50 SD-WAN Engineer Practice Questions: Question Bank 2025

An enterprise is planning an SD-WAN rollout across 60 branches. The security team requires that all internet-bound traffic be inspected by Palo Alto Networks security services, but the network team wants local breakout for Microsoft 365 to reduce latency. Which design best meets both requirements?

A branch has two WAN links: broadband and LTE. The requirement is: "Always prefer broadband, but automatically fail over to LTE if broadband becomes unavailable." Which SD-WAN construct most directly enforces this behavior?

During operations, you want to verify whether an SD-WAN policy is actually steering a given application (e.g., Zoom) over the intended path. What is the most effective way to validate this on a Palo Alto Networks SD-WAN-capable firewall?

A company is defining success criteria for SD-WAN application steering. Which set of metrics is most appropriate to evaluate WAN path quality for real-time applications?

You are deploying SD-WAN at a branch with two ISPs. The business wants voice traffic to prefer the lower-latency link, but if both links meet the SLA, it should load-share non-critical traffic. Which approach is most appropriate?

After enabling SD-WAN, several SaaS applications are being misclassified as "web-browsing" and are not matching the intended SD-WAN policy. What is the best first troubleshooting step?

An SD-WAN branch uses a cloud security service for internet egress. Users report intermittent access failures to a subset of websites only when SD-WAN steers traffic to the broadband link. LTE works. Logs show sessions are allowed, but connections reset. Which is the most likely cause?

You want a centralized operational view to quickly identify which branches are violating their voice SLA and which WAN link is responsible. Which practice best supports this goal?

A branch has two WAN links and uses SD-WAN for application steering. During failover tests, existing voice calls drop even though the secondary link is healthy. The requirement is to minimize disruption for in-progress sessions during link failure events. What is the most relevant design consideration?

An organization is integrating SD-WAN branches with a SASE service. They want consistent security enforcement for internet traffic regardless of which WAN link is used, while still allowing SD-WAN to choose the best path. Which approach best achieves this outcome?

An enterprise is planning an SD-WAN rollout to 60 small branches. Each branch has two internet circuits and should be able to keep local internet access, while still reaching data center applications over the best available link. Which design best aligns with Palo Alto Networks SD-WAN architecture?

You are deploying SD-WAN at a new branch. What is the primary purpose of defining an SD-WAN interface profile (or equivalent construct) for a WAN link?

An operator wants to confirm whether an SD-WAN policy is steering Microsoft Teams traffic away from a high-loss MPLS link and onto broadband. Which operational view is most directly useful?

A company has a hub-and-spoke WAN with two hubs. They want branches to prefer Hub A for most traffic but fail over to Hub B automatically during brownouts (intermittent loss/jitter) without waiting for the primary hub to go completely down. What SD-WAN approach best meets this requirement?

During deployment, a branch has dual WAN links. SD-WAN tunnels come up on WAN1 but not on WAN2. Routing to the internet works on both. What is the most likely configuration issue to check first?

A security team requires that guest Wi-Fi traffic at branches must always use local internet breakout, while corporate traffic to data center applications should use SD-WAN tunnels. Which design is the best practice to meet this requirement?

After an SD-WAN policy change, users report that a critical SaaS application is sometimes taking the backup link even though the primary link looks healthy. Which operational practice most directly helps validate and tune SD-WAN decision-making?

A branch integrates SD-WAN with a SASE service for secure internet access. The requirement is: corporate internet-bound traffic should go to SASE, but internal data center traffic should remain on private SD-WAN tunnels. What is the most appropriate routing/policy approach?

A global company wants centralized management for SD-WAN policy, including consistent application-based path selection and rapid rollout to many branches. They also want limited local changes at branches to reduce configuration drift. Which operating model best supports this?

In an SD-WAN + SASE deployment, users can reach internal data center apps but cannot reach the internet. SD-WAN tunnels are up, and local internet access is intentionally disabled so all internet traffic must go to SASE. What is the most likely cause?

An organization is planning an SD-WAN rollout to 40 branches. A key requirement is to keep critical applications reachable even if the SD-WAN overlay controller becomes temporarily unavailable. Which design approach best meets this requirement?

A branch has two internet circuits: a low-cost broadband link and a higher-quality DIA link. The business wants voice to prefer DIA but still work on broadband during DIA outages. Which SD-WAN policy construct is most appropriate?

During operations, an engineer needs to quickly identify whether a reported performance issue is affecting only a single application or all traffic across the SD-WAN overlay. Which data view is most directly useful?

A company is deploying an active/active dual-hub SD-WAN design. They want branches to use the closest hub under normal conditions but automatically switch to the other hub if the primary hub becomes unreachable. Which approach best supports this goal?

After adding a new WAN link at a branch, the engineer notices traffic is never steered to the new circuit, even though the interface is up. Which configuration item is MOST likely missing for SD-WAN to use the link for steering decisions?

An engineer is integrating SD-WAN branches with a cloud security service for internet-bound traffic. The requirement is to keep SD-WAN application steering at the branch but enforce consistent security inspection in the cloud. Which design best satisfies both?

