SD-WAN-Engineer Palo Alto Networks SD-WAN Engineer Questions and Answers

Comprehensive and Detailed Explanation

The SITE_CONNECTIVITY_DOWN alarm is a high-severity alert indicating a total loss of overlay connectivity for a site.

It does not trigger if just one circuit fails (Option B), provided that other circuits are still up and maintaining VPNs. A single link failure would typically trigger a " Link Down " or " VPN Down " alarm, but the Site connectivity would remain " Up " (degraded).

It does not simply mean the device rebooted (Option A), although a reboot would cause it temporarily; the alarm specifically tracks the state of the VPN fabric.

The SITE_CONNECTIVITY_DOWN alarm specifically generates when all Secure Fabric Links (VPN tunnels) on the device are in the " Down " state. This means the branch is completely isolated from the rest of the SD-WAN network (Data Centers and other branches), even if the device itself might still be powered on and reachable via the controller (management plane). It signifies a " Blackout " of the data plane for that location.

In the Prisma SD-WAN (Instant-On Network) architecture, the " Secure Fabric " is a key feature that simplifies VPN orchestration through automation. When an ION device is deployed at a site and associated with a specific role, the Prisma SD-WAN Controller automatically manages the establishment of encrypted VPN tunnels without requiring manual IPsec configuration.

The most fundamental tunnel type is Branch gateway to data center (Option B). By default, the system follows a hub-and-spoke model where every branch ION device automatically attempts to build secure tunnels to all available Data Center clusters within its domain. This ensures that branch locations have immediate, redundant connectivity to centralized corporate resources and applications as soon as they are brought online.

Additionally, Prisma SD-WAN supports automated Branch gateway to branch gateway connectivity (Option C). Unlike traditional architectures that backhaul all traffic through a central hub, the Prisma SD-WAN fabric can dynamically establish " spoke-to-spoke " tunnels between branch gateways to facilitate direct communication. This is particularly useful for latency-sensitive applications like Voice over IP (VoIP) or video conferencing. While this can be configured as a " full mesh " where all sites build tunnels to all other sites, the controller intelligently manages these connections based on the defined site roles and domain configurations to optimize resource usage and performance. Options A and D are incorrect because the fabric orchestration logic is primarily focused on the functional roles of the gateways (Branch vs. Data Center) rather than " domains " in the context of tunnel initiation.

Comprehensive and Detailed Explanation

To achieve strict regional isolation where branch sites only form VPN tunnels with Data Centers in their specific region (e.g., EU branches to EU DCs only), the correct architectural feature to utilize is VPN Clusters .

In Prisma SD-WAN (CloudGenix), a Cluster defines a logical security and topology boundary for the overlay network. By default, devices may be placed in a " Default " cluster where they attempt to form a mesh or hub-and-spoke topology with all other reachable devices in that context.

To enforce the new policy:

Logical Partitioning: The administrator should create separate VPN Clusters for each region (e.g., " Cluster-NA " , " Cluster-EU " , " Cluster-Asia " ).

Assignment: The Regional Data Center IONs and their corresponding Branch IONs must be moved into their respective clusters.

Result: The Prisma SD-WAN controller dictates that devices can only establish Secure Fabric (VPN) tunnels with other devices within the same cluster . This effectively segments the global network, ensuring that an Asian branch never attempts to build a tunnel to a North American DC, satisfying the compliance requirement without complex access lists or manual tunnel configuration.

Option B (Manual Tunnels) is administratively unscalable and negates the benefits of SD-WAN automation.

Option C (Circuit Labels) is primarily for path selection and traffic steering, not for hard topology segmentation.

Option D (VRFs) is used for local Layer 3 segmentation (routing isolation) within a device, not for controlling WAN overlay tunnel formation scope.

Prisma SD-WAN is built on an application-defined fabric that prioritizes deep visibility into network traffic and application performance. 1 To deliver the high-fidelity flow data and application visibility required for modern operations, Prisma SD-WAN utilizes IPFIX (Internet Protocol Flow Information Export) . 2 IPFIX is a standardized protocol based on NetFlow v9 that allows for the export of IP flow information from network devices to a collector or management system. 3

In the Prisma SD-WAN architecture, ION devices act as the exporters. 4 Because the system is application-aware, it doesn ' t just export basic 5-tuple information (source/destination IP, ports, and protocol); it exports rich metadata including application IDs, performance metrics (latency, jitter, packet loss), and path information. This allows the Prisma SD-WAN Controller and the associated Analytics engine to reconstruct a complete picture of every flow in the network.

