Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Managing Troubleshooting and High Availability practice sets

PCNSE Managing Troubleshooting and High Availability • Complete Question Bank

PCNSE Managing Troubleshooting and High Availability — All Questions With Answers

Complete PCNSE Managing Troubleshooting and High Availability question bank — all 0 questions with answers and detailed explanations.

48
Questions
Free
No signup
Certifications/PCNSE/Practice Test/Managing Troubleshooting and High Availability/All Questions
Question 1hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. During a failover test, the passive firewall becomes active, but traffic stops passing through the new active firewall. The management interface on the new active firewall is reachable. What is the most likely cause?

Question 2easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

A network engineer is troubleshooting an HA pair where both firewalls show as 'active' in the HA state. What is this condition called?

Question 3mediummultiple choice
Review the full routing breakdown →

An engineer notices that after an HA failover, the new active firewall is not passing traffic. The show running ip route command shows the default route is missing. What is the most likely cause?

Question 4mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

During an HA failover, the new active firewall's session table is empty, causing all existing connections to be dropped. Which configuration change would prevent this?

Question 5hardmulti select
Read the full Managing Troubleshooting and High Availability explanation →

Which TWO conditions can cause an HA pair to enter an 'active/active' state? (Choose two.)

Question 6mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

Based on the exhibit, what caused the last failover?

Exhibit

Refer to the exhibit.

admin@PA-5050> show high-availability state

HA state: active
peer HA state: passive
link status: up
HA1 link status: up
HA2 link status: up
last failure reason: peer HA1 keepalive lost
Question 7hardmultiple choice
Open the full VLAN trunking answer →

A large enterprise uses an active/passive HA pair of PA-5250 firewalls to secure their data center. The network team recently migrated from a flat network to a VXLAN-based overlay. After the migration, they notice that during failover tests, the new active firewall does not forward traffic for VXLAN-terminated VLANs, even though the physical interfaces are up and the HA state transitions correctly. The configuration uses subinterfaces on Ethernet1/1 for each VLAN, with VXLAN tunnel termination on the firewall. The passive firewall receives the configuration sync, but show vxlan tunnel shows no VXLAN tunnels on the new active firewall after failover. The sessions are synced via HA2. The ARP table is correct. Which course of action should the engineer take to resolve the issue?

Question 8mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

A company has two Palo Alto Networks firewalls configured in active/passive HA. During a failover test, the passive firewall becomes active but traffic is not passing. The active firewall shows the correct configuration and licenses. Which action is most likely to resolve the issue?

Question 9hardmultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. An active/active HA pair shows the local firewall as active-secondary. The last failover reason is 'path-group-down'. What should the administrator investigate first?

Exhibit

Refer to the exhibit.

admin@PA-5050> show high-availability state

Group 1 (active/active):
    Local HA state: active-secondary
    Peer HA state: active-primary
    Link monitoring: enabled
    Path monitoring: enabled
    Heartbeat: OK
    Last failover reason: path-group-down

admin@PA-5050> show high-availability link-monitoring

Link Group: uplink
    ethernet1/1: up
    ethernet1/2: down
    ethernet1/3: up
    ethernet1/4: up

admin@PA-5050> show high-availability path-monitoring

Path Group: internet
    10.0.0.1: up
    10.0.0.2: up
Question 10easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

A network engineer needs to troubleshoot why a specific user cannot access a web application through a Palo Alto Networks firewall. The engineer has verified that the user's traffic reaches the firewall and that no security policy explicitly blocks the traffic. Which CLI command should be used to check if the traffic is being matched by a hidden or implicit rule?

Question 11mediumdrag order
Read the full Managing Troubleshooting and High Availability explanation →

Arrange the steps to enable and configure GlobalProtect on a Palo Alto Networks firewall.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5
Question 12mediummatching
Read the full Managing Troubleshooting and High Availability explanation →

Match each CLI command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Displays firewall model, version, and uptime

Lists currently active security rules

Reboots the firewall

Captures packets for troubleshooting

Enters configuration mode to make changes

Question 13easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

An HA pair is configured with Active/Passive mode. The passive firewall fails to become active after the active firewall's management interface goes down. What is the most likely cause?

Question 14easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

After upgrading the software on an HA pair, the two firewalls report different HA states. Which command should be used to quickly verify the HA configuration synchronization status?

Question 15easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

When configuring High Availability on a Palo Alto Networks firewall, which of the following is a best practice for the HA1 control link?

Question 16mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

An HA pair experiences split-brain after a brief network outage. Both firewalls become active and each starts forwarding traffic. What is the most effective way to prevent this in the future?

Question 17mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

After a failover event, some user sessions are reset. The HA pair is configured for Active/Active with session distribution using a hash algorithm. What is the most likely reason for session resets?

