SD-WAN-Engineer Palo Alto Networks SD-WAN Engineer Questions and Answers

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizes a sophisticated decision engine forApplication-Based Path Selectionthat goes beyond simple failover. When configuring a Path Policy, the administrator defines "Active" paths and a "Path Quality Profile" (SLA).

SLA Compliance (The Filter):First, the system filters the available paths based on the Path Quality Profile. In this scenario, both ISP-A and ISP-B have 40ms latency against a 150ms threshold. Both are "green" or compliant paths.

Selection Criteria (The Tie-Breaker):When multiple paths are configured as "Active" and all meet the performance SLA, the ION device aims to optimize the overall user experience and network utilization. The default behavior for load balancing across healthy, compliant active paths is to select the path with thehighest available bandwidth capacity.

By steering new flows to the link with the most "headroom" (available Mbps), the system prevents the saturation of a smaller link (e.g., a 20Mbps DSL line) while a larger link (e.g., 1Gbps Fiber) sits underutilized. This maximizes the aggregate throughput for the site. While latency is thequalifier, bandwidth availability is often theselectorfor compliant paths. Note that if the application was defined as "Real-Time" and configured for packet duplication, behavior would differ, but for standard traffic, capacity-based distribution is the standard active/active logic.

Comprehensive and Detailed Explanation

TheAppX (Application Experience)score is a proprietary metric used by Prisma SD-WAN to provide a holistic view of user experience, rather than just network statistics. It is calculated based on three key components:

Transaction Failure Rate (A):The percentage of application transactions that failed (e.g., TCP resets, HTTP 500 errors). This indicates availability.

Network Transfer Time (B):The time taken for packets to traverse the network (WAN/LAN latency). This indicates network health.

Server Response Time (C):The time taken by the application server to respond to a request. This indicates backend performance.

Why not D or E?

Bandwidth Utilization (D)is a capacity metric, not a direct measure ofquality. A link can be 90% full but still deliver packets quickly (good AppX), or 10% full but dropping packets (bad AppX).

Jitter (E)is a network-layer metric primarily relevant for UDP Real-Time media. While important, the high-level "AppX" score for general TCP apps focuses on the "Time-to-Glass" metrics (NTT/SRT) and success rates.

Comprehensive and Detailed Explanation

Prisma SD-WAN calculates the Mean Opinion Score (MOS) to provide a standardized metric (1-5) for voice quality. To ensure the system always knows the "voice readiness" of a path—even before a call starts—it uses Active Probes (synthetic UDP packets).

While latency is measured, the MOS calculation algorithm is most heavily penalized by Packet Loss (D) and Jitter (B).

Packet Loss:Even a small amount of loss (e.g., >1%) dramatically reduces voice clarity, causing dropouts.

Jitter: High variance in packet arrival time (jitter) causes the "robotic" voice effect and buffer underruns.

The system continuously measures these specific metrics on all WAN links using synthetic probes. If the packet loss or jitter exceeds the threshold defined in the "Path Quality Profile" (e.g., Voice Profile), the path is marked as non-compliant, and the MOS score drops, triggering a policy action to move the flow. Throughput (C) is less critical for voice as calls consume very little bandwidth (e.g., 64-100 Kbps), making congestion (loss/jitter) the primary enemy, not raw speed.

Comprehensive and Detailed Explanation

To validate specific packet-level details likeDSCP (Differentiated Services Code Point)values, header checksums, or exact payload sizes, aPacket Capture (PCAP)is required.

PCAP Tool:Prisma SD-WAN provides a built-in PCAP utility accessible directly from the portal. The engineer can select the specificInterface(e.g., Internet 1), apply aFilter(e.g., port 5060 or host 1.2.3.4), and capture the traffic.

Analysis:The resulting .pcap file can be downloaded and opened in Wireshark. This allows the engineer to definitively see if the packets leaving the ION have DSCP EF (46) and if the packets arriving (if capturing on the other side) still retain that marking, or if the ISP has bleached it to CS0 (0).

Flow Browser (A):While it shows "Application" and metrics, the Flow Browser typically displays theassignedpriority class, not necessarily the raw bit-level DSCP value present in the packet header on the wire.

