PMSS

The document consists of a series of multiple-choice questions related to Prisma SD-WAN, covering topics such as configuration, compatibility, command usage, and troubleshooting. It includes questions about NAT policies, VPN setups, interface capabilities, and application probing. The questions are designed to assess knowledge of Prisma SD-WAN functionalities and best practices.

Uploaded by fredl

Question 1 of 35

5083091
What is the duration of the flows that you can look up in the flow browser under the activity tab?

1 week

2 weeks

3 months

1 month

Question 2 of 35
Which two of the following Prisma Access plugins are not compatible with Prisma Access for Networks
(managed by Panorama) CloudBlades 2.1.1? (Choose two.)

Select All Correct Responses

PA Plugin 2.0 Preferred

PA Plugin 1.6

PA Plugin 1.8

PA Plugin 1.7

Question 3 of 35
When configuring Prisma SD-WAN, which two of the following interfaces do NOT support NAT? (Choose
two.)

Select All Correct Responses

LAN interfaces

Private L2 interfaces

Private WAN interfaces

Controller interfaces

Question 4 of 35
Which CLI command can be used to check and verify the subnets learned by using VPN paths?

inspect fib vpn

dump routing summary

dump vpn summary

dump routing peer status all

Question 5 of 35
Which two statements are INCORRECT about Prisma SD-WAN Branch HA? (Choose two.)

Select All Correct Responses

Prisma SD-WAN ION with lower priority will take an Active role.

Prisma SD-WAN Branch HA supports preempt configuration.

Prisma SD-WAN Branch HA supports Active-Active forwarding.

Prisma SD-WAN Branch HA can have a maximum of two devices in the HA Group.

Question 6 of 35
Which two interfaces are used to reply to a DHCP broadcast request if the DHCP server is configured on
Prisma SD-WAN ION? (Choose two.)

Select All Correct Responses


Private L2 interface

Any port with a static IP address configured

L3 LAN interface

Controller interface

Question 7 of 35
After the device claim process is completed and the device is bound to a site, the device will begin to
establish IPSec VPN tunnels to authorized devices. Session keys are renegotiated every 1 hour by the
VPN endpoints. What is the time period of the shared secret before it expires on the device?

4 days

1 day

8 hours

3 days

Question 8 of 35
What is the maximum number of loopback interfaces that can be configured on a Prisma SD-WAN
device?

Four

One

Two

Five

Question 9 of 35
Prisma SD-WAN supports stacked Security policies following which release?

5.2

5.4

5.5

5.6

Question 10 of 35
Application probe is enabled by default for all Prisma SD-WAN ION devices except which one?

ION 2000

ION 7000

ION 1000

ION 3000

Question 11 of 35
A customer has set up a new site with ION and has configured port1 as the LAN interface with two sub-
interfaces as follows:
1.100 - [Link]/24 - Guest net
1.200 - [Link]/24 - Production net

The customer wants to create a policy for Guest net which can traverse the DIA, but it must not access
the Production network at this site. How may a support engineer help the customer?

Make a path policy rule in the stack policy that is attached to the site with the source prefix
[Link]/24 and Paths: Active Path - Direct Primary Internet.

Make a Network Context - Guest Net and attach it to the sub-interface with the prefix [Link]/24.
Make a path policy rule in the stack policy that is attached to the site with the Network Context - Guest
Net and Paths: Active Path - Direct Primary Internet.

The two sub-interfaces belong to the same port, and the engineer will not be able to create the policy.

Have the customer apply security rules to the new site and place the Guest Net sub-interface to a
specific security zone.

Question 12 of 35
With which release did Prisma SD-WAN begin support for multicast routing for LAN?

5.5

5.4

5.2

5.6

Question 13 of 35
A Zscaler VPN is not coming up. An engineer looks at the site level/interface configuration and creates
the VPN to the correct endpoint. The reachability for the IPSec control traffic to the Zscaler endpoint is
also successful. What action can the engineer take?

Look in the Path policies to verify that the Zscaler VPN is allowed in the paths.