Question 18mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

An engineer notices that the HA pair is not synchronizing configuration changes. The 'show high-availability sync-status' output shows 'sync-failure'. What is the first step to troubleshoot?

Question 19hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

In an Active/Passive HA pair, the passive firewall reports 'non-functional' state. The 'show high-availability state' output on the passive shows 'state: non-functional' and 'reason: configuration mismatch'. The active firewall shows 'state: active' and 'reason: no reason'. Which action should be taken to resolve the issue without disrupting traffic?

Question 20hardmultiple choice
Review the full routing breakdown →

An HA pair is deployed with Active/Active mode. During a traffic spike, session table utilization reaches 90% on both firewalls. The engineer notices asymmetric routing and drops. What should be configured to optimize session distribution?

Question 21hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

After a power failure, both firewalls in an HA pair come up and report 'active' state. The network team confirms that the two firewalls are connected via HA1 and HA2. What is the most likely cause of the split-brain condition?

Question 22easymulti select
Read the full Managing Troubleshooting and High Availability explanation →

Which TWO conditions can cause an HA pair to show a state of 'suspended'?

Question 23mediummulti select
Read the full Managing Troubleshooting and High Availability explanation →

Which THREE steps should be taken to verify that an HA pair is ready for a scheduled failover?

Question 24hardmulti select
Read the full Managing Troubleshooting and High Availability explanation →

Which TWO troubleshooting steps are most effective when an HA pair is not synchronizing sessions between peers? (Assume HA1 and HA2 are up.)

Question 25easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

Refer to the exhibit. What is the primary cause of the 'non-functional' state?

Exhibit

Refer to the exhibit.

admin@PA-220> show high-availability state

High-Availability State: non-functional
  State: non-functional
  Reason: configuration mismatch
  Local: functional, sync-pending
  Peer: running, sync-pending
  Active: 10.1.1.1
  Passive: 10.1.1.2
  Last failure reason: configuration mismatch
Question 26mediummultiple choice
Read the full NAT/PAT explanation →

Refer to the exhibit. An engineer configures HA with link monitoring and path monitoring. However, failover does not occur when ethernet1/2 goes down. What is the likely reason?

Exhibit

Refer to the exhibit.

config shared {
    high-availability {
        mode active-passive;
        group-id 10;
        state-synchronization enable;
        link-monitoring {
            interfaces [ ethernet1/1 ethernet1/2 ];
            failure-condition any;
        }
        path-monitoring {
            enable yes;
            groups {
                group1 {
                    source-ip 10.0.0.1;
                    destination-ip [ 10.0.0.254 ];
                    interval 5;
                    threshold 10;
                }
            }
        }
    }
}
Question 27hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

Refer to the exhibit. Based on the log, what triggered the failover?

Exhibit

Refer to the exhibit.

2019-03-15 10:30:15.123 high-availability: HA state change from active to passive (reason: path-monitor-group-down)
2019-03-15 10:30:15.124 high-availability: Path monitoring group 'ISP1' failed: 0 out of 1 destinations reachable
Question 28easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

An administrator notices that the HA pair shows a state mismatch: one firewall reports active, the other reports passive, but traffic is not flowing through the active firewall. What is the most likely cause?

Question 29mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

During a failover test, an engineer observes that after the active firewall fails, the passive firewall takes over, but existing UDP sessions are not maintained. What is the most likely reason?

Question 30hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

An HA pair is configured with active/active mode and session sync enabled. After a failover, a network administrator notices that some new TCP connections fail. The firewall logs show no drops. What is the most likely issue?

Question 31easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

What is the recommended best practice for the HA2 keepalive timer in an active/passive HA configuration?

Question 32mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

An administrator runs 'show high-availability state' and sees that the local firewall is in 'passive' state, but the remote firewall shows 'active'. However, the HA1 link is up and the configuration is synchronized. What could cause the passive firewall to not take over after the active fails?

Question 33hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

In an HA active/passive setup, the engineer wants to ensure that during a failover, existing FTP data sessions are not interrupted. What additional configuration is required beyond default session synchronization?

Question 34easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

An administrator needs to verify the health of HA links. Which CLI command displays the current status of HA1, HA2, and HA3 links?

Question 35mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

A firewall in an HA pair is being upgraded. The administrator wants to minimize traffic loss. What is the recommended procedure for upgrading the passive firewall in an active/passive pair?

Question 36hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

During a network incident, an engineer notices that after an HA failover, some sessions are not active on the new active firewall. The 'show session all' command shows the sessions with state 'half-closed'. What is the most likely cause?

