Practice PCNSE Managing Troubleshooting and High Availability questions with full explanations on every answer.
Start practicing
Managing Troubleshooting and High Availability — choose a session length
Free · No account required
Click any question to see the full explanation and answer options, or start a focused practice session above.
A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. During a failover test, the passive firewall becomes active, but traffic stops passing through the new active firewall. The management interface on the new active firewall is reachable. What is the most likely cause?
2A network engineer is troubleshooting an HA pair where both firewalls show as 'active' in the HA state. What is this condition called?
3An engineer notices that after an HA failover, the new active firewall is not passing traffic. The show running ip route command shows the default route is missing. What is the most likely cause?
4During an HA failover, the new active firewall's session table is empty, causing all existing connections to be dropped. Which configuration change would prevent this?
5Which TWO conditions can cause an HA pair to enter an 'active/active' state? (Choose two.)
6Based on the exhibit, what caused the last failover?
7A large enterprise uses an active/passive HA pair of PA-5250 firewalls to secure their data center. The network team recently migrated from a flat network to a VXLAN-based overlay. After the migration, they notice that during failover tests, the new active firewall does not forward traffic for VXLAN-terminated VLANs, even though the physical interfaces are up and the HA state transitions correctly. The configuration uses subinterfaces on Ethernet1/1 for each VLAN, with VXLAN tunnel termination on the firewall. The passive firewall receives the configuration sync, but show vxlan tunnel shows no VXLAN tunnels on the new active firewall after failover. The sessions are synced via HA2. The ARP table is correct. Which course of action should the engineer take to resolve the issue?
8A company has two Palo Alto Networks firewalls configured in active/passive HA. During a failover test, the passive firewall becomes active but traffic is not passing. The active firewall shows the correct configuration and licenses. Which action is most likely to resolve the issue?
9Refer to the exhibit. An active/active HA pair shows the local firewall as active-secondary. The last failover reason is 'path-group-down'. What should the administrator investigate first?
10A network engineer needs to troubleshoot why a specific user cannot access a web application through a Palo Alto Networks firewall. The engineer has verified that the user's traffic reaches the firewall and that no security policy explicitly blocks the traffic. Which CLI command should be used to check if the traffic is being matched by a hidden or implicit rule?
11Arrange the steps to enable and configure GlobalProtect on a Palo Alto Networks firewall.
12Match each CLI command to its function.
13An HA pair is configured with Active/Passive mode. The passive firewall fails to become active after the active firewall's management interface goes down. What is the most likely cause?
14After upgrading the software on an HA pair, the two firewalls report different HA states. Which command should be used to quickly verify the HA configuration synchronization status?
15When configuring High Availability on a Palo Alto Networks firewall, which of the following is a best practice for the HA1 control link?
16An HA pair experiences split-brain after a brief network outage. Both firewalls become active and each starts forwarding traffic. What is the most effective way to prevent this in the future?
17After a failover event, some user sessions are reset. The HA pair is configured for Active/Active with session distribution using a hash algorithm. What is the most likely reason for session resets?
18An engineer notices that the HA pair is not synchronizing configuration changes. The 'show high-availability sync-status' output shows 'sync-failure'. What is the first step to troubleshoot?
19In an Active/Passive HA pair, the passive firewall reports 'non-functional' state. The 'show high-availability state' output on the passive shows 'state: non-functional' and 'reason: configuration mismatch'. The active firewall shows 'state: active' and 'reason: no reason'. Which action should be taken to resolve the issue without disrupting traffic?
20An HA pair is deployed with Active/Active mode. During a traffic spike, session table utilization reaches 90% on both firewalls. The engineer notices asymmetric routing and drops. What should be configured to optimize session distribution?
21After a power failure, both firewalls in an HA pair come up and report 'active' state. The network team confirms that the two firewalls are connected via HA1 and HA2. What is the most likely cause of the split-brain condition?
22Which TWO conditions can cause an HA pair to show a state of 'suspended'?
23Which THREE steps should be taken to verify that an HA pair is ready for a scheduled failover?
24Which TWO troubleshooting steps are most effective when an HA pair is not synchronizing sessions between peers? (Assume HA1 and HA2 are up.)
25Refer to the exhibit. What is the primary cause of the 'non-functional' state?
26Refer to the exhibit. An engineer configures HA with link monitoring and path monitoring. However, failover does not occur when ethernet1/2 goes down. What is the likely reason?
27Refer to the exhibit. Based on the log, what triggered the failover?
28An administrator notices that the HA pair shows a state mismatch: one firewall reports active, the other reports passive, but traffic is not flowing through the active firewall. What is the most likely cause?
29During a failover test, an engineer observes that after the active firewall fails, the passive firewall takes over, but existing UDP sessions are not maintained. What is the most likely reason?
