Palo Alto Networks SD-WAN-Engineer - Palo Alto Networks SD-WAN Engineer Exam
Total 49 questions
Question #1 (Topic: Exam A)
When identifying devices for IoT classification purposes, which two methods does Prisma SD-WAN use to discover devices that are not directly connected to the branch ION? (Choose two.)
A. LLDP
B. CDP
C. SNMP
D. Syslog
Answer: CD
Question #2 (Topic: Exam A)
A network administrator is troubleshooting a critical SaaS application, “SuperSaaSApp”, that is experiencing connectivity issues. Initially, the configured active and backup paths for the application were reported as completely down at Layer 3. The Prisma SD-WAN system attempted to route traffic for the application over an L3 failure path that was explicitly configured as a Standard VPN to Prisma Access.
However, users are still reporting a complete outage for the application and monitoring tools show application flows being dropped when attempting to use the Standard VPN L3 failure path, even though the tunnel itself appears to be up. The administrator suspects a policy misconfiguration related to how the Standard VPN path interacts with destination groups.
What is the most likely reason for flows being dropped when attempting to use the Standard VPN L3 failure path?
A. The “Move Flows Forced” action was not enabled in the performance policy for “SuperSaaSApp”, preventing the system from actively shifting traffic to the L3 failure path.
B. The path policy rule for “SuperSaaSApp” has the “Required” checkbox selected for its Service & DC Group, but no direct paths were configured alongside it, creating a conflict.
C. The path policy rule explicitly designates a Standard VPN as the L3 failure path, but it does not include a designated Standard Services and DC Group, causing traffic to be dropped.
D. The Standard VPN in the path policy was not configured to “Minimize Cellular Usage”, leading to the depletion of metered data and subsequent flow drops.
Answer: C
Question #3 (Topic: Exam A)
User-ID integration is configured for a Prisma SD-WAN deployment. Branch-1 has the user-to-IP mappings available, and User-1 is mapped to IP-1.
To which two use cases can User-ID based zone-based firewall policies be applied? (Choose two.)
A. User-1 accessing a SaaS application on direct internet and source User-ID based zone-based firewall rules on Branch-1 ION
B. User-1 accessing a private application within Branch-1, and source User-ID based zone-based firewall rules on Branch-1 ION
C. User-1 accessing a private application in the data center via SD-WAN overlay, and destination User-ID based zone-based firewall rules on DC ION
D. User-1 accessing a private application in Branch-2 via SD-WAN overlay, and destination User-ID based zone-based firewall rules on Branch-2 ION
Answer: AB
Question #4 (Topic: Exam A)
A site has two internet circuits: Circuit A with 500 Mbps capacity and Circuit B with 100 Mbps capacity.
Which path policy configuration will ensure traffic is automatically shifted from a saturated circuit to the circuit with available bandwidth?
A. Circuit A as an active, Circuit B as a backup
B. Circuit B as an active, Circuit A as a backup
C. Both circuits under active path
D. Circuit B as an L3 failure path
Answer: C
Question #5 (Topic: Exam A)
What is the purpose of Secure Group Tag (SGT) propagation in Prisma SD-WAN?
A. To integrate with external identity-based security solutions
B. To manage QoS policies for traffic based on user and application type
C. To clarify the intent of rules or configuration objects and improve rule organization
D. To enable or disable SGT settings at the interface level and initiate services like NTP, DHCP, and App Probes
Answer: A