the risk management group requires segmentation of the retail network to avoid one large fault domain. The following data points are provided: • Two data centers and all sites need to access applications in both data centers • 1000 retail branches with stores concentrated in multiple metropolitan areas • Data Center 1 and Data Center 2 have a different set of applications that are not replicated • Maintaining application availability is the primary goal Which action will segment the retail network and reduce regional outages?. Implement a single, large data center cluster spanning both data centers to centralize management and optimize resource use. Create more than one data center cluster in each data center and assign sites to clusters so nearby retail locations can be spread on separate clusters. Create more than one data center cluster for a larger pool of resources and resiliency. Add more data center aggregation devices within the same cluster to enhance the scalability and resilience.

To aid in capacity planning and QoS policy adjustments, what should be reviewed to gain the necessary insight for data center applications traffic distribution, hotspots and overall utilization trends?. WAN Clarity Data Center Reports. Prisma SD-WAN Predictive Analytics Dashboard. WAN Clarity Branch Reports. Prisma SD-WAN Link Quality Dashboard.

What is the number and structure of Prisma SD-WAN QoS queues supported per WAN interface?. 12 queues 4 classes 3 applications criteria within each class. 16 queues 4 classes 4 applications criteria within each class. 8 queues 1 priority queue 7 non-priority queues. 8 queues 2 classes 4 applications criteria within each.

When troubleshooting an issue at a site that is running on two cellular links from two carriers, the operations team shared some evidence shown in the graph below: For the time duration shown in the graph, what are two inferences about the site’s traffic that can be made? (Choose two.). Using Carrier-1 as the WAN path may have experienced some performance degradation. Using Carrier-2 as the WAN path may have experienced some performance degradation. Using Carrier-2 as the WAN path may have switched over to Carrier-1. Using Carrier-1 as the WAN path may have switched over to Carrier-2.

A remote branch site is reporting intermittent connectivity to the Data Center. The administrator checks the System > Alarms page and sees a "VPN_DOWN" alarm for the tunnel to the DC. However, the internet circuit status is "Up". Which specific log file or diagnostic tool in the Prisma SD-WAN portal would provide the IKE (Internet Key Exchange) error codes (e.g., "NO_PROPOSAL_CHOSEN" or "AUTH_FAILED") to pinpoint the cause of the tunnel failure?. Flow Browser. Event Logs > System. Site Summary > Topology. Link Quality Graphs.

A network operator receives a critical SITE_CONNECTIVITY_DOWN alarm for a branch site in the Prisma SD-WAN portal. What specific condition triggers this alarm type?. The device has lost power and rebooted. One of the two internet circuits at the site has gone down. All Secure Fabric Links (VPNs) to all remote peers are down, isolating the site from the overlay. The site has exceeded its licensed bandwidth capacity.

Two branch sites, "Branch-A" and "Branch-B", are both behind active NAT devices (Source NAT) on their local internet circuits. What requirement must be met for these two branches to successfully establish a direct Dynamic VPN (ION-to-ION) tunnel over the internet?. One of the sites must have a Static Public IP (1:1 NAT) to act as the initiator. Both sites must disable NAT and use public IPs on the ION interface. The ION devices automatically use STUN (Session Traversal Utilities for NAT) to discover their public IPs and negotiate the connection. Dynamic VPNs are not supported if both sides are behind NAT.

When planning a software upgrade for a large fleet of ION devices, what is the recommended best practice regarding the "Software Version" assigned in the Site Summary?. Manually log into each device and upload the new image file via USB. Assign the new software version to the "Global" site configuration to upgrade all 1000+ sites simultaneously. Use Site Tags to group sites (e.g., "Pilot", "Region-1", "Region-2") and assign the new software version incrementally to these tags to minimize risk. The ION devices upgrade themselves automatically whenever a new version is released by Palo Alto Networks.

Which specialized hardware feature is available on the ION 9000 series but NOT on the ION 3000 series, making it suitable for high-throughput Data Center deployments?. Support for LTE/5G SIM cards. Fail-to-Wire Bypass Pairs. 10 Gigabit Ethernet (SFP+) ports. PoE+ (Power over Ethernet) output ports.