Comprehensive and Detailed Explanation

TheFlow BrowserandApp Response Timemetrics in Prisma SD-WAN are critical tools for isolating the fault domain—determining whether a problem lies in the "Network" or the "Application."

Network Transfer Time (NTT) / Round Trip Time (RTT):These metrics measure the time it takes for packets to traverse the network (WAN/LAN) and for acknowledgments to return. A low NTT (e.g., <50ms) confirms that the network pipes (SD-WAN overlay, Underlay circuits) are healthy and transporting packets quickly.

Server Response Time (SRT):This metric specifically measures the time between the server receiving a request and the server sending the first byte of the response. It essentially measures the "processing time" of the backend server.

In the scenario described, the network metrics (NTT/RTT) are excellent, effectively ruling out WAN congestion, packet loss, or latency (Option A and C). However, theServer Response Time (SRT)is very high (500ms). This signature is a definitive indicator that the network delivered the request instantly, but theapplication server took a long time to process it. This points the troubleshooting effort toward the server infrastructure (e.g., a slow SQL query, an overloaded web server, or lack of compute resources) rather than the SD-WAN environment.

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizesSTUN (Session Traversal Utilities for NAT)to facilitateNAT Traversalfor its Secure Fabric overlay.

Discovery:When an ION device connects to the internet behind a NAT router, it reaches out to the Prisma SD-WAN Controller. The controller acts as a STUN server, identifying thepublicIP address andportthat the ION's traffic is originating from.

Symmetric NAT Challenge:In Symmetric NAT, the mapping changes for every destination. However, the Prisma SD-WAN architecture is designed to handle this by having the controller coordinate the connection attempt.

Hole Punching:The controller shares the discovered public mapping information between two peer ION devices. They then simultaneously initiate traffic to each other's public IP/Port (a technique called "UDP Hole Punching"). This tricks the intermediate NAT devices into allowing the inbound traffic, establishing a direct P2P IPSec tunnel without requiring manual port forwarding or static IPs at the edge.

Comprehensive and Detailed Explanation

Prisma SD-WAN supports Dynamic VPNs (Branch-to-Branch) even when both endpoints are behind Source NAT (e.g., typical broadband connections).

To achieve this, the ION devices utilize standard NAT Traversal techniques, specifically leveraging STUN (Session Traversal Utilities for NAT).

Discovery:Each ION communicates with the Cloud Controller (which acts as a STUN server/signaling broker). Through this communication, the controller observes thepublicIP and Port that the ION's traffic is coming from (the post-NAT address).

Signaling:The controller shares this public reachability information with the peer ION.

Hole Punching:The IONs then attempt to initiate connections to each other's discovered public IP/Port. This "UDP Hole Punching" allows them to establish a direct IPSec tunnel through the NAT devices without requiring static 1:1 NAT mapping or manual port forwarding on the provider routers, enabling mesh connectivity in commodity internet environments.

Comprehensive and Detailed Explanation

In a Prisma SD-WAN Data Center deployment, the operational state of theSecure Fabric VPNs(overlay tunnels) is directly tied to the health of theBGP Core Peerconfiguration.4

Core Peer Dependency:DC ION devices typically peer with the data center core switch (Core Router) via BGP to learn the subnets (prefixes) for the applications hosted in the DC. The Prisma SD-WAN controller monitors this BGP peering status.5

Controller Logic:If theBGP Core Peeron a DC ION goes down (or is not established), the controller automatically marks the VPN tunnels terminating at that specific ION as"Inactive".6This is a fail-safe mechanism designed to prevent remote branches from sending traffic to a DC ION that has lost conne7ctivity to the internal data center network (and thus the applications).

Scenario Analysis:In this scenario, DC ION-1 has active VPNs, meaning its BGP Core Peer is UP and it is successfully advertising reachability. DC ION-2 hasnoactive VPNs, which strongly indicates that itsBGP Core Peer is down.8Because the controller sees the peer is down, it suppresses the tunnel establishment or marks existing tunnels as inactive to ensure traffic is only directed to the healthy node (ION-1).

Comprehensive and Detailed Explanation

In the Prisma SD-WAN architecture, the terminology distinguishes between "Native" automation and "Legacy" interoperability.