A helpdesk ticket reports that video conferencing quality degrades only during business hours. Path health metrics show intermittent packet loss on one ISP circuit. Which operational action is the most appropriate first step to reduce user impact without immediately changing the circuit provider?

A branch uses two WAN circuits. After deploying an SD-WAN policy for SaaS traffic, users report that the SaaS application intermittently logs them out when traffic switches paths. What is the MOST likely underlying cause, and what is the best mitigation?

An enterprise wants to minimize blast radius when changing SD-WAN policies and provide a clear rollback path. Which operational best practice best meets this objective?

A branch is connected to two ISPs. The SD-WAN overlay tunnels come up on both links, but only one link is ever considered 'healthy' even though standard pings to the internet succeed on the other link. Which issue is MOST likely preventing the second link from meeting SD-WAN SLA health checks?

An enterprise is planning an SD-WAN rollout and wants to ensure that critical SaaS applications remain usable during brownouts on a single ISP, without immediately failing all traffic to another link. Which design goal best matches this requirement?

A branch has two internet circuits. The SD-WAN Engineer wants business-critical voice traffic to use the circuit with the lowest jitter, while bulk backup traffic should use the cheaper circuit regardless of performance. Which configuration approach best meets this requirement?

An administrator wants to confirm which WAN path SD-WAN selected for a specific application session between a branch user and Microsoft 365. Which operational view is most appropriate to validate the chosen path for that session?

A company integrates SD-WAN with a cloud-delivered security service to provide consistent security for internet-bound branch traffic. What is the primary benefit of this SASE-aligned design?

A branch uses two ISPs. During peak hours, user experience degrades even though both links are up. Monitoring shows packet loss spikes on one link. SD-WAN policies are configured to avoid loss above a threshold, but traffic continues to use the lossy link. What is the most likely cause?

An SD-WAN Engineer is defining path selection intent. The business wants to prioritize video conferencing quality, and the WAN team can only guarantee bandwidth but not latency. Which metric should be emphasized in the SD-WAN policy to best protect video quality under these constraints?

A deployment uses a hub-and-spoke topology with two hubs. The requirement is that each branch should automatically fail over to the other hub if the preferred hub becomes unreachable, without requiring static route changes at each branch. Which approach best satisfies this requirement?

An operations team wants to standardize SD-WAN policies across 50 branches while allowing a small number of site-specific exceptions (for example, one branch has only LTE). What is the best practice to achieve this at scale?

After integrating branch internet egress with a cloud security service, users report that some SaaS applications randomly prompt for re-authentication when traffic switches links. The SD-WAN policy is allowed to change paths based on performance. Which change most directly addresses this symptom while maintaining SD-WAN benefits?

A branch has two WAN links: one is high-bandwidth with moderate latency; the other is low-bandwidth with very low latency. The business requires that transactional apps always prefer the low-latency link, but must fail over if available bandwidth drops below a minimum threshold. How should the SD-WAN policy be designed to meet BOTH requirements reliably?

A branch has two WAN links: broadband and MPLS. The design goal is to keep voice stable by preferring the lower-latency path, but automatically move voice to the other link if latency or jitter exceeds a threshold. Which SD-WAN mechanism best meets this requirement?

You are planning a new SD-WAN rollout and want to minimize risk during initial cutover at remote branches. Which approach is a recommended best practice for the first site migrations?

An operations engineer wants a quick way to confirm which WAN path SD-WAN selected for a specific application session from a branch. Where is the most direct place to verify this on the firewall?

A branch has two internet circuits. The business requirement is to prefer Circuit 1 for Microsoft 365 and prefer Circuit 2 for bulk backups, while still failing over if the preferred circuit becomes unhealthy. Which SD-WAN policy construct most directly enables this?

After enabling SD-WAN, users report intermittent slowness for a SaaS application. Link utilization is low, but there are spikes in loss on one circuit. What is the most appropriate first troubleshooting step to validate whether SD-WAN is reacting to the loss as expected?

You need to integrate SD-WAN branches with a cloud security service so that internet-bound traffic is inspected in the cloud, but private WAN traffic remains local. Which design best matches this requirement?

A company uses template-based configuration management for hundreds of SD-WAN branches. They want to ensure that local circuit details (ISP IPs, next-hops) can vary per site while SD-WAN policy remains consistent. Which approach best supports this operational model?

A branch uses SD-WAN and dual uplinks. Users report that a business-critical application sometimes takes the higher-latency path even when the preferred link looks healthy. The SD-WAN rule is configured with an application match, but the application is frequently seen as "unknown-tcp" initially. What is the most likely reason and best mitigation?

Two WAN links are both up. SD-WAN is configured to use the better-quality link for a set of applications. However, the firewall rarely changes paths even when one link is clearly worse for several minutes. Which configuration issue most plausibly explains the behavior?

You are designing SD-WAN for a set of remote sites that must maintain connectivity even if the central hub is unreachable. The sites need to continue using local internet breakout for SaaS and reach each other directly when required. Which architecture best supports this resiliency goal?