A network administrator is troubleshooting a critical SaaS application, “SuperSaaSApp”, that is experiencing connectivity issues. Initially, the configured active and backup paths for the application were reported as completely down at Layer 3. The Prisma SD-WAN system attempted to route traffic for the application over an L3 failure path that was explicitly configured as a Standard VPN to Prisma Access.
However, users are still reporting a complete outage for the application and monitoring tools show application flows being dropped when attempting to use the Standard VPN L3 failure path, even though the tunnel itself appears to be up. The administrator suspects a policy misconfiguration related to how the Standard VPN path interacts with destination groups.
What is the most likely reason for flows being dropped when attempting to use the Standard VPN L3 failure path?
AThe “Move Flows Forced” action was not enabled in the performance policy for “SuperSaaSApp”, preventing the system from actively shifting traffic to the L3 failure path.
BThe path policy rule for “SuperSaaSApp” has the “Required” checkbox selected for its Service & DC Group, but no direct paths were configured alongside it, creating a conflict.
CThe path policy rule explicitly designates a Standard VPN as the L3 failure path, but it does not include a designated Standard Services and DC Group, causing traffic to be dropped.
DThe Standard VPN in the path policy was not configured to “Minimize Cellular Usage”, leading to the depletion of metered data and subsequent flow drops.
0
Question 2
Planning and Design
0
Question 3
Unified SASE
0
Question 4
Deployment and Configuration
0
Question 5
Deployment and Configuration
0
That's the end of the Preview
This exam has 49 community-verified practice questions. Create a free account to access all questions, comments, and explanations.
Topics covered:
Planning and DesignDeployment and ConfigurationOperations and MonitoringUnified SASETroubleshooting
User-ID integration is configured for a Prisma SD-WAN deployment. Branch- 1 has the user-to-IP mappings available, and User-1 is mapped to IP-1.
To which two use cases can User-ID based zone-based firewall policies be applied? (Choose two.)
AUser-1 accessing a SaaS application on direct internet and source User-ID based zone-based firewall rules on Branch-1 ION
BUser-1 accessing a private application within Branch-1, and source User-ID based zone-based firewall rules on Branch-1 ION
CUser-1 accessing a private application in data center via SD-WAN overlay, and destination User-ID based zone-base firewall rules DC ION
DUser-1 accessing a private application in Branch-2 via SD-WAN overlay, and destination User-ID based zone-based firewall rules on Branch-2 ION
What is the purpose of Secure Group Tag (SGT) propagation in Prisma SD-WAN?
ATo integrate with external identity-based security solutions
BTo manage QoS policies for traffic based on user and application type
CTo clarify the intent of rules or configuration objects and improve rule organization
DTo enable or disable SGT settings at the interface level and initiate services like NTP, DHCP, and App Probes
A site has two internet circuits: Circuit A with 500 Mbps capacity and Circuit B with 100 Mbps capacity.
Which path policy configuration will ensure traffic is automatically shifted from a saturated circuit to the circuit with available bandwidth?
ACircuit A as an active, Circuit B as a backup
BCircuit B as an active, Circuit A as a backup
CBoth circuits under active path
DCircuit B as an L3 failure path
Site templates are to be used for the large-scale deployment of 100 Prisma SD-WAN branch sites across different regions.
Which two statements align with the capabilities and best practices for Prisma SD-WAN site templates? (Choose two.)
AThe use of Jinja conditional statements within a site template is not supported, thereby limiting dynamic customization options.
BMandatory variables for any site template include the site name, ION software version, and at least one ION serial number /device name pair.
CSite templates offer the capability to pre-stage device configurations by creating a device shell.
DOnce a site has been deployed using a template, its configuration can be updated or modified by applying an updated version of the template.
Question 6
Planning and Design
0
Question 7
Planning and Design
Question 8
Operations and Monitoring
Question 9
Deployment and Configuration
Question 10
Deployment and Configuration
Question 11
Unified SASE
Question 12
Troubleshooting
Question 13
Troubleshooting
Question 14
Operations and Monitoring
Question 15
Troubleshooting
Question 16
Planning and Design
Question 17
Planning and Design
Question 18
Operations and Monitoring
Question 19
Operations and Monitoring
Question 20
Planning and Design
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ad
Want a break from the ads?
Become a Supporter and enjoy a completely ad-free experience, plus unlock Learn Mode, Exam Mode, AstroTutor AI, and more.
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Ask AstroTutor
0
Network segmentation is required due to overlapping IP address space and M&A scenarios.
Which Prisma SD-WAN feature will achieve the desired segmentation and end-to-end connectivity in this use case?