While other protocols like SNMPv3 are supported for basic device health monitoring (such as CPU or interface status) and ADEM (Autonomous Digital Experience Management) provides end-to-end visibility for mobile users or SASE-connected branches, IPFIX is the primary " engine " for flow-level data across the SD-WAN fabric. Unlike traditional IP SLA , which relies on synthetic probes, the IPFIX-based monitoring in Prisma SD-WAN uses real-time application traffic to assess performance. This ensures that the visibility provided in the Flow Browser and Analytics dashboards accurately reflects the actual user experience, enabling granular troubleshooting and proactive capacity planning.

Comprehensive and Detailed Explanation

The Flow Browser and App Response Time metrics in Prisma SD-WAN are critical tools for isolating the fault domain—determining whether a problem lies in the " Network " or the " Application. "

Network Transfer Time (NTT) / Round Trip Time (RTT): These metrics measure the time it takes for packets to traverse the network (WAN/LAN) and for acknowledgments to return. A low NTT (e.g., < 50ms) confirms that the network pipes (SD-WAN overlay, Underlay circuits) are healthy and transporting packets quickly.

Server Response Time (SRT): This metric specifically measures the time between the server receiving a request and the server sending the first byte of the response. It essentially measures the " processing time " of the backend server.

In the scenario described, the network metrics (NTT/RTT) are excellent, effectively ruling out WAN congestion, packet loss, or latency (Option A and C). However, the Server Response Time (SRT) is very high (500ms). This signature is a definitive indicator that the network delivered the request instantly, but the application server took a long time to process it . This points the troubleshooting effort toward the server infrastructure (e.g., a slow SQL query, an overloaded web server, or lack of compute resources) rather than the SD-WAN environment.

In the Prisma SD-WAN (Instant-On Network) management framework, administrators can customize how events are handled and prioritized across different sites through Event Policies . An organization that requires " elevated incident notifications " for a critical site like its headquarters needs a way to differentiate those alerts from standard branch notifications in the management portal and integrated third-party tools.

The most direct and effective method to achieve this is by configuring an Event Policy Rule specifically for the headquarters site. Within the incident policy framework, administrators can create rules that match specific resources—in this case, the headquarters site—and apply an action to set the priority . Priority levels typically range from P1 (highest) to P5 (lowest). 1 By setting these to the highest level (P1), any generated incident for that site will immediately stand out on the dashboard as a high-priority event.

This approach is superior to other options because it changes the inherent importance of the alert within the Prisma SD-WAN logic itself. For example, a " WAN Link Down " event at a small retail branch might be a P3, but the same event at the HQ could be elevated to a P1 via a custom policy rule. This elevation ensures that the Network Operations Center (NOC) is alerted more urgently and that external integrations, such as ServiceNow or PagerDuty, receive the correct priority mapping for immediate escalation. Options such as aggressive SLA thresholds (Option B) only increase the frequency of alerts, not necessarily their notification priority, while global syslog or SNMP settings (Options A and D) lack the site-specific granularity required for this use case.

Comprehensive and Detailed Explanation

In a Prisma SD-WAN High Availability (HA) deployment, the HA Control Interface is the critical lifeline used to synchronize state, heartbeats, and flow information between the Active and Standby ION devices.

The strict requirement for this connection is that it must be Layer 2 adjacent .

Best Practice: A direct physical cable connection between the designated HA ports of the two devices (e.g., Port 2 on Device A to Port 2 on Device B).

Alternative: Connectivity through a switch on a dedicated, isolated VLAN is supported, provided the devices are in the same broadcast domain and subnet.

Routing (Layer 3) is not supported for the HA Control link because the keepalive mechanism relies on low-latency, multicast/broadcast-level adjacency to detect failures instantly (sub-second failover). If the HA link were routed (Option A), network latency or router convergence issues could cause " Split-Brain " scenarios where both devices assume the Active role, leading to IP conflicts and traffic loops. Option C is incorrect because the Controller is too slow to manage real-time failover; the decision must be local.

Comprehensive and Detailed Explanation

The CLI command debug controller reachability < interface > (e.g., debug controller reachability 1) is the specific diagnostic tool designed to verify the entire connectivity chain required for management plane availability.

Unlike a simple ICMP ping (Option A), which only tests Layer 3 connectivity to an IP address, the debug controller reachability command performs a sequential set of tests:

DNS Resolution: It attempts to resolve the specific Locator service URL (locator.cgnx.net or region-specific FQDN) to verify DNS functionality.