Verify that the Secure Fabric is up and functioning, and that it is on the same parent internet interface.

Verify that the third-party endpoint configured on the Zscaler VPN interface is part of the Service and DC
groups/domain that the site is part of.

Look at the Security Zone bindings to verify that the VPN is part of the WAN Zone.

Question 14 of 35
Application reachability probes can be sourced from which two ports? (Choose two.)

Select All Correct Responses

LAN port

Controller port

Private WAN port

Internet port

Question 15 of 35
Which command shows Prisma SD-WAN ION uptime?

dump time config

dump site config

dump overview

dump time status

Question 16 of 35
Prisma SD-WAN branch sites support which BGP peer type?

Core

Edge

Classic

Active

Question 17 of 35
A company's branch location has two ISPs. The flows are not following the ISP-A underlay path. All the
flows follow the ISP-B underlay path instead. Which three situations could be the issue? (Choose three.)

Select All Correct Responses

The cost of the circuit ISP-A is higher than the cost of ISP-B.

The VPNs on ISP-A are down, and the VPNs on ISP-B are up.

The port through which ISP-A is connected is down.

Direct on ISP-A is not an available path in the path policies.

The ISP-A underlay path is pruned because it is not part of the Dst Zone binding for this traffic.

Question 18 of 35
There are two data centers (DC1 and DC2) for a tenant. The DC1 site prefix is [Link]/24, and the
DC2 site prefix is [Link]/24. Traffic from site A has to travel to [Link], and in the path policies,
the active path for this traffic is "VPN any public." The Active Service and DC group is DC1, and the
Backup Service and DC group is DC2. Which two statements correctly describe the traffic flow? (Choose
two.)

Select All Correct Responses

Traffic will NOT take the VPN path to DC1 because [Link]/24 belongs to DC2, and traffic destined
to that subnet will take the DC2 path irrespective of the status of Service and DC group.

Traffic will NOT take the VPN path to DC2 because Active path and Active DC is up.

Traffic will take the VPN path to DC2 even though it is the backup DC in the policies.

Traffic will take the VPN path to DC1 because it is the Active DC configured in the policies.

Question 19 of 35
If the Prisma SD-WAN VPN goes down because it is out of a shared secret key, how many encrypted
shared secrets will the controller send to its respective endpoints?

one encrypted shared secret

three encrypted shared secrets

four encrypted shared secrets

five encrypted shared secrets

Question 20 of 35
What is the default LQM threshold for link packet loss?

3%

4%

5%

2%

Question 21 of 35
If a VPN is flapping continuously, what actions can an engineer take? (Choose two.)

Select All Correct Responses

Go to Activity > Link Quality, select the VPN, and verify that the link quality is good.

Log in to the CLI of the ION and check whether or not the VPN bfd/liveliness is up or down.

Go to Stacked policies > Path > Policies, and verify that the VPN is allowed in the policies.

Go to Site level view > Secure Fabric, select the VPN, and check whether or not the VPN is admin up or
admin down.

Question 22 of 35
A company wants to set up a NAT policy to redirect incoming packets, which have an external IP
address, to an internal IP address. How should the NAT policy be configured?

Create a NAT policy rule in the Source Zone Rules with DEST PREFIX as Public IP and Actions - Source NAT
pool as Private IP.

Create a NAT policy rule in the Destination Zone Rules with DEST PREFIX as Public IP and Actions - Source
NAT pool as Private IP.

Create a NAT policy rule in the Source Zone Rules with DEST PREFIX as Public IP and Actions - Destination
NAT pool as Private IP.

Create a NAT policy rule in the Destination Zone Rules with DEST PREFIX as Public IP and Actions -
Destination NAT pool as Private IP.

Question 23 of 35
By default, Link Quality metrics influence path selection for which type of applications?

TCP-based applications

All applications

Real-time voice and video applications

UDP-based applications

Question 24 of 35
What is the Prisma SD-WAN default LQM threshold for link latency?