30An HA pair is configured with active/active mode and session sync enabled. After a failover, a network administrator notices that some new TCP connections fail. The firewall logs show no drops. What is the most likely issue?
31What is the recommended best practice for the HA2 keepalive timer in an active/passive HA configuration?
32An administrator runs 'show high-availability state' and sees that the local firewall is in 'passive' state, but the remote firewall shows 'active'. However, the HA1 link is up and the configuration is synchronized. What could cause the passive firewall to not take over after the active fails?
33In an HA active/passive setup, the engineer wants to ensure that during a failover, existing FTP data sessions are not interrupted. What additional configuration is required beyond default session synchronization?
34An administrator needs to verify the health of HA links. Which CLI command displays the current status of HA1, HA2, and HA3 links?
35A firewall in an HA pair is being upgraded. The administrator wants to minimize traffic loss. What is the recommended procedure for upgrading the passive firewall in an active/passive pair?
36During a network incident, an engineer notices that after an HA failover, some sessions are not active on the new active firewall. The 'show session all' command shows the sessions with state 'half-closed'. What is the most likely cause?
37Which TWO of the following are prerequisites for configuring high availability on Palo Alto Networks firewalls? (Choose two.)
38An engineer is troubleshooting an HA pair where session synchronization is not working. Which THREE steps should be taken to diagnose the issue? (Choose three.)
39Which TWO statements about active/active HA mode are true compared to active/passive mode? (Choose two.)
40Based on the exhibit, what is the impact of the current HA state on the network?
41Based on the exhibit, what is the most likely cause of the warnings?
42A medium-sized enterprise has two Palo Alto Networks PA-5250 firewalls configured in an active/passive HA pair with session synchronization and configuration synchronization enabled. The HA1 link is a direct copper cable, and the HA2 link is also a direct copper cable. The firewalls are connected to two upstream routers (R1 and R2) and two downstream switches (S1 and S2). The network uses OSPF for dynamic routing. The active firewall (FW-A) is connected to R1 and S1, while the passive firewall (FW-P) is connected to R2 and S2. The OSPF cost is set symmetrically on both sides. During a maintenance window, the network team shuts down the HA1 and HA2 links on both firewalls to test failover behavior. After the links are brought back up, the firewalls are in a state of 'non-functional' and 'suspended'. The team suspects the HA configuration is broken. What is the most likely cause and the best course of action to restore HA?
43An organization has configured an active/passive high availability pair of Palo Alto Networks firewalls. During a maintenance window, the active firewall was rebooted. After the reboot, the passive firewall became active, but the session table on the original active firewall is incomplete. The administrator notices that session synchronization is not working properly. Which two configuration checks should the technician perform to resolve this issue?
44A company has deployed two PA-3220 firewalls in an active/passive high availability configuration. During normal operation, the active firewall (FW-A) handles all traffic. The network team notices that after a brief power outage, both firewalls report as active in the HA pair, causing network instability. The administrator needs to resolve this issue and prevent it from recurring. Which course of action should the administrator take?
45A large enterprise uses a pair of PA-5250 firewalls in an active/passive high availability configuration to protect their data center. The firewalls are connected to two upstream switches via aggregate Ethernet (AE) interfaces. The network team recently replaced the upstream switches, and since then, the passive firewall has gone into a 'non-functional' state. The active firewall shows no issues. The HA1 link is a direct cable connection between the firewalls, and HA2 is an out-of-band dedicated link. The administrative status of both firewalls is 'active-active' in the HA monitoring, but only one firewall is actually forwarding traffic. The team needs to restore proper HA operation. Which action should the team take first?
46A network engineer is configuring an active/passive HA pair of Palo Alto Networks firewalls. The engineer wants to ensure that a specific interface failure triggers a failover, but only if the interface loses connectivity to its directly connected next-hop router. Which two configuration settings must be enabled to achieve this behavior?
47The firewall is in passive state. The network team reports that during a recent maintenance window, the active firewall lost its upstream link but the passive firewall did not take over. Based on the exhibit, what is the most likely reason?
48A company operates a pair of PA-3220 firewalls in an active/passive HA configuration. The passive firewall is experiencing intermittent HA keepalive failures, causing unnecessary failovers every few minutes. The network engineer checks the HA1 interface statistics and notices packet loss on the dedicated HA1 link. The engineer suspects a physical layer issue. However, the engineer also wants to reduce the sensitivity of the HA keepalive mechanism to tolerate occasional packet loss without triggering a failover. The firewalls are currently using default HA keepalive settings. What should the engineer do to reduce the frequency of false failovers without compromising the ability to detect a true failure?
The Managing Troubleshooting and High Availability domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.
The Courseiva PCNSE question bank contains 48 questions in the Managing Troubleshooting and High Availability domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Managing Troubleshooting and High Availability domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
Save your results, see per-domain analytics, and get readiness scores — free, for every certification.
Sign Up FreeFree forever · Every certification included