TCP Connectivity: It tests the ability to establish a TCP connection to the controller on port 443 (HTTPS).

SSL/TLS Handshake: It validates that the device can successfully negotiate the secure tunnel required for authentication.

If this command fails at the DNS step, the issue is likely a missing DNS server in the interface config. If it fails at the TCP step, it implies an upstream firewall is blocking outbound port 443. This targeted output allows the engineer to pinpoint exactly why the device is offline in the portal.

Comprehensive and Detailed Explanation

In the Prisma Access architecture (integrated with SD-WAN), distinct connection types serve different purposes.

Remote Networks: These are the connections from your Branch sites (using ION devices) into the cloud. They allow branches to get to the internet or other branches.

Service Connections (SC): This is a specialized high-bandwidth connection used to bridge the Prisma Access Cloud to your Private Data Center or Headquarters.

The primary use case for a Service Connection (Option A) is to allow mobile users and branch users (who are connected to the Prisma cloud) to reach private, centralized resources that still reside on-premise, such as Active Directory controllers, legacy databases, or mainframes. Without a Service Connection, users in the cloud would be able to reach the internet and each other, but not the servers physically located in your HQ data center. The CloudBlade automates the creation of these tunnels, but architecturally, the " Service Connection " is the " cloud-to-HQ " bridge.

In a Prisma SD-WAN deployment, the formation of VPN tunnels between a branch ION device and a Data Center (DC) ION is governed by specific configuration parameters that define how an interface interacts with the WAN fabric. When a secondary public circuit is introduced, the system requires precise classification to initiate the negotiation of security associations.

The first critical factor is the Interface Role . For an ION device to attempt to build a global fabric tunnel over a public circuit, the interface must be explicitly assigned the " Internet " role. If the role is incorrectly set (e.g., as " LAN " or left unconfigured), the device will not treat that physical port as a viable path for the SD-WAN overlay, preventing the tunnel from initiating.

Secondly, the Circuit Label plays a vital role in the path selection and tunnel orchestration logic. Prisma SD-WAN uses labels to match local branch circuits with corresponding circuits at the data center or other branches. If a circuit label is missing or mismatched on the interface configuration, the Controller cannot properly orchestrate the " bind " between the branch and the hub. Without a valid label, the ION device doesn ' t know which path group the circuit belongs to, and consequently, the automated tunnel signaling process fails to complete.

While DNS is important for management connectivity to the Controller, it is generally not the primary blocker for site-to-site tunnel formation if the Controller reachability is already established via the primary circuit. Similarly, " Interface Scope " is more relevant to routing advertisement rather than the foundational establishment of the SD-WAN tunnel itself. Therefore, ensuring the Internet role and Circuit Label are correctly applied is the standard troubleshooting step for non-forming tunnels on new circuits.

In complex retail or banking environments, maintaining strict network segmentation is a regulatory and security requirement. Prisma SD-WAN utilizes Virtual Routing and Forwarding (VRF) to provide this isolation, ensuring that high-security traffic, such as ATM transactions or teller cash registers, remains logically separated from Guest Wi-Fi or general corporate applications. While isolation is the default state, route leaking is used to allow specific communication between these VRFs—for instance, allowing multiple isolated segments to reach a common shared service like a DNS server or a centralized security gateway.

To verify that these configurations have been correctly pushed from the Controller to the local ION device, administrators utilize the ION CLI (Command Line Interface) for deep-dive diagnostics. The command inspect vrf route_leak_rule all is the definitive tool for this purpose. Unlike " show " commands which typically provide interface status, " inspect " commands in the Prisma SD-WAN ecosystem are designed to pull real-time operational state data from the control plane ' s internal databases.

When executed, this command displays the specific prefix-level rules that allow routes to " leak " from one VRF table into another. It provides visibility into the source VRF, the destination VRF, and the exact network prefixes or default routes being shared. This is critical for troubleshooting " Day 2 " operations; if a teller register cannot reach a shared database, the administrator can use this command to confirm if the necessary route leak rule is active and accurately reflecting the intent of the VRF Profile configured in the portal. Without this command, verifying inter-VRF reachability would be limited to trial-and-error connectivity tests, making it an essential part of the Prisma SD-WAN engineer ' s toolkit.