An administrator needs to generate a monthly report showing the "Top Applications" by bandwidth usage across all branch sites to justify a bandwidth upgrade. Which specific component of the Prisma SD-WAN interface is designed to create, schedule, and email these PDF summaries?. Activity Charts. Media Analytics. Reports. Flow Browser.

A network engineer is troubleshooting a user complaint regarding "slow application performance" for an internal web application. While viewing the Flow Browser in the Prisma SD-WAN portal, the engineer notices that the Server Response Time (SRT) is consistently high (over 500ms), while the Network Transfer Time (NTT) and Round Trip Time (RTT) are low (under 50ms). What does this data indicate about the root cause of the issue?. The issue is likely caused by congestion on the WAN circuit, requiring a QoS policy adjustment. The issue is likely on the application server itself (e.g., high CPU, slow database query), not the network. The issue is caused by a high packet loss rate on the internet path. The issue is due to a misconfigured DNS server at the branch.

A network installer is attempting to claim a new ION device using the "Claim Code" method. The device is connected to the internet, but the status in the portal remains stuck at "Claimed" and does not transition to "Online". The installer connects a laptop to the LAN port of the ION and can successfully browse the internet, confirming the uplink is active. What is the most likely cause of the device failing to reach the "Online" state?. The device has not yet downloaded the latest software image. The "Circuit Label" has not been applied to the WAN interface. The upstream firewall is blocking outbound TCP port 443 or UDP port 123 (NTP). The device is missing the "Site" assignment in the portal.

A network engineer is troubleshooting a "Voice Quality" issue. They suspect that the DSCP markings are being stripped or altered by the ISP. Which tool in the Prisma SD-WAN portal allows the engineer to capture live packets on the WAN interface and inspect the IP header ToS/DSCP field?. Flow Browser. Packet Capture (PCAP). Path Quality Monitor. Event Logs.

A network engineer is troubleshooting an ION device that is showing as "Offline" in the Prisma SD-WAN portal, despite the site reporting that local internet access is working. The engineer has console access to the device. Which CLI command should be used to specifically validate the device's ability to resolve the controller's hostname and establish a secure connection to it over a specific interface?. ping <controller-ip>. debug controller reachability <interface>. show system connectivity. dump vpn summary.

An administrator is configuring an ION 2000 device for a deployment where high availability is required, but the site has only a single internet circuit. The administrator configures a Bypass Pair (Fail-to-Wire) on ports 1 and 2 connecting the ISP modem to the legacy firewall. If the ION device loses power, what is the resulting behavior of the traffic flowing through this Bypass Pair?. Traffic is blocked to prevent uninspected packets from entering the network (Fail-to-Block). The internal relay closes, physically bridging Port 1 and Port 2, allowing traffic to flow transparently between the modem and firewall. The device reboots into "Safe Mode" and acts as a Layer 2 switch. Traffic is rerouted to the LTE modem automatically.

A network administrator is viewing the Flow Browser to investigate a report that a specific user cannot access an internal web server. The flow entry for this traffic shows the "Flow State" as "INIT" and it remains in that state until it times out. What does the "INIT" state indicate about the traffic flow? The TCP 3-way handshake was completed successfully, and data is being transferred. The ION device received the SYN packet from the client but never saw a SYN-ACK response from the server. The flow was denied by a Zone-Based Firewall policy on the ION. The traffic is being buffered while the ION waits for a dynamic VPN tunnel to establish.

An administrator is configuring a BGP peer on a Data Center ION to learn routes from the core switch. The goal is to have the ION learn these prefixes and then advertise them to all remote branch sites across the SD-WAN overlay. Which setting must be configured on the BGP Peer to ensure these learned routes are redistributed into the SD-WAN fabric? Set the "Admin Distance" to 20. Enable "Graceful Restart". Set the "Scope" to "Global". Configure a "Prefix List" to deny all.

