Palo Alto Networks SD-WAN-Engineer Exam | SD-WAN-Engineer training materials - one year of free updates, SD-WAN-Engineer study guide. Palo Alto Networks certifications have become increasingly popular in recent years. As internationally recognized credentials, they attract more and more candidates, and the SD-WAN-Engineer certification exam is one of the most important among them. So how are you preparing to pass it? Are you cramming every piece of knowledge related to the exam, or are you using an efficient SD-WAN-Engineer study guide?
Palo Alto Networks SD-WAN Engineer certification SD-WAN-Engineer exam questions (Q47-Q52):
Question # 47
A network engineer is troubleshooting an ION device that is showing as "Offline" in the Prisma SD-WAN portal, despite the site reporting that local internet access is working. The engineer has console access to the device.
Which CLI command should be used to specifically validate the device's ability to resolve the controller's hostname and establish a secure connection to it over a specific interface?
A. dump vpn summary
B. debug controller reachability <interface>
C. ping <controller-ip>
D. show system connectivity
Correct answer: B
Explanation:
Comprehensive and Detailed Explanation
The CLI command debug controller reachability <interface> (e.g., debug controller reachability 1) is the specific diagnostic tool designed to verify the entire connectivity chain required for management plane availability.
Unlike a simple ICMP ping (Option C), which only tests Layer 3 reachability to an IP address, the debug controller reachability command performs a sequential set of tests:
DNS Resolution: It attempts to resolve the controller's locator FQDN (locator.cgnx.net or the region-specific FQDN) to verify that DNS works from that interface.
TCP Connectivity: It tests whether a TCP connection to the controller can be established on port 443 (HTTPS).
SSL/TLS Handshake: It validates that the device can negotiate the TLS session over which it authenticates to the controller.
If the command fails at the DNS step, the likely cause is a missing or wrong DNS server in the interface configuration. If it fails at the TCP step, an upstream firewall is probably blocking outbound port 443. This targeted output lets the engineer pinpoint exactly why the device shows as offline in the portal.
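As an added illustration (not Prisma SD-WAN code and not how the ION CLI implements the command), the following Python script reproduces the same three-stage check the explanation describes and maps each failure to the diagnosis given above. The hostname, the 203.0.113.10 address and the stubbed failures in `run_offline_scenarios()` are constructed so that the script runs offline; calling `check_controller_reachability()` with a real FQDN and the IP address of the interface under test (`source_ip`) runs it against the network.

```python
"""Staged controller-reachability check: DNS -> TCP/443 -> TLS handshake.

Added illustration, not Prisma SD-WAN code. It mirrors the stages the text
attributes to `debug controller reachability <interface>` so that each failure
maps to one diagnosis. Hostnames and addresses below are constructed.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class ReachabilityResult:
    host: str
    port: int
    resolved_ip: Optional[str] = None
    tls_version: Optional[str] = None
    failed_stage: Optional[str] = None   # None on success, else "dns" | "tcp" | "tls"
    hint: str = "controller reachable: DNS, TCP and TLS all succeeded"


def _resolve(host: str) -> str:
    """Stage 1: resolve the controller FQDN to an IPv4 address."""
    return socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]


def _connect(ip: str, port: int, source_ip: Optional[str], timeout: float) -> socket.socket:
    """Stage 2: TCP connect, optionally pinned to a source interface address."""
    src = (source_ip, 0) if source_ip else None
    return socket.create_connection((ip, port), timeout=timeout, source_address=src)


def _handshake(sock: socket.socket, host: str) -> str:
    """Stage 3: TLS handshake with certificate and hostname verification."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        return tls.version() or "unknown"


def check_controller_reachability(host: str, port: int = 443, source_ip: Optional[str] = None,
                                  timeout: float = 5.0,
                                  resolve: Callable[[str], str] = _resolve,
                                  connect: Callable[..., object] = _connect,
                                  handshake: Callable[[object, str], str] = _handshake,
                                  ) -> ReachabilityResult:
    """Run the three stages in order and stop at the first one that fails."""
    r = ReachabilityResult(host=host, port=port)
    try:
        r.resolved_ip = resolve(host)
    except OSError as exc:
        r.failed_stage = "dns"
        r.hint = f"DNS failed ({exc}): check the DNS servers configured on the source interface"
        return r
    try:
        sock = connect(r.resolved_ip, port, source_ip, timeout)
    except OSError as exc:
        r.failed_stage = "tcp"
        r.hint = (f"TCP connect to {r.resolved_ip}:{port} failed ({exc}): "
                  f"an upstream firewall may block outbound TCP/{port}")
        return r
    try:
        r.tls_version = handshake(sock, host)
    except OSError as exc:   # ssl.SSLError is a subclass of OSError
        r.failed_stage = "tls"
        r.hint = f"TLS handshake failed ({exc}): look for TLS interception or a wrong device clock"
    finally:
        try:
            sock.close()
        except OSError:
            pass
    return r


class _FakeSock:
    """Constructed stand-in for a connected socket (no network involved)."""
    def close(self) -> None:
        pass


def _raise(msg: str):
    raise OSError(msg)


def run_offline_scenarios() -> dict:
    """Constructed failures at each stage, showing which diagnosis each one yields."""
    host = "locator.example.invalid"                   # assumed placeholder, not the real locator FQDN
    ok_resolve = lambda h: "203.0.113.10"              # documentation address (TEST-NET-3)
    ok_connect = lambda ip, port, src, to: _FakeSock()
    return {
        "dns_down": check_controller_reachability(host, resolve=lambda h: _raise("NXDOMAIN")),
        "tcp_blocked": check_controller_reachability(
            host, resolve=ok_resolve, connect=lambda ip, port, src, to: _raise("connection timed out")),
        "tls_intercepted": check_controller_reachability(
            host, resolve=ok_resolve, connect=ok_connect,
            handshake=lambda s, h: _raise("certificate verify failed")),
        "healthy": check_controller_reachability(
            host, resolve=ok_resolve, connect=ok_connect, handshake=lambda s, h: "TLSv1.3"),
    }


if __name__ == "__main__":
    for name, res in run_offline_scenarios().items():
        print(f"{name:16} stage={res.failed_stage or 'ok':4} {res.hint}")
```

The three stages are deliberately kept separate so that the first failing stage, not a generic "offline", is what gets reported: a DNS failure with working internet points at the interface's DNS configuration, a TCP failure with working DNS points at an upstream filter on 443, and a TLS failure after a successful TCP connect usually means something is terminating or inspecting the session before it reaches the controller.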
Question # 48
In a data center (DC) with two ION devices, all of the remote branch Prisma SD-WAN VPNs are active only on DC ION-1.
Why are no VPNs active on DC ION-2?
A. The ION device is behind a NAT.
B. The static route to core as a next hop is missing.
C. The BGP core peer is down.
D. The DC and branches are in a different domain.
Correct answer: C
Explanation:
Comprehensive and Detailed Explanation
In a Prisma SD-WAN data center deployment, the operational state of the Secure Fabric VPNs (overlay tunnels) is directly tied to the health of the BGP core peer configuration.
Core Peer Dependency: DC ION devices typically peer with the data center core switch (core router) via BGP to learn the subnets (prefixes) of the applications hosted in the DC. The Prisma SD-WAN controller monitors this BGP peering status.
Controller Logic: If the BGP core peer on a DC ION goes down (or is never established), the controller automatically marks the VPN tunnels terminating on that specific ION as "Inactive". This is a fail-safe mechanism that prevents remote branches from sending traffic to a DC ION that has lost connectivity to the internal data center network (and therefore to the applications).
Scenario Analysis: DC ION-1 has active VPNs, so its BGP core peer is up and it is successfully advertising reachability. DC ION-2 has no active VPNs, which strongly indicates that its BGP core peer is down. Because the controller sees the peer as down, it suppresses tunnel establishment or marks existing tunnels inactive so that traffic is only directed to the healthy node (ION-1).
Question # 49
An administrator needs to ensure that critical VoIP traffic is not dropped even when the branch's primary internet link is fully saturated with bulk file transfers.
Which QoS mechanism does Prisma SD-WAN automatically apply to the "Platinum" priority class to prevent starvation by lower-priority classes?
A. Hierarchical Token Bucket (HTB) with guaranteed bandwidth
B. Strict Priority Queuing (SPQ)
C. Weighted Round Robin (WRR)
D. First-In, First-Out (FIFO)
Correct answer: A
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN utilizes a hierarchical QoS model (typically based on Hierarchical Token Bucket or similar shaping algorithms) to manage bandwidth contention.
Guaranteed Bandwidth: The "Platinum" class (used for Real-Time voice/video) is assigned a guaranteed bandwidth percentage (floor) in the QoS profile. This ensures that even if "Gold" (Transactional) or "Silver" (Bulk) traffic is trying to consume 100% of the link, the scheduler reserves the specific portion (e.g., 30%) for Platinum traffic, preventing starvation.
Shaping, not Policing: Unlike simple policing which drops excess traffic hard, the ION device shapes the egress traffic. If the link is congested, the scheduler delays the lower-priority packets (buffering) to allow the high-priority Platinum packets to exit immediately.
Why not Strict Priority (Option B)? Although Platinum behaves much like a priority queue, pure Strict Priority can completely starve the lower queues whenever the high-priority traffic is misbehaving or simply voluminous. Prisma SD-WAN typically uses bandwidth guarantees (floors) and limits (ceilings) to ensure fair sharing while still protecting critical applications.
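The following Python model, added here as an illustration rather than Prisma SD-WAN's actual scheduler, contrasts a simplified HTB-style allocation (every class gets its floor first, then leftover bandwidth is handed out in priority order up to each class's ceiling) with strict priority queuing on a 100 Mbps link. The class percentages and offered loads are constructed: the 30% Platinum floor follows the figure used in the explanation, everything else is an assumption. A second scenario shows the case the last paragraph warns about, traffic mis-marked as Platinum that would starve Gold and Silver under SPQ.

```python
"""Floor/ceiling (HTB-style) allocation versus strict priority queuing.

Added illustration, not Prisma SD-WAN's scheduler: a simplified two-pass model
of hierarchical bandwidth sharing. Percentages and demands below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class QosClass:
    name: str
    guaranteed_pct: float   # floor: share of the link reserved for this class
    ceiling_pct: float      # cap: the most this class may ever use
    demand_mbps: float      # offered load


def allocate_htb(classes: List[QosClass], link_mbps: float) -> Dict[str, float]:
    """Pass 1 honours every floor; pass 2 hands leftover bandwidth out in
    priority order (list order), never above a class's ceiling or its demand."""
    alloc: Dict[str, float] = {}
    for c in classes:
        floor = link_mbps * c.guaranteed_pct / 100
        alloc[c.name] = min(c.demand_mbps, floor)
    leftover = link_mbps - sum(alloc.values())
    for c in classes:
        if leftover <= 0:
            break
        ceiling = link_mbps * c.ceiling_pct / 100
        extra = min(leftover, ceiling - alloc[c.name], c.demand_mbps - alloc[c.name])
        if extra > 0:
            alloc[c.name] += extra
            leftover -= extra
    return alloc


def allocate_strict_priority(classes: List[QosClass], link_mbps: float) -> Dict[str, float]:
    """Each class takes everything it wants before the next one is served; no floors."""
    alloc: Dict[str, float] = {}
    remaining = link_mbps
    for c in classes:
        alloc[c.name] = min(c.demand_mbps, remaining)
        remaining -= alloc[c.name]
    return alloc


def _profile(platinum_demand: float, silver_demand: float) -> List[QosClass]:
    # Priority order: Platinum (real-time) > Gold (transactional) > Silver (bulk).
    # Floors sum to 100% so the whole link is spoken for; ceilings are assumed at 100%.
    return [
        QosClass("Platinum", guaranteed_pct=30, ceiling_pct=100, demand_mbps=platinum_demand),
        QosClass("Gold",     guaranteed_pct=30, ceiling_pct=100, demand_mbps=10),
        QosClass("Silver",   guaranteed_pct=40, ceiling_pct=100, demand_mbps=silver_demand),
    ]


def scenario_bulk_saturation(link_mbps: float = 100.0):
    """The exam scenario: 20 Mbps of VoIP while bulk transfers offer 150 Mbps."""
    classes = _profile(platinum_demand=20, silver_demand=150)
    return allocate_htb(classes, link_mbps), allocate_strict_priority(classes, link_mbps)


def scenario_misbehaving_platinum(link_mbps: float = 100.0):
    """Why not pure SPQ: 120 Mbps mis-marked as Platinum would starve every other class."""
    classes = _profile(platinum_demand=120, silver_demand=150)
    return allocate_htb(classes, link_mbps), allocate_strict_priority(classes, link_mbps)


if __name__ == "__main__":
    for label, fn in (("bulk saturation", scenario_bulk_saturation),
                      ("misbehaving Platinum", scenario_misbehaving_platinum)):
        htb, spq = fn()
        print(f"{label}: HTB {htb}  SPQ {spq}")
```

In the saturation case both schedulers give Platinum its full 20 Mbps, because what protects VoIP there is simply that it is served first; the difference shows up in the second case, where the floor model still leaves Gold its 10 Mbps and Silver its 40 Mbps while strict priority hands the entire link to the mis-marked Platinum traffic. Real HTB additionally shares excess among same-priority classes by quantum, which this two-pass model leaves out.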
Question # 50
In a Prisma SD-WAN deployment, what is the defining characteristic of a "Standard VPN" compared to a "Secure Fabric Link"?
A. Standard VPNs are manually configured IPSec tunnels to non-ION endpoints, while Secure Fabric Links are automated tunnels between ION devices.
B. Standard VPNs support BGP, whereas Secure Fabric Links only support static routing.
C. Standard VPNs are automatically built between ION devices, while Secure Fabric Links require manual configuration.
D. Standard VPNs use GRE encapsulation, while Secure Fabric Links use VXLAN.
Correct answer: A
Explanation:
Comprehensive and Detailed Explanation
In the Prisma SD-WAN architecture, the terminology distinguishes between "Native" automation and "Legacy" interoperability.
Secure Fabric Links: These are the proprietary, automated overlay tunnels created between two Prisma SD-WAN ION devices (e.g., Branch ION to Data Center ION). The controller automatically manages the IP addressing, key rotation, and routing for these links. You do not manually configure "Phase 1" or "Phase 2" parameters for Secure Fabric links.
Standard VPNs: These are traditional, standards-based IPSec tunnels configured to connect an ION device to a Non-ION endpoint (Third-Party Peer). This is used for "Data Center to Data Center" connections where one side is a legacy firewall (e.g., Cisco ASA, Palo Alto Networks NGFW) or for connecting to cloud security services (SSE) that do not have a specific CloudBlade integration. For a Standard VPN, the administrator must manually define the IKE/IPSec profiles, pre-shared keys, and peer IP addresses to match the third-party device's configuration.
Question # 51
A multinational company is deploying Prisma SD-WAN across North America, Europe, and Asia. The data centers in the North America region have so far served all regions, but regional policies now being enforced mandate that each region build its own data centers and that branch sites connect only to their respective regional data centers.
How can this regionalization be achieved so that new or existing branch sites only build tunnels to the regional DC IONs?
A. Disable the auto-tunnel feature globally on the Prisma SD-WAN portal and manually create all necessary tunnels exclusively between IONs within their designated regions.
B. Remove the circuit labels and apply new circuit labels for in-region circuits only.
C. Assign WAN interfaces to distinct Virtual Routing and Forwarding (VRF) instances for each region on the DC IONs, ensuring that branches only connect to the WAN interfaces/VRFs designated for their region.
D. Create a new cluster for each regional DC ION and move the sites from the existing cluster to the new cluster.
Correct answer: D
Explanation:
Comprehensive and Detailed Explanation
To achieve strict regional isolation where branch sites only form VPN tunnels with Data Centers in their specific region (e.g., EU branches to EU DCs only), the correct architectural feature to utilize is VPN Clusters.
In Prisma SD-WAN (CloudGenix), a Cluster defines a logical security and topology boundary for the overlay network. By default, devices may be placed in a "Default" cluster where they attempt to form a mesh or hub-and-spoke topology with all other reachable devices in that context.
To enforce the new policy:
Logical Partitioning: The administrator should create separate VPN Clusters for each region (e.g., "Cluster-NA", "Cluster-EU", "Cluster-Asia").
Assignment: The Regional Data Center IONs and their corresponding Branch IONs must be moved into their respective clusters.
Result: The Prisma SD-WAN controller dictates that devices can only establish Secure Fabric (VPN) tunnels with other devices within the same cluster. This effectively segments the global network, ensuring that an Asian branch never attempts to build a tunnel to a North American DC, satisfying the compliance requirement without complex access lists or manual tunnel configuration.
Option A (manual tunnels) is administratively unscalable and negates the benefits of SD-WAN automation.
Option B (circuit labels) is primarily for path selection and traffic steering, not for hard topology segmentation.
Option C (VRFs) is used for local Layer 3 segmentation (routing isolation) within a device, not for controlling the scope of WAN overlay tunnel formation.