The provided graph displays the Signal-to-Noise Ratio (SNR) for two cellular carriers, Carrier-1 (blue line) and Carrier-2 (green line), over a specific period. In cellular communications, SNR is a critical metric used to determine the quality of a wireless signal. A higher SNR indicates a cleaner, stronger signal, while a lower SNR indicates that the signal is being " drowned out " by background noise or interference, which directly correlates to performance degradation, packet loss, and lower throughput.

Looking at the graph, Carrier-1 experiences a significant and sustained drop in SNR, falling from roughly 4.5 dB to nearly 0.5 dB for the majority of the time duration. This drastic reduction in signal quality strongly suggests that Carrier-1 may have experienced performance degradation (Option A). During this dip, the link quality would likely fall below the configured thresholds for business-critical application traffic.

Because Prisma SD-WAN is an application-defined fabric that continuously monitors path health, the ION device would detect this degradation on Carrier-1. If Carrier-2 maintains a significantly higher and more stable SNR (as shown by the green line remaining between 4.5 dB and 6.5 dB), the ION device ' s Path Selection engine would automatically steer traffic away from the degraded link. Consequently, it is highly probable that Carrier-1 traffic switched over to Carrier-2 (Option D) to maintain the application SLA. This automated failover is a core strength of the Prisma SD-WAN architecture, ensuring that the best available path is utilized based on real-time link statistics rather than simple " up/down " states.

In the Prisma SD-WAN ecosystem, the centralized cloud controller provides a robust multi-layered visibility framework to ensure network reliability. To effectively detect critical events like site outages or application performance issues (SLA violations), the controller aggregates several types of operational data. Incidents are the primary mechanism for high-level alerting; they are automatically generated when the system detects significant state changes, such as an ION device going offline (site outage) or a path failing to meet the required performance metrics.

While Incidents provide the " what " and " where, " Alerts offer granular notifications for specific events that may not yet have escalated to a full-scale incident. To provide deep context, the controller also utilizes Statistics , which include real-time and historical telemetry regarding bandwidth, latency, jitter, and packet loss. These statistics allow administrators to visualize the specific SLA violation as it occurs. Furthermore, Audit logs are essential for tracking configuration changes or administrative actions that might have preceded an outage, helping engineers correlate human intervention with network behavior.

By combining these four elements—Incidents for major events, Alerts for specific notifications, Statistics for performance validation, and Audit logs for change tracking—a network administrator gains a 360-degree view of the fabric. This comprehensive approach moves beyond simple " up/down " monitoring, allowing for " Day 2 " operational excellence where performance degradation is identified and remediated before it impacts the end-user experience.

Prisma SD-WAN simplifies the integration with Prisma Access through a feature known as " CloudBlades, " specifically the Prisma Access for Networks CloudBlade. The " easy onboarding " workflow is designed to automate the complex task of establishing secure tunnels between Branch ION devices and the SASE security processing nodes (SPNs).

When an administrator initiates this process, the system abstracts the manual configuration of IKE and IPSec parameters. Instead of manually defining an IPSec Crypto Profile or an IKE Profile (which are automatically handled by the CloudBlade orchestration), the user must specify where the traffic is going and which physical resources will handle the connection. The Prisma Access Primary Location (Option B) is a mandatory selection because it determines the geographical region and specific compute instance within the Prisma Access cloud that will serve as the primary security gateway for that branch.

Furthermore, the IPSec Termination Node (Option D) must be selected to define the specific endpoint within the Prisma Access infrastructure where the ION device ' s tunnels will terminate. This selection ensures that the Controller can properly orchestrate the site-to-site VPN tunnels, ensuring that the branch traffic is correctly routed to the SASE fabric for security inspection. By selecting these two options, the CloudBlade can automatically negotiate the rest of the tunnel parameters, significantly reducing the potential for human error and accelerating the deployment of a Secure Access Service Edge (SASE) architecture across multiple branch locations.

In the Prisma SD-WAN (formerly CloudGenix) architecture, the security and authenticity of device-to-controller communication are paramount. When a new ION (Instant-On Network) device is powered on and connected to the internet, it initiates a secure " phone home " process to the Prisma SD-WAN Cloud Controller. To ensure that the controller is communicating with a genuine Palo Alto Networks hardware or software instance, the system utilizes a Manufacturer Installed Certificate (MIC) .

The MIC is a unique digital certificate burned into the hardware ' s Trusted Platform Module (TPM) or secure storage during the manufacturing process. This certificate acts as the device ' s foundational identity. When a customer " claims " a device in the Prisma SD-WAN portal using its serial number, the controller maps that serial number to the specific MIC associated with that unit.