Which configuration requirement must be met to allow two branch ION devices to automatically establish a direct Dynamic VPN (branch-to-branch) connection for traffic flow, bypassing the Data Center?. Both ION devices must be members of the same VPN Cluster. A static "Gre Tunnel" must be manually configured between the two sites. The Data Center ION must be offline to trigger the dynamic failover. The "Standard VPN" path policy must be selected.

When configuring a Path Policy rule for a "Real-Time Video" application, the administrator wants to ensure the traffic uses the path with the lowest packet loss. How does the Prisma SD-WAN ION determine the "Packet Loss" metric for a given path when there is no active user traffic flowing on that link? It sends Active Probes (synthetic UDP packets) across the Secure Fabric to measure path quality continuously. It relies solely on Passive Monitoring of TCP retransmissions from other user traffic on that link. It queries the ISP's router via SNMP to retrieve interface error counters. It defaults to a static value of 0% loss until user traffic begins.

During the Zero Touch Provisioning (ZTP) process of a new ION device at a branch site, which interface ports are supported by default to request an IP address via DHCP and reach the Prisma SD-WAN controller for claiming? Only the dedicated Controller port (if available). Any LAN or WAN port on the device. The dedicated Controller port, or Port 1 / Internet 1 if a dedicated port is absent. Only the USB port via a cellular modem.

An ION 3000 device at a remote branch has suffered a critical hardware failure and must be replaced via the RMA process. The administrator has received the replacement unit. What is the correct procedure to transfer the configuration and license from the defective unit to the replacement unit to ensure minimal downtime and retention of historical data? Delete the old device from the portal, create a new site for the replacement device, and rebuild the policies manually. Use the "Replace Device" workflow in the Prisma SD-WAN portal, which automatically transfers the configuration (Device Shell) and re-associates the site to the new serial number. Manually configure the new device from scratch, then open a support ticket to transfer the license. Back up the configuration of the old device to a USB drive and restore it to the new device using the local console.

An engineer at a managed services provider is updating an application that allows its customers to request firewall changes to also manage SD-WAN. The application will be able to make any approved changes directly to devices via API. What is a requirement for the application to create SD-WAN interfaces?. REST API's "sdwanInterfaceprofiles" parameter on a Panorama device. REST API's "sdwanInterfaces" parameter on a firewall device. XML API's "sdwanprofiles/interfaces" parameter on a Panorama device. XML API's "InterfaceProfiles/sdwan" parameter on a firewall device.

When defining a Path Quality Profile (SLA) for a "Transactional" application group (e.g., Citrix, Oracle), the administrator sets the "Packet Loss" threshold to 1%. What happens to the traffic for this application if all active paths currently exceed this 1% loss threshold? The traffic is dropped to prevent data corruption. The system selects the best available path (lowest loss) among the active paths, even if it violates the profile. The traffic is queued indefinitely until a path recovers. The system automatically enables a Backup path, even if the Active paths are technically "Up" but degraded.

In the Prisma SD-WAN portal, an administrator is viewing the "Media" analytics for a branch site to troubleshoot complaints about poor voice quality. When calculating the Mean Opinion Score (MOS) for voice traffic, which two metrics does the system prioritize active monitoring for, even when no user voice traffic is present on the link? (Choose two.) Latency (One-Way). Jitter. Throughput. Packet Loss.

What is the default behavior of the Zone-Based Firewall (ZBFW) for traffic originating from the ION device itself (e.g., DNS queries, NTP sync, or Controller connectivity) destined for the "Internet" zone? It is denied by the default "Deny All" rule unless explicitly allowed. It is allowed by the implicit "Self-Zone" allow rule. It is allowed only if the "Management" interface is used. It is inspected by the "Global" security stack but bypasses local rules.

What is the primary function of the "CloudBlade" platform in a Prisma SD-WAN deployment when integrating with third-party services or Prisma Access?. It acts as a physical line card on the ION device to provide additional 10Gbps interfaces. It is a containerized application running on the ION device that performs Deep Packet Inspection (DPI). It is a cloud-based API integration layer that automates the configuration of the ION devices and the remote service. It is a monitoring dashboard used exclusively for viewing flow records.
