User-ID integration is configured for a Prisma SD-WAN deployment.

Paloalto Networks SD-WAN-Engineer Question Answer

User-ID integration is configured for a Prisma SD-WAN deployment. Branch-1 has the user-to-IP mappings available, and User-1 is mapped to IP-1.

To which two use cases can User-ID based zone-based firewall policies be applied? (Choose two.)

User-1 accessing a SaaS application on direct internet and source User-ID based zone-based firewall rules on Branch-1 ION

User-1 accessing a private application within Branch-1, and source User-ID based zone-based firewall rules on Branch-1 ION

User-1 accessing a private application in data center via SD-WAN overlay, and destination User-ID based zone-based firewall rules on DC ION

User-1 accessing a private application in Branch-2 via SD-WAN overlay, and destination User-ID based zone-based firewall rules on Branch-2 ION

Explanation:

Comprehensive and Detailed Explanation

In Prisma SD-WAN (CloudGenix), Zone-Based Firewall (ZBFW) policies rely on the device's ability to map an IP address to a User-ID to enforce identity-based rules. The key to this question is understanding where the mapping exists and which direction the policy attributes (Source User vs. Destination User) apply to.

1. Mapping Location (Branch-1): The prompt states that Branch-1 has the user-to-IP mapping for User-1. For the most effective and scalable security enforcement, policies should be applied at the source (ingress) device where the traffic originates and where the user identity is known. This prevents unauthorized traffic from consuming WAN bandwidth only to be dropped at the destination. Therefore, the Branch-1 ION is the correct enforcement point for User-1's traffic.

2. Source vs. Destination User:

User-1 is the Source: In all scenarios, User-1 is the initiator of the traffic. Therefore, the security rule must match on Source User-ID.

Options C and D are incorrect because they suggest using Destination User-ID based rules to control User-1. Destination User-ID rules are used when the target of the traffic is a known user (e.g., VoIP calls to a specific user's phone), not when filtering based on the sender. Furthermore, relying on the DC or Branch-2 ION to enforce policies for User-1 would require the propagation of User-ID mappings across the overlay, whereas local enforcement at Branch-1 is the standard architectural model.

3. Valid Use Cases (A and B):

Option A (SaaS/Internet): The Branch-1 ION acts as the internet gateway. It can use the local mapping (IP-1 = User-1) to allow or deny access to specific SaaS applications (Direct Internet Access) based on the user's identity (e.g., "Allow Marketing Group to access Social Media").

Option B (Internal Segmentation): The Branch-1 ION can enforce policies for traffic moving between local zones (e.g., from a "Users" VLAN to a "Servers" VLAN within the branch). Since the ION routes this traffic and holds the mapping, it can enforce Source User-ID policies to secure local private applications.

Paloalto Networks SD-WAN-Engineer View All Questions

Paloalto Networks SD-WAN-Engineer Summary

Vendor: Paloalto Networks
Product: SD-WAN-Engineer
Update on: Jan 1, 2026
Questions: 57

Price: $52.5 ~~$149.99~~

Buy Now SD-WAN-Engineer PDF + Testing Engine Pack

In a data center (DC) with two ION devices, all of the remote branch Prisma...

An administrator has configured a Path Policy for "ERP_Traffic".

New Year Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmasmnth

User-ID integration is configured for a Prisma SD-WAN deployment.

The Answer Is:

Explanation:

Paloalto Networks SD-WAN-Engineer Summary

Payments We Accept

Contact Us