Once the device is claimed and attempts to connect, a mutual TLS (mTLS) handshake occurs. The ION device presents its MIC to the controller to prove its identity, and the controller validates this against its records. This method eliminates the need for manual staging, pre-configuration, or the complexity of managing a Customer Installed Certificate (CIC) or a private Public Key Infrastructure (PKI) during the initial deployment phase. By leveraging the MIC, Prisma SD-WAN achieves true Zero Touch Provisioning (ZTP), ensuring that only authorized, authentic devices can join the fabric and receive configuration policies, thereby maintaining a secure and automated onboarding workflow.

Comprehensive and Detailed Explanation

The transition from " Claimed " to " Online " depends entirely on the ION device ' s ability to establish a secure, persistent management tunnel to the Prisma SD-WAN Controller.

Connectivity Requirements: The ION device initiates an outbound connection to the controller on TCP Port 443 (HTTPS) . It also requires accurate time synchronization to validate SSL certificates, necessitating access to NTP (UDP Port 123) .

Scenario Analysis: Since the installer can browse the internet from the LAN, we know the physical link and basic routing/NAT are functional. The issue is specific to the management plane traffic.

Root Cause: If an upstream firewall (e.g., a corporate edge firewall or ISP filter) is inspecting SSL traffic or blocking specific FQDNs/Ports required by the ION, the device cannot complete the handshake. Consequently, it remains " Claimed " (registered in the database) but cannot go " Online " (active management session). Options A, C, and D prevent provisioning (configuration push) but generally do not prevent the device from initially checking in and going " Online " if the pipe is open.

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizes Link Quality Monitoring (LQM) to maintain a real-time health score for every WAN path.

To ensure the system knows the quality of a path before sending critical user traffic onto it, the ION device uses Active Probing.

Mechanism: The ION sends synthetic probe packets (typically UDP) across the Secure Fabric (VPN tunnels) and Direct Internet paths to its peers. These probes measure Latency, Jitter, and Packet Loss .

Active vs. Passive: While the system does use Passive Monitoring (observing actual user flows) when traffic is present to reduce overhead, Active Probes are essential for idle links or backup paths. Without active probing, the ION would have no data to make an intelligent steering decision for the first packet of a new video call. This ensures that " Real-Time " policies always have up-to-date metrics to select the best path immediately.

In a Prisma SD-WAN deployment, the routing of traffic between branches and Data Centers (DCs) relies on the proper synchronization between the AppFabric (the overlay) and the local routing protocols (the underlay/LAN side). In this scenario, the branch can successfully reach DC1, indicating the branch ION is correctly participating in the fabric. However, traffic to DC2 (10.2.2.22) is failing.

The DC2 site has the site prefix 10.2.2.0/23 configured. In Prisma SD-WAN, defining a site prefix informs the Controller that this specific subnet " belongs " to that site, causing the Controller to advertise reachability for this prefix to all other ION devices in the fabric. Consequently, when the branch ION (192.168.1.123) attempts to reach 10.2.2.22, it correctly identifies DC2 as the destination and encapsulates the traffic toward the DC2 ION.

The bottleneck occurs once the packet arrives at the DC2 ION. While the ION is advertising the branch subnet (192.168.1.0/24) to the DC Core (ensuring the return path), the ION itself must know how to forward the incoming traffic from the branch to the internal DC network. If the DC2 ION does not have a specific route in its local routing table for the 10.2.2.0/23 subnet pointing to the DC Core ' s internal interface, the packet will be dropped.

According to Palo Alto Networks best practices for Data Center ION deployment, a static default route (0.0.0.0/0) should be configured on the ION device pointing toward the DC Core’s next-hop IP address. This ensures that any traffic received from the AppFabric destined for internal DC resources—which are not directly connected to the ION—is successfully handed off to the core switching fabric for final delivery. Adding this default route (Option A) resolves the reachability issue by providing the " last-hop " routing instruction within the DC.

