Free Access Paloalto Networks SD-WAN-Engineer New Release

In a Prisma SD-WAN deployment, the routing of traffic between branches and Data Centers (DCs) relies on the proper synchronization between the AppFabric (the overlay) and the local routing protocols (the underlay/LAN side). In this scenario, the branch can successfully reach DC1, indicating the branch ION is correctly participating in the fabric. However, traffic to DC2 (10.2.2.22) is failing.

The DC2 site has the site prefix 10.2.2.0/23 configured. In Prisma SD-WAN, defining a site prefix informs the Controller that this specific subnet "belongs" to that site, causing the Controller to advertise reachability for this prefix to all other ION devices in the fabric. Consequently, when the branch ION (192.168.1.123) attempts to reach 10.2.2.22, it correctly identifies DC2 as the destination and encapsulates the traffic toward the DC2 ION.

The bottleneck occurs once the packet arrives at the DC2 ION. While the ION is advertising the branch subnet (192.168.1.0/24) to the DC Core (ensuring the return path), the ION itself must know how to forward the incoming traffic from the branch to the internal DC network. If the DC2 ION does not have a specific route in its local routing table for the 10.2.2.0/23 subnet pointing to the DC Core's internal interface, the packet will be dropped.

According to Palo Alto Networks best practices for Data Center ION deployment, a static default route (0.0.0.0/0) should be configured on the ION device pointing toward the DC Core’s next-hop IP address. This ensures that any traffic received from the AppFabric destined for internal DC resources—which are not directly connected to the ION—is successfully handed off to the core switching fabric for final delivery. Adding this default route (Option A) resolves the reachability issue by providing the "last-hop" routing instruction within the DC.

Comprehensive and Detailed Explanation

In a Prisma SD-WAN High Availability (HA) deployment, the HA Control Interface is the critical lifeline used to synchronize state, heartbeats, and flow information between the Active and Standby ION devices.

The strict requirement for this connection is that it must be Layer 2 adjacent.

Best Practice: A direct physical cable connection between the designated HA ports of the two devices (e.g., Port 2 on Device A to Port 2 on Device B).

Alternative: Connectivity through a switch on a dedicated, isolated VLAN is supported, provided the devices are in the same broadcast domain and subnet.

Routing (Layer 3) is not supported for the HA Control link because the keepalive mechanism relies on low-latency, multicast/broadcast-level adjacency to detect failures instantly (sub-second failover). If the HA link were routed (Option A), network latency or router convergence issues could cause "Split-Brain" scenarios where both devices assume the Active role, leading to IP conflicts and traffic loops. Option C is incorrect because the Controller is too slow to manage real-time failover; the decision must be local.

Prisma SD-WAN simplifies the integration with Prisma Access through a feature known as "CloudBlades," specifically the Prisma Access for Networks CloudBlade. The "easy onboarding" workflow is designed to automate the complex task of establishing secure tunnels between Branch ION devices and the SASE security processing nodes (SPNs).

When an administrator initiates this process, the system abstracts the manual configuration of IKE and IPSec parameters. Instead of manually defining an IPSec Crypto Profile or an IKE Profile (which are automatically handled by the CloudBlade orchestration), the user must specify where the traffic is going and which physical resources will handle the connection. The Prisma Access Primary Location (Option B) is a mandatory selection because it determines the geographical region and specific compute instance within the Prisma Access cloud that will serve as the primary security gateway for that branch.

Furthermore, the IPSec Termination Node (Option D) must be selected to define the specific endpoint within the Prisma Access infrastructure where the ION device's tunnels will terminate. This selection ensures that the Controller can properly orchestrate the site-to-site VPN tunnels, ensuring that the branch traffic is correctly routed to the SASE fabric for security inspection. By selecting these two options, the CloudBlade can automatically negotiate the rest of the tunnel parameters, significantly reducing the potential for human error and accelerating the deployment of a Secure Access Service Edge (SASE) architecture across multiple branch locations.

Comprehensive and Detailed Explanation

This behavior describes the "Best Available Path" logic inherent in Prisma SD-WAN's availability design.

SLA Thresholds: Path Quality Profiles act as filters to identify compliant paths.

Total Violation: If all configured "Active" paths violate the SLA (e.g., Path A has 2% loss, Path B has 5% loss, and the threshold is 1%), the system does not drop the traffic (Option A) because maintaining connectivity is prioritized over perfect quality.

Selection Logic: The system enters a fallback state where it compares the available active paths and selects the "Least Bad" one—the path that is closest to meeting the SLA (in this case, Path A with 2% loss).

Backup Paths: Traffic would only move to a Backup path (Option D) if the policy explicitly configures the backup path to engage upon SLA violation of the active set. However, strictly speaking, if only active paths are considered and all fail, it picks the best of the active group rather than blackholing the traffic.