Practice Free SD-WAN-Engineer Exam Online Questions
An administrator is configuring a BGP peer on a Data Center ION to learn routes from the core switch. The goal is to have the ION learn these prefixes and then advertise them to all remote branch sites across the SD-WAN overlay.
Which setting must be configured on the BGP Peer to ensure these learned routes are redistributed into the SD-WAN fabric?
- A . Set the "Admin Distance" to 20.
- B . Enable "Graceful Restart".
- C . Set the "Scope" to "Global".
- D . Configure a "Prefix List" to deny all.
C
Explanation:
Comprehensive and Detailed Explanation
In Prisma SD-WAN routing configuration, the Scope setting on a BGP Peer (or a Static Route) controls the redistribution logic for the prefixes learned from that source.
Local Scope: If a BGP peer is configured with "Local" scope, the ION device will install the learned routes into its local routing table for its own reachability, but it will not advertise (redistribute) these routes to other ION devices via the Secure Fabric. They remain local to the site.
Global Scope: To advertise reachability to the rest of the network, the BGP peer must be configured with "Global" scope. This tells the ION that any prefixes learned from this specific neighbor (e.g., the DC Core Switch) should be propagated across the SD-WAN overlay to remote branches. This is the critical setting for enabling branch-to-DC communication for applications hosted behind that BGP peer. Without "Global" scope, the branches would never learn the routes to the data center subnets.
Site templates are to be used for the large-scale deployment of 100 Prisma SD-WAN branch sites across different regions.
Which two statements align with the capabilities and best practices for Prisma SD-WAN site templates? (Choose two.)
- A . The use of Jinja conditional statements within a site template is not supported, thereby limiting dynamic customization options.
- B . Mandatory variables for any site template include the site name, ION software version, and at least one ION serial number /device name pair.
- C . Site templates offer the capability to pre-stage device configurations by creating a device shell.
- D . Once a site has been deployed using a template, its configuration can be updated or modified by applying an updated version of the template.
B, C
Explanation:
Comprehensive and Detailed Explanation
Site Templates (often referred to as Site Configuration Templates) are a critical tool for the Zero Touch Provisioning (ZTP) of large-scale deployments in Prisma SD-WAN.
Which statement accurately describes how the Prisma SD-WAN zone-based firewall functions within a branch network?
- A . North-south traffic (internet/WAN egress) is handled by zone-based firewall and relies on external firewalls for east-west segmentation.
- B . East-west traffic between the zones can be explicitly blocked, but traditional Access Control List (ACLs) are required to block north-south traffic.
- C . North-south traffic is handled by application-aware policies, while east-west traffic requires traditional Access Control List (ACLs).
- D . Security zones enable granular control over both WAN-to-LAN and LAN-to-WAN as well as east-west (LAN-to-LAN) traffic flows within the branch.
D
Explanation:
The Prisma SD-WAN (ION) device includes a native, application-aware Zone-Based Firewall (ZBFW) that provides comprehensive security within the branch without the mandatory requirement for additional hardware. The fundamental principle of this architecture is the grouping of interfaces and sub-interfaces into logical Security Zones. Once these zones are defined (e.g., LAN, WAN, Guest, IoT), the administrator can create security policies that govern the traffic permitted to flow between them.
Unlike traditional routers that rely on stateless Access Control Lists (ACLs) which are difficult to manage and lack application visibility, the Prisma SD-WAN ZBFW is stateful and application-aware. This means it can apply granular control over North-South traffic (flows moving between the LAN and the WAN/Internet) and East-West traffic (flows moving between different segments within the LAN, such as from a Guest zone to a Corporate zone).
By using security zones, an ION device can ensure that even if two local networks are connected to the same physical appliance, they remain completely isolated unless a specific policy explicitly allows communication. This "Zero Trust" approach at the branch edge allows organizations to segment vulnerable devices (like IoT) from critical internal resources and strictly control how users access the internet or the corporate data center. The ZBFW works in tandem with the global controller to ensure that security postures are consistent across all branch locations, eliminating the complexity of manual ACL management at each site.
In a data center (DC) with two ION devices, all of the remote branch Prisma SD-WAN VPNs are active only on DC ION-1.
Why are no VPNs active on DC ION-2?
- A . The BGP core peer is down.
- B . The static route to core as a next hop is missing.
- C . The ION device is behind a NAT.
- D . The DC and branches are in a different domain.
A
Explanation:
Comprehensive and Detailed Explanation
In a Prisma SD-WAN Data Center deployment, the operational state of the Secure Fabric VPNs (overlay tunnels) is directly tied to the health of the BGP Core Peer configuration.
Core Peer Dependency: DC ION devices typically peer with the data center core switch (Core Router) via BGP to learn the subnets (prefixes) for the applications hosted in the DC. The Prisma SD-WAN controller monitors this BGP peering status.
Controller Logic: If the BGP Core Peer on a DC ION goes down (or is not established), the controller automatically marks the VPN tunnels terminating at that specific ION as "Inactive". This is a fail-safe mechanism designed to prevent remote branches from sending traffic to a DC ION that has lost connectivity to the internal data center network (and thus the applications).
Scenario Analysis: In this scenario, DC ION-1 has active VPNs, meaning its BGP Core Peer is UP and it is successfully advertising reachability. DC ION-2 has no active VPNs, which strongly indicates that its BGP Core Peer is down. Because the controller sees the peer is down, it suppresses the tunnel establishment or marks existing tunnels as inactive to ensure traffic is only directed to the healthy node (ION-1).
In the Prisma SD-WAN portal, an administrator is viewing the "Media" analytics for a branch site to troubleshoot complaints about poor voice quality.
When calculating the Mean Opinion Score (MOS) for voice traffic, which two metrics does the system prioritize active monitoring for, even when no user voice traffic is present on the link? (Choose two.)
- A . Latency (One-Way)
- B . Jitter
- C . Throughput
- D . Packet Loss
B, D
Explanation:
Comprehensive and Detailed Explanation
Prisma SD-WAN calculates the Mean Opinion Score (MOS) to provide a standardized metric (1-5) for voice quality. To ensure the system always knows the "voice readiness" of a path―even before a call starts―it uses Active Probes (synthetic UDP packets).
While latency is measured, the MOS calculation is penalized most heavily by Packet Loss (D) and Jitter (B).
Packet Loss: Even a small amount of loss (e.g., >1%) dramatically reduces voice clarity, causing dropouts.
Jitter: High variance in packet arrival time (jitter) causes the "robotic" voice effect and buffer underruns.
The system continuously measures these specific metrics on all WAN links using synthetic probes. If the packet loss or jitter exceeds the threshold defined in the "Path Quality Profile" (e.g., Voice Profile), the path is marked as non-compliant, and the MOS score drops, triggering a policy action to move the flow. Throughput (C) is less critical for voice as calls consume very little bandwidth (e.g., 64-100 Kbps), making congestion (loss/jitter) the primary enemy, not raw speed.
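The following is an added example, not Prisma SD-WAN's own code or algorithm: it evaluates synthetic-probe samples per path against a voice path-quality profile, flags the metrics that violate it, and estimates a MOS value. The MOS estimate uses a simplified ITU-T E-model style approximation (effective latency and loss reduce an R-factor, which is mapped to a 1-5 MOS); it is not Prisma's proprietary calculation. The profile thresholds, path names and probe samples are constructed for illustration.

```python
"""Added example (not Prisma SD-WAN code): path-quality compliance and a
simplified MOS estimate from synthetic-probe samples."""

from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass
class ProbeSample:
    """One synthetic probe measurement on a WAN path (constructed data)."""
    path: str
    latency_ms: float   # one-way latency
    jitter_ms: float    # variance in arrival time
    loss_pct: float     # percentage of probe packets lost


@dataclass
class PathQualityProfile:
    """Thresholds a path must stay within to be compliant for this app class."""
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


def estimate_mos(latency_ms: float, jitter_ms: float, loss_pct: float) -> float:
    """Simplified E-model approximation (assumption: not Prisma's algorithm).
    Jitter is folded into an 'effective latency' (jitter buffer cost) and
    loss subtracts from the R-factor, which is then mapped onto the 1-5 MOS scale."""
    effective = latency_ms + 2 * jitter_ms + 10
    if effective < 160:
        r = 93.2 - effective / 40
    else:
        r = 93.2 - (effective - 120) / 10
    r -= 2.5 * loss_pct
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1 + 0.035 * r + r * (r - 60) * (100 - r) * 7e-6


def evaluate_paths(samples: List[ProbeSample], profile: PathQualityProfile) -> Dict[str, dict]:
    """Average the probe samples per path, check each averaged metric against
    the profile and record which ones violate it, plus the MOS estimate."""
    by_path: Dict[str, List[ProbeSample]] = {}
    for s in samples:
        by_path.setdefault(s.path, []).append(s)

    result: Dict[str, dict] = {}
    for path, group in by_path.items():
        lat = mean(s.latency_ms for s in group)
        jit = mean(s.jitter_ms for s in group)
        loss = mean(s.loss_pct for s in group)
        violations = []
        if loss > profile.max_loss_pct:
            violations.append("loss")
        if jit > profile.max_jitter_ms:
            violations.append("jitter")
        if lat > profile.max_latency_ms:
            violations.append("latency")
        result[path] = {
            "compliant": not violations,
            "violations": violations,
            "mos": round(estimate_mos(lat, jit, loss), 2),
        }
    return result


# Constructed voice profile thresholds (assumption, not Prisma defaults).
VOICE_PROFILE = PathQualityProfile("Voice (constructed)",
                                   max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)

# Constructed probe samples: Circuit A is clean, Circuit B shows loss and jitter.
SAMPLES = [
    ProbeSample("Circuit A", 28, 2, 0.0),
    ProbeSample("Circuit A", 32, 2, 0.0),
    ProbeSample("Circuit B", 30, 40, 5.0),
    ProbeSample("Circuit B", 30, 40, 5.0),
]

if __name__ == "__main__":
    for path, verdict in evaluate_paths(SAMPLES, VOICE_PROFILE).items():
        print(path, verdict)
```

Circuit B fails on both loss and jitter even though its latency is identical to Circuit A's, which is the point of the explanation above: the compliance decision (and the resulting MOS drop) is driven by loss and jitter, not by raw speed.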
A branch manager reports slow network performance, and the network administrator wants to use Prisma SD-WAN Copilot to quickly identify if a specific user, by source IP address, is consuming excessive bandwidth as well as which applications are contributing to this consumption.
How can Copilot assist in this investigation?
- A . It will automatically generate and email a “User Bandwidth Consumption” report for the specified branch, which the administrator can use to find the top user and the application details.
- B . It can identify the top applications being used across the entire branch and can be correlated with Flow Browser to attribute specific application usage or total bandwidth consumption to individual source IPs.
- C . It can directly process a natural language query such as “Show top bandwidth source IPs at SD-WAN Branch X over last 3 hours,” provide summarized views of the top-consuming source IPs, and view the primary applications they are using.
- D . It will redirect the administrator to the WAN Clarity “Top N: Source IPs” report and the “Flow Browser” utility, suggesting correlation between these tools to determine a user’s specific application usage.
C
Explanation:
Prisma SD-WAN Copilot is an AI-powered operational tool designed to simplify network management through Natural Language Processing (NLP). Traditionally, identifying a bandwidth "hog" required manual navigation through multiple dashboards, such as WAN Clarity and the Flow Browser, to correlate source IP addresses with specific application flows and timestamps. Copilot transforms this workflow by allowing administrators to interact with the system using conversational queries.
When an administrator inputs a query like “Show top bandwidth source IPs at SD-WAN Branch X over last 3 hours,” Copilot leverages its underlying machine learning models and integrated data lake to aggregate telemetry across the entire fabric. It instantly identifies the specific source IPs responsible for the highest throughput and correlates that data with application visibility. Instead of providing a static report or redirecting the user to other tools, Copilot presents an interactive, summarized view directly within the interface. This view highlights the top-consuming users and breaks down their consumption by application, such as YouTube, Netflix, or business-critical SaaS tools.
This capability significantly reduces the Mean Time to Resolution (MTTR) for performance issues. By bypassing the need for manual data correlation, Copilot provides immediate "Day 2" operational insights. It effectively acts as a virtual assistant that understands the context of the network topology, site names, and time ranges, allowing the administrator to quickly determine if a branch’s slow performance is due to an individual user’s behavior or a broader infrastructure issue.
A site has two internet circuits: Circuit A with 500 Mbps capacity and Circuit B with 100 Mbps capacity.
Which path policy configuration will ensure traffic is automatically shifted from a saturated circuit to the circuit with available bandwidth?
- A . Circuit A as an active, Circuit B as a backup
- B . Circuit B as an active, Circuit A as a backup
- C . Both circuits under active path
- D . Circuit B as an L3 failure path
C
Explanation:
Comprehensive and Detailed Explanation
In Prisma SD-WAN (CloudGenix), Path Policies control how application traffic is steered across WAN links. To ensure that traffic is automatically shifted from a saturated circuit to another circuit with available bandwidth, both circuits must be configured as Active Paths within the policy rule.
When multiple paths are designated as "Active," the ION device treats them as a shared pool of available resources. The system continuously monitors the bandwidth utilization (capacity) and health (latency, jitter, loss) of all active links. If "Circuit A" (500 Mbps) becomes saturated or approaches its defined bandwidth limit, the ION’s intelligent scheduler will automatically direct new application flows to "Circuit B" (100 Mbps) because it is a valid, healthy Active path with available capacity. This achieves effective load balancing and bandwidth aggregation.
In contrast, configuring "Circuit B" as a Backup Path (Option A or B) creates a strict priority relationship. Traffic would only move to the Backup path if the Active path completely failed or violated its configured SLA (Path Quality Profile) significantly enough to be considered "down." Mere bandwidth saturation might not trigger an SLA failure immediately, potentially leading to dropped packets on the saturated link while the backup link remains idle. Therefore, placing Both circuits under active path is the correct configuration for dynamic capacity management.
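The following is an added example, not Prisma SD-WAN's own scheduler: a toy flow-placement model that contrasts the two policy shapes discussed above. With both circuits in the active pool, a new flow that no longer fits on Circuit A is placed on Circuit B; with Circuit B as a backup, the backup is consulted only when the active path is down, so the sixth 100 Mbps flow oversubscribes Circuit A while Circuit B sits idle. Circuit names, capacities and flow sizes are constructed, and "down" stands in for the SLA violation that a real backup path would wait for.

```python
"""Added example (not Prisma SD-WAN code): active-pool versus active/backup
flow placement on two circuits of unequal capacity."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Circuit:
    name: str
    capacity_mbps: float
    up: bool = True
    used_mbps: float = 0.0

    def headroom(self) -> float:
        return self.capacity_mbps - self.used_mbps


@dataclass
class PathPolicy:
    active: List[Circuit]                          # shared pool of paths
    backup: List[Circuit] = field(default_factory=list)  # used only when no active path is up


def place_flow(policy: PathPolicy, flow_mbps: float) -> Optional[str]:
    """Assign one new flow. Active paths form a pool: the healthy one with the
    most headroom that still fits the flow wins. If every active path is up but
    saturated, the flow is still forced onto an active path (backup paths are a
    priority relationship, not a capacity pool). Backup paths are used only when
    no active path is up. Returns the chosen circuit name, or None if nothing fits."""
    fits = [c for c in policy.active if c.up and c.headroom() >= flow_mbps]
    if fits:
        chosen = max(fits, key=lambda c: c.headroom())
    else:
        live_active = [c for c in policy.active if c.up]
        if live_active:
            # Saturated but up: oversubscribe the least-loaded active path.
            chosen = max(live_active, key=lambda c: c.headroom())
        else:
            fallback = [c for c in policy.backup if c.up and c.headroom() >= flow_mbps]
            if not fallback:
                return None
            chosen = max(fallback, key=lambda c: c.headroom())
    chosen.used_mbps += flow_mbps
    return chosen.name


def run_scenario(mode: str, flows_mbps: List[float], circuit_a_up: bool = True) -> Dict[str, float]:
    """Build fresh circuits (constructed: A = 500 Mbps, B = 100 Mbps), apply the
    chosen policy shape to a list of new flows and return the resulting load."""
    a = Circuit("Circuit A", 500, up=circuit_a_up)
    b = Circuit("Circuit B", 100)
    if mode == "both_active":
        policy = PathPolicy(active=[a, b])
    elif mode == "a_active_b_backup":
        policy = PathPolicy(active=[a], backup=[b])
    else:
        raise ValueError(f"unknown mode: {mode}")

    unplaced = 0.0
    for flow in flows_mbps:
        if place_flow(policy, flow) is None:
            unplaced += flow
    return {a.name: a.used_mbps, b.name: b.used_mbps, "unplaced": unplaced}


if __name__ == "__main__":
    six_flows = [100.0] * 6
    print("both active      :", run_scenario("both_active", six_flows))
    print("A active/B backup:", run_scenario("a_active_b_backup", six_flows))
    print("A down, B backup :", run_scenario("a_active_b_backup", [100.0, 100.0], circuit_a_up=False))
```

Running it with six 100 Mbps flows shows Circuit A at 500 and Circuit B at 100 under the active pool, versus Circuit A at 600 (oversubscribed) and Circuit B at 0 under active/backup; only when Circuit A is marked down does the backup carry traffic.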
An organization has provided the following technical requirements and details:
- High availability (HA) at all data center and branch locations
- Two geographically separate main data center locations
- One small data center location that contains local users and applications requiring policies
- 50 branch locations
- ISP capacities for all branch locations but no accurate measurement of the actual bandwidth consumption
Based on Palo Alto Networks best practices and recommendations, which two licensing options will meet the customer objectives? (Choose two.)
- A . Six data center subscriptions
- B . Aggregate bandwidth subscription
- C . Four data center subscriptions
- D . Branch subscription per site
A, B
Explanation:
Prisma SD-WAN licensing is structured to provide flexibility while ensuring that all components of the secure fabric are correctly accounted for. To meet the requirements of this organization, we must calculate the necessary subscriptions for both the data center hubs and the distributed branch network.
First, we address the Data Center Subscriptions. The organization has two main geographically separate data centers and one small data center, all of which require High Availability (HA). In a Prisma SD-WAN deployment, HA at a site is achieved by deploying two ION devices in a cluster. Palo Alto Networks licensing requires a separate Data Center subscription for each ION device acting as a hub. Therefore, with three data center locations (2 main + 1 small) each requiring an HA pair (2 devices per site), a total of six data center subscriptions (Option A) are required to license all six hub appliances.
Second, we address the Branch Subscriptions. The organization has 50 branches but lacks accurate measurements of actual bandwidth consumption. Palo Alto Networks’ best practice for such scenarios is the Aggregate Bandwidth Subscription model (Option B). Instead of purchasing a fixed "Branch subscription per site" (Option D)―which requires knowing the exact throughput needs for every individual location―the aggregate model allows the customer to purchase a total pool of bandwidth (e.g., 5 Gbps) that is shared across all 50 branch sites.
This "pay-as-you-grow" approach is ideal when consumption patterns are unknown or inconsistent. As branches utilize the bandwidth, it is deducted from the central pool. This avoids the risk of over-provisioning licenses at low-usage sites or under-provisioning at high-usage sites. Together, the six DC subscriptions and the aggregate bandwidth pool provide a fully licensed, HA-capable SD-WAN environment that aligns with Palo Alto Networks’ scaling recommendations.
A network administrator notices that a branch ION device is experiencing high CPU utilization due to a suspected TCP SYN Flood attack originating from a compromised host on the local LAN.
Which specific security feature should be configured and applied to the "LAN" zone to mitigate this Denial of Service (DoS) attack?
- A . Zone-Based Firewall (ZBFW) Rule with a "Deny" action
- B . Zone Protection Profile
- C . Application Quality Profile (AQP)
- D . Access Control List (ACL) on the WAN interface
B
Explanation:
Comprehensive and Detailed Explanation
To defend against volumetric attacks such as TCP SYN Floods, UDP Floods, or ICMP Floods, Prisma SD-WAN (like PAN-OS) utilizes Zone Protection Profiles.
Function: A Zone Protection Profile is a specific security object designed to screen traffic for protocol anomalies and flood behaviors before it is processed by the complex firewall policy engine. It sets thresholds (e.g., "Max 1000 SYNs/sec"). If the traffic rate exceeds this threshold, the system triggers an action (Alarm, Drop, or SYN Cookies) to protect the device’s resources.
Application: Unlike a standard ZBFW Rule (A) which filters based on Source/Destination/App-ID (which might still allow the initial handshake packets that cause the flood), a Zone Protection Profile is applied to the Zone object itself (in this case, the LAN Zone). This ensures that the flood is mitigated at the ingress stage, preventing the ION’s session table and CPU from being exhausted by the attack.
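The following is an added example, not Prisma SD-WAN's zone protection implementation: a per-zone SYN rate check of the kind a zone protection profile applies at ingress. It buckets TCP SYN packets seen on a zone into one-second windows, ignores SYN-ACK replies, and reports for each window the total SYN count, the source contributing most of it, and the resulting action (allow, alarm or drop). The packet records are constructed; the drop threshold of 1000 SYNs/sec comes from the explanation above, while the alarm threshold of 800 is an assumption.

```python
"""Added example (not Prisma SD-WAN code): per-zone SYN rate check with
alarm/drop thresholds, run over constructed packet records."""

from collections import defaultdict
from typing import Dict, List, Tuple

# (timestamp_seconds, zone, source_ip, tcp_flags); "S" = SYN, "SA" = SYN-ACK
PacketRecord = Tuple[float, str, str, str]


def syn_rate_report(packets: List[PacketRecord], zone: str,
                    alarm_threshold: int = 800, drop_threshold: int = 1000) -> Dict[int, dict]:
    """Count pure SYNs per one-second window for one zone and classify each window.
    Thresholds: drop when the rate exceeds drop_threshold, alarm when it reaches
    alarm_threshold, otherwise allow. Also records the top source so an operator
    can see whether the rate is driven by a single host."""
    per_second: Dict[int, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ts, pkt_zone, src, flags in packets:
        if pkt_zone != zone or flags != "S":   # only ingress SYNs on this zone count
            continue
        per_second[int(ts)][src] += 1

    report: Dict[int, dict] = {}
    for second in sorted(per_second):
        per_src = per_second[second]
        total = sum(per_src.values())
        top_src, top_n = max(per_src.items(), key=lambda kv: kv[1])
        if total > drop_threshold:
            action = "drop"
        elif total >= alarm_threshold:
            action = "alarm"
        else:
            action = "allow"
        report[second] = {
            "syn_count": total,
            "top_source": top_src,
            "top_source_count": top_n,
            "action": action,
        }
    return report


def build_sample_packets() -> List[PacketRecord]:
    """Constructed traffic: 20 SYNs/sec of normal LAN activity over three seconds,
    plus 1500 SYNs from a single host packed into second 1, plus one SYN-ACK that
    must not be counted."""
    pkts: List[PacketRecord] = []
    for sec in range(3):
        for i in range(20):
            pkts.append((sec + i / 20.0, "LAN", f"10.0.0.{1 + i % 3}", "S"))
    for i in range(1500):
        pkts.append((1.0 + i / 1500.0, "LAN", "10.0.0.99", "S"))
    pkts.append((1.5, "LAN", "10.0.0.5", "SA"))
    return pkts


if __name__ == "__main__":
    for second, row in syn_rate_report(build_sample_packets(), "LAN").items():
        print(f"t={second}s syn={row['syn_count']:5d} top={row['top_source']} "
              f"({row['top_source_count']}) -> {row['action']}")
```

Second 1 reports 1520 SYNs with 10.0.0.99 as the top source and a drop action, while seconds 0 and 2 stay at 20 SYNs and are allowed; the check keys on the zone, so the same packets produce no report for a "WAN" zone. Because the counter runs before any session is created, the offending window is dealt with before it can fill the session table.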