AVirtual Routing and Forwarding (VRF) profiles with proper site bindings to achieve desired isolation across the underlay
BVirtual Routing and Forwarding (VRF) profiles with proper site bindings to achieve desired isolation locally and across the secure fabric
CMultiple contexts with interface segmentation to achieve desired isolation across the underlay
DMultiple virtual routers with interface segmentation to achieve desired isolation across the secure fabric
Which implementation allows Prisma SD-WAN to improve application performance for organizations facing inconsistent user experiences across branch locations, especially due to varying device types and network conditions, by using Layer 4 and Layer 7 optimization to boost throughput?
APacket duplication
BWAN optimization
CForward Error Correction (FEC)
DApplication acceleration
Which metrics can be monitored at the individual Prisma SD-WAN ION device level to assess its health and operational performance?
ADevice software version and interface bandwidth
BDevice CPU, memory and disk use, interface bandwidth, and errors/discards
CDevice VPN tunnels and controller reachability status
DDevice application flow statistics, Autonomous Digital Experience Manager (ADEM) metrics, and site health score
In which modes can a Prisma SD-WAN branch be deployed?
ATesting, Control, POV
BProduction, Control, Disabled
CDisabled, Analytics, Control
DPOV, Production, Analytics
For how many hours are Prisma SD-WAN VPN shared secrets valid?
A1
B8
C24
D72
Which component of Prisma SD-WAN is responsible for distributing User-IP and user-group mappings to branch devices that match the corresponding source IPs?
ADC ION
BCloud Identity Engine
CController
DNGFW
Which troubleshooting action should be taken when resources at one branch site can reach the internet but cannot be reached from the data center (DC)?
ACreate static route with DC ION as a next hop.
BEnsure the LAN branch prefixes are set to “global.”
CSet the site in a control mode.
DAdmin up the Prisma SD-WAN DC endpoints.
When troubleshooting an issue at a site that is running on two cellular links from two carriers, the operations team shared some evidence shown in the graph below:
For the time duration shown in the graph, what are two inferencesout the site’s traffic that can be made? (Choose two.)
AUsing Carrier-1 as the WAN path may have experienced some performance degradation.
BUsing Carrier-2 as the WAN path may have experienced some performance degradation.
CUsing Carrier-2 as the WAN path may have switched over to Carrier-1.
DUsing Carrier-1 as the WAN path may have switched over to Carrier-2.
By default, how many days will Prisma SD-WAN VPNs stay operational before the keys expire when an ION device loses connection with the controller?
A1
B3
C5
D7
Return traffic for an application from the branch is being dropped on the branch ION. Application traffic arrives via SD-WAN internet overlay at the branch, and path policy for the application at the branch has the following settings:
Active = MPLS Overlay -
Backup = Prisma Access on internet
Which branch configuration is the probable cause of this behavior?
AIt has Prisma Access tunnel over MPLS circuit but not on the internet circuit.
BIt has one MPLS and one internet circuit.
CIt has two internet circuits and no MPLS circuit.
DIt has no MPLS circuit, and the Prisma Access tunnel is down.
What is the number and structure of Prisma SD-WAN QoS queues supported per WAN interface?
A12 queues4 classes3 application criteria within each class
B16 queues4 classes4 application criteria with each class
C8 queues1 priority queue7 non-priority queues
D8 queues2 classes4 application criteria within each class
To aid in capacity planning and QoS policy adjustments, what should be reviewed to gain the necessary insights for data center application traffic distribution, hotspots, and overall utilization trends?
APrisma SD-WAN Predictive Analytics Dashboard
BWAN Clarity Data Center Reports
CPrisma SD-WAN Link Quality Dashboard
DWAN Clarity Branch Reports
In a branch high availability (HA) deployment, which action is taken by the standby device when the active device goes down?
AIt notifies the controller, which then reroutes all traffic for the branch through an alternate path until the active device recovers.
BIt automatically detects the failure, assumes the active role, and sends gratuitous ARP to minimize downtime for forwarding traffic.
CIt takes over, but all active sessions are immediately reset, requiring users to re-establish connections.
DIt notifies the other device to go in a diagnostic mode and logs the failure, requiring the controller to intervene and select standby device as a new forwarder.
Which action meets the needs of an organization that requires elevated incident notifications for its headquarters location?
AExport syslog to an external syslog collector and mark all messages as “Critical.”
BImplement performance policy specifically for the site with very aggressive service-level agreement (SLA) thresholds.
CEnable an event policy rule for the site with the action to set priority to the highest available level.
DEnable SNMPv3 trap notifications to an external network management system.
An organization has provided the following technical requirements and details:
High availability (HA) at all data center and branch locations
Two geographically separate main data center locations
One small data center location that contains local users and applications requiring policies
50 branch locations
ISP capacities for all branch locations but no accurate measurement of the actual bandwidth consumption
Based on Palo Alto Networks best practices and recommendations, which two licensing options will meet the customer objectives? (Choose two.)
