Passed Exam Today SD-WAN-Engineer

In modern enterprise environments, maintaining a consistent security posture across disparate network domains is a major challenge. Prisma SD-WAN addresses this by supporting Secure Group Tag (SGT) propagation. SGTs are a key component of Cisco’s TrustSec architecture, used to classify traffic based on the identity of the source (users, devices, or groups) rather than just IP addresses. By supporting SGT propagation, Prisma SD-WAN allows organizations to integrate with external identity-based security solutions seamlessly.

When traffic enters an ION device from a LAN segment where SGTs are already applied (typically by an access layer switch or an Identity Services Engine), the ION device can be configured to preserve or "propagate" these tags as the traffic traverses the SD-WAN fabric.6 This ensures that the identity context remains intact even after the traffic has crossed the WAN.7 When the traffic reaches its destination—whether that is a data center, another branch, or a security gateway—the receiving device can use the SGT to enforce granular security policies.

This integration is vital for organizations moving toward a Zero Trust architecture. Instead of rewriting complex firewall rules at every hop, the SGT acts as a portable identity badge. Prisma SD-WAN's ability to handle these tags allows it to participate in a larger security ecosystem, ensuring that a "Finance" user is treated with the same security restrictions at a remote branch as they would be at the corporate headquarters. This eliminates the need for manual IP-to-Group mapping across the WAN, reducing administrative overhead and minimizing the risk of security gaps during lateral movement of traffic.

Comprehensive and Detailed Explanation

To defend against volumetric attacks such as TCP SYN Floods, UDP Floods, or ICMP Floods, Prisma SD-WAN (like PAN-OS) utilizes Zone Protection Profiles.

Function: A Zone Protection Profile is a specific security object designed to screen traffic for protocol anomalies and flood behaviors before it is processed by the complex firewall policy engine. It sets thresholds (e.g., "Max 1000 SYNs/sec"). If the traffic rate exceeds this threshold, the system triggers an action (Alarm, Drop, or SYN Cookies) to protect the device's resources.

Application: Unlike a standard ZBFW Rule (A) which filters based on Source/Destination/App-ID (which might still allow the initial handshake packets that cause the flood), a Zone Protection Profile is applied to the Zone object itself (in this case, the LAN Zone). This ensures that the flood is mitigated at the ingress stage, preventing the ION's session table and CPU from being exhausted by the attack.

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizes Link Quality Monitoring (LQM) to maintain a real-time health score for every WAN path.

To ensure the system knows the quality of a path before sending critical user traffic onto it, the ION device uses Active Probing.

Mechanism: The ION sends synthetic probe packets (typically UDP) across the Secure Fabric (VPN tunnels) and Direct Internet paths to its peers. These probes measure Latency, Jitter, and Packet Loss.

Active vs. Passive: While the system does use Passive Monitoring (observing actual user flows) when traffic is present to reduce overhead, Active Probes are essential for idle links or backup paths. Without active probing, the ION would have no data to make an intelligent steering decision for the first packet of a new video call. This ensures that "Real-Time" policies always have up-to-date metrics to select the best path immediately.

Comprehensive and Detailed Explanation

Prisma SD-WAN utilizes a hierarchical QoS model (typically based on Hierarchical Token Bucket or similar shaping algorithms) to manage bandwidth contention.

Guaranteed Bandwidth: The "Platinum" class (used for Real-Time voice/video) is assigned a guaranteed bandwidth percentage (floor) in the QoS profile. This ensures that even if "Gold" (Transactional) or "Silver" (Bulk) traffic is trying to consume 100% of the link, the scheduler reserves the specific portion (e.g., 30%) for Platinum traffic, preventing starvation.

Shaping, not Policing: Unlike simple policing which drops excess traffic hard, the ION device shapes the egress traffic. If the link is congested, the scheduler delays the lower-priority packets (buffering) to allow the high-priority Platinum packets to exit immediately.

Why not Strict Priority (A)? While Platinum behaves like a priority queue, pure Strict Priority can completely starve lower queues if the high-priority traffic is misbehaving or voluminous. Prisma SD-WAN typically uses bandwidth guarantees (floors) and limits (ceilings) to ensure fair sharing while protecting critical apps.