100ms

150ms

125ms

200ms

Question 25 of 35
A customer has set up a new site with ION 3000, but complains that there is no traffic to the Internet1
port. Which three actions should a support engineer take? (Choose three.)

Select All Correct Responses

Verify that WAN forwarding is enabled on the device.

Verify that the path policy is applied to the site and that it has "Direct any public" set as a path.

Verify that the correct label is applied to the Internet1 port.

Verify that the Internet1 port and BP1 port are coupled and that the ports are UP.

Verify that the public IP address sourced from the Internet1 port can be pinged.

Question 26 of 35
Which deployment mode will enable a native Prisma SD-WAN virtual private network (VPN) between a
branch and an on-premises data center?

Analytics

Advertise

Disabled

Control

Question 27 of 35
What is the baud rate for Prisma SD-WAN?

115200 bps

9600 bps

4800 bps

38400 bps

Question 28 of 35
Which statement about branch HA design and data-center HA design is correct?

Branch HA is an active-backup setup, and a data-center HA is an active-active setup.

Branch HA is an active-active setup, and a data-center HA is an active-backup setup.

Both branch HA and data-center HA are active-active setups and work similarly.

Both branch HA and data center HA are active-backup setups and work similarly.

Question 29 of 35
Which two conditions do the alarms NETWORK_VPNSS_UNAVAILABLE and NETWORK_VPNBFD_DOWN
indicate? (Choose two.)

Select All Correct Responses

BFD needs to be enabled on the VPN connection.

Control connection is up, but data connection is not coming up. Check firewall settings.

Device is out of shared secrets. Check controller connectivity.

Peer devices disagree on which shared secret to use. Check for clock skew.

Question 30 of 35
What is the throughput of the ION 3000?

Up to 250 Mbps

Up to 500 Mbps

Up to 1000 Mbps

Up to 700 Mbps

Question 31 of 35
Prisma SD-WAN can be deployed in which three modes? (Choose three.)

Select All Correct Responses

Analytics

Disabled

Bridge

Control

Fail-to-Wire

Question 32 of 35
A company has two internet circuits at its on-premises site, and ZBF security rules have been applied to
the site. A customer of the company complains that traffic is not passing over their Internet2
environment. What could be the issue for a support engineer to resolve? (Choose two.)

Select All Correct Responses

The Internet2 port has a malfunction.

The path policy at the site does not have Internet2 as an available path.

The Internet2 port has lower bandwidth and has not been selected.

The correct Security Zone has not been applied to the Internet2 port.

Question 33 of 35
Application Probing is NOT performed for which three of the following applications? (Choose three.)

Select All Correct Responses

SSL

TCP-based application

HTTP

UDP-based application

DNS

Question 34 of 35
A company wants to set up a policy for its guest network with CIDR range [Link]/24. Direct Internet
(with label Primary Internet) is selected as a primary path, and in the event port1 fails, they can use
port2 (with label LTE) as the backup internet path. How should a policy be configured to achieve this?
(Choose two.)

Select All Correct Responses

Make a Network Context - Guest Net and attach it to the sub-interface with the [Link]/24 prefix.
Make a path policy rule in the stack policy that is attached to the site with the Network Context - Guest
Net and Paths: Active Path - Direct Primary Internet, L3 Failure Path - Direct LTE.

Make a path policy rule in the stack policy that is attached to the site with the source prefix
[Link]/24 and Paths: Active Path - Direct Primary Internet, L3 Failure Path - Direct LTE.

Make a Network Context - Guest Net and attach it to the sub-interface with the [Link]/24 prefix.
Make a path policy rule in the stack policy that is attached to the site with the Network Context - Guest
Net and Paths: Active Path - Direct Primary Internet, Backup Path - Direct LTE.

Make a path policy rule in the stack policy that is attached to the site with the source prefix
[Link]/24 and Paths: Active Path - Direct Primary Internet, Backup Path - Direct LTE.

Question 35 of 35
Which Prisma SD-WAN ION offering does NOT support fail-to-wire?

ION 3000

ION 1000

ION 7000

ION 2000

Total Points: 20/30 (67%)