Secure Fabric Links:These are the proprietary, automated overlay tunnels created between twoPrisma SD-WAN ION devices(e.g., Branch ION to Data Center ION). The controller automatically manages the IP addressing, key rotation, and routing for these links. You do not manually configure "Phase 1" or "Phase 2" parameters for Secure Fabric links.

Standard VPNs:These are traditional, standards-based IPSec tunnels configured to connect an ION device to aNon-ION endpoint(Third-Party Peer). This is used for "Data Center to Data Center" connections where one side is a legacy firewall (e.g., Cisco ASA, Palo Alto Networks NGFW) or for connecting to cloud security services (SSE) that do not have a specific CloudBlade integration. For a Standard VPN, the administrator must manually define the IKE/IPSec profiles, pre-shared keys, and peer IP addresses to match the third-party device's configuration.

Comprehensive and Detailed Explanation

TheBypass Pairfeature on Prisma SD-WAN ION devices (specifically supported models like ION 2000, 3000, 7000, 9000) is a hardware-based resiliency mechanism known asFail-to-Wire.

Operation:A "Bypass Pair" logically groups two physical interfaces (e.g., WAN 1 and LAN 1). Under normal operation, the ION processes traffic between them.

Power Loss:In the event of a total power loss (or critical software failure), a mechanical relay inside the devicephysicallycloses the circuit between the two ports.

Result:This creates a direct electrical connection (like a patch cable) between the upstream device (ISP Modem) and the downstream device (Legacy Firewall or Router). This ensures that internet connectivity is preserved for the site, even if the SD-WAN appliance is completely dead. This is critical for single-point-of-failure deployments where maintaining basic dial-tone is more important than SD-WAN optimization during a hardware outage.

Comprehensive and Detailed Explanation

This scenario depicts a High Availability (HA) topology utilizing theION 1200-Smodel'sFail-to-Wire (bypass)capabilities to share WAN links between two devices without needing external switches for every WAN connection.

1. WAN Link Availability (Statement A):

The diagram illustrates a "daisy-chain" cabling method supported by the ION 1200-S bypass pairs.

ISP A (Green):Connects directly to the "Standby" (Left) unit first. Since the Standby unit remains powered on, it maintains direct access to ISP A.

LTE/5G (Blue):Connects to the "Active" (Right) unit first. The connection then loops through a bypass pair on the Active unit to the Standby unit. When power is removed from the "Active" unit, thefail-to-wire relayson its Ethernet ports close physically. This creates a passive electrical bridge that connects the LTE modem directly to the Standby unit. The Standby unit (now becoming Active) will detect the link state change and successfully utilize the LTE connection. Therefore, both WAN links remain usable.

2. LAN Failover Mechanism (Statement C):

Prisma SD-WAN ION devices typically use a VRRP-like mechanism for LAN redundancy.

When the "Active" node fails (loses power), the "Standby" node stops receiving keepalives and promotes itself to the Active state.

To ensure downstream switches and clients immediately send traffic to the new Active unit, it must update their ARP tables. It does this by broadcasting aGratuitous ARP (GARP)packet for the Virtual IP (VIP) address of the Switch Virtual Interfaces (SVIs). This action informs the network that the MAC address associated with the Gateway I1P is now reachable via the port connected to the new Active ION.234

Comprehensive and Detailed Explanation

The CLI command debug controller reachability (e.g., debug controller reachability 1) is the specific diagnostic tool designed to verify the entire connectivity chain required for management plane availability.

Unlike a simple ICMP ping (Option A), which only tests Layer 3 connectivity to an IP address, the debug controller reachability command performs a sequential set of tests:

DNS Resolution:It attempts to resolve the specificLocatorservice URL (locator.cgnx.net or region-specific FQDN) to verify DNS functionality.

TCP Connectivity:It tests the ability to establish a TCP connection to the controller on port 443 (HTTPS).

SSL/TLS Handshake: It validates that the device can successfully negotiate the secure tunnel required for authentication.

If this command fails at the DNS step, the issue is likely a missing DNS server in the interface config. If it fails at the TCP step, it implies an upstream firewall is blocking outbound port 443. This targeted output allows the engineer to pinpoint exactly why the device is offline in the portal.