The Prisma SD-WAN (ION) device includes a native, application-aware Zone-Based Firewall (ZBFW) that provides comprehensive security within the branch without the mandatory requirement for additional hardware. 2 The fundamental principle of this architecture is the grouping of interfaces and sub-interfaces into logical Security Zones . 3 Once these zones are defined (e.g., LAN, WAN, Guest, IoT), the administrator can create security policies that govern the traffic permitted to flow between them. 4

Unlike traditional routers that rely on stateless Access Control Lists (ACLs) which are difficult to manage and lack application visibility, the Prisma SD-WAN ZBFW is stateful and application-aware . 5 This means it can apply granular control over North-South traffic (flows moving between the LAN and the WAN/Internet) and East-West traffic (flows moving between different segments within the LAN, such as from a Guest zone to a Corporate zone). 6

By using security zones, an ION device can ensure that even if two local networks are connected to the same physical appliance, they remain completely isolated unless a specific policy explicitly allows communication. This " Zero Trust " approach at the branch edge allows organizations to segment vulnerable devices (like IoT) from critical internal resources and strictly control how users access the internet or the corporate data center. 7 The ZBFW works in tandem with the global controller to ensure that security postures are consistent across all branch locations, eliminating the complexity of manual ACL management at each site. 8

To ensure the stability and performance of the SD-WAN fabric, Prisma SD-WAN provides granular visibility into the health of each Instant-On Network (ION) appliance. While the solution is primarily application-defined, monitoring the underlying physical and system resources of the hardware or virtual instance is critical for proactive maintenance and troubleshooting.

At the individual device level, administrators can monitor system resource utilization , which includes CPU usage, memory (RAM) consumption, and disk space availability . 1 High CPU or memory usage can indicate that the device is reaching its throughput limits or that a specific process (such as deep packet inspection) is overtaxing the system. Disk utilization is monitored to ensure there is sufficient space for local logs and system operations.

Beyond internal system health, interface-level metrics are essential. This includes monitoring interface bandwidth utilization to identify bottlenecks on WAN or LAN ports. Crucially, operational performance is also assessed through error and discard counters on each interface. High error rates or frequent packet discards often signal physical layer issues (like bad cabling), duplex mismatches, or upstream provider congestion. While VPN status and application flows are vital for network-wide visibility, the core health of an ION device is defined by these foundational system and interface metrics.

Monitoring these specific parameters allows network engineers to distinguish between an application performance issue caused by network latency and one caused by a local hardware resource constraint.

In Prisma SD-WAN, application performance is monitored through distinct metrics that separate network health from application health. The provided graph displays Network Transfer Time (NTT) in blue and Server Response Time (SRT) in orange. NTT measures the round-trip time of packets traversing the WAN fabric, while SRT measures the time elapsed from when the server receives a request to when it sends the first response packet.

Analysis of the telemetry data shows that the NTT (blue line) remains consistently low and stable, generally staying below 100 milliseconds throughout the capture period. This indicates that the SD-WAN path and underlying network circuits are not the source of the latency. Conversely, the SRT (orange line) exhibits significant and erratic spikes, reaching as high as 450 to 475 milliseconds. These spikes occur while the network latency (NTT) remains flat.

Because the latency increases are isolated to the SRT metric, the root cause is confirmed to be on the Application Server side . This pattern typically suggests that the server is struggling with resource exhaustion, high CPU utilization, or database query delays during peak processing times. For a real-time application, these SRT spikes translate directly to jitter and " lag " for the end-user. By distinguishing between these two metrics, Prisma SD-WAN allows network administrators to prove that the network is performing within SLA and shift the troubleshooting focus to the application or server management teams, significantly reducing mean time to innocence (MTTI).

In Prisma SD-WAN, Performance Policies are the primary mechanism used to define the expected quality of experience for specific applications. Unlike traditional monitoring that relies solely on " up/down " interface states, Prisma SD-WAN focuses on the actual health of the application path. An incident is triggered when the system detects a violation of defined service-level agreement (SLA) thresholds , such as excessive latency, jitter, or packet loss, even if the physical link remains active.

When an administrator configures a performance policy, they set specific bounds for these metrics. For example, a VoIP application might have an SLA requiring latency below 150ms and packet loss below 1%. If the ION device detects that the current path (e.g., a broadband circuit) exceeds these limits, it generates a performance incident. This incident serves two purposes: first, it alerts the administrator to the degradation; second, it triggers the Path Selection engine to proactively steer the application traffic to a more suitable " Backup " or " Available " path that currently meets the SLA requirements.

Options B, C, and D represent system-level or network-level events that generate different types of alerts or incidents (System or Network incidents), but they are not the triggers defined within a Performance Policy . Performance policies are specifically concerned with the application ' s perceived performance across the fabric. By focusing on SLA violations rather than just physical link status, Prisma SD-WAN ensures that business-critical applications remain functional even during " brownout " conditions where a circuit is technically " up " but performing poorly.