Question 37mediummulti select
Read the full Managing Troubleshooting and High Availability explanation →

Which TWO of the following are prerequisites for configuring high availability on Palo Alto Networks firewalls? (Choose two.)

Question 38hardmulti select
Read the full Managing Troubleshooting and High Availability explanation →

An engineer is troubleshooting an HA pair where session synchronization is not working. Which THREE steps should be taken to diagnose the issue? (Choose three.)

Question 39easymulti select
Read the full Managing Troubleshooting and High Availability explanation →

Which TWO statements about active/active HA mode are true compared to active/passive mode? (Choose two.)

Question 40mediummultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

Based on the exhibit, what is the impact of the current HA state on the network?

Exhibit

Refer to the exhibit.

admin@PA-5020> show high-availability state
  Group: 1
  State: passive
  Active State: active
  Passive State: passive
  Last operational state change: 2025-02-10 10:15:23
  HA1 link: up
  HA2 link: down
  HA3 link: up
  Session sync: not synchronized
  Configuration sync: synchronized
  Priority: 100
  Preemptive: no
Question 41hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

Based on the exhibit, what is the most likely cause of the warnings?

Exhibit

Refer to the exhibit.

Configuration snippet:

HA configuration:
  mode: active-passive
  ha2 link: ethernet1/3
  ha2 keepalive timer: 1000
  ha3 link: ethernet1/4
  ha3 keepalive timer: 1000
  ha2 backup link: ethernet1/5
  ha3 backup link: none
  session synchronization: enabled
  configuration synchronization: enabled

Log entry:
2025/02/15 14:23:45 WARNING: HA2 keepalive missing from peer
2025/02/15 14:24:15 WARNING: HA2 backup link keepalive missing
Question 42hardmultiple choice
Review the full OSPF breakdown →

A medium-sized enterprise has two Palo Alto Networks PA-5250 firewalls configured in an active/passive HA pair with session synchronization and configuration synchronization enabled. The HA1 link is a direct copper cable, and the HA2 link is also a direct copper cable. The firewalls are connected to two upstream routers (R1 and R2) and two downstream switches (S1 and S2). The network uses OSPF for dynamic routing. The active firewall (FW-A) is connected to R1 and S1, while the passive firewall (FW-P) is connected to R2 and S2. The OSPF cost is set symmetrically on both sides. During a maintenance window, the network team shuts down the HA1 and HA2 links on both firewalls to test failover behavior. After the links are brought back up, the firewalls are in a state of 'non-functional' and 'suspended'. The team suspects the HA configuration is broken. What is the most likely cause and the best course of action to restore HA?

Question 43mediummulti select
Read the full Managing Troubleshooting and High Availability explanation →

An organization has configured an active/passive high availability pair of Palo Alto Networks firewalls. During a maintenance window, the active firewall was rebooted. After the reboot, the passive firewall became active, but the session table on the original active firewall is incomplete. The administrator notices that session synchronization is not working properly. Which two configuration checks should the technician perform to resolve this issue?

Question 44easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

A company has deployed two PA-3220 firewalls in an active/passive high availability configuration. During normal operation, the active firewall (FW-A) handles all traffic. The network team notices that after a brief power outage, both firewalls report as active in the HA pair, causing network instability. The administrator needs to resolve this issue and prevent it from recurring. Which course of action should the administrator take?

Question 45hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

A large enterprise uses a pair of PA-5250 firewalls in an active/passive high availability configuration to protect their data center. The firewalls are connected to two upstream switches via aggregate Ethernet (AE) interfaces. The network team recently replaced the upstream switches, and since then, the passive firewall has gone into a 'non-functional' state. The active firewall shows no issues. The HA1 link is a direct cable connection between the firewalls, and HA2 is an out-of-band dedicated link. The administrative status of both firewalls is 'active-active' in the HA monitoring, but only one firewall is actually forwarding traffic. The team needs to restore proper HA operation. Which action should the team take first?

Question 46mediummulti select
Review the full routing breakdown →

A network engineer is configuring an active/passive HA pair of Palo Alto Networks firewalls. The engineer wants to ensure that a specific interface failure triggers a failover, but only if the interface loses connectivity to its directly connected next-hop router. Which two configuration settings must be enabled to achieve this behavior?

Question 47hardmultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

The firewall is in passive state. The network team reports that during a recent maintenance window, the active firewall lost its upstream link but the passive firewall did not take over. Based on the exhibit, what is the most likely reason?

Exhibit

Refer to the exhibit.
```
admin@PA-5050> show high-availability state

Local:
  mode: active-passive
  state: passive
  link monitoring: enabled
  path monitoring: disabled
  monitor fail-holdup: 0
  HA1 link status: up
  HA2 link status: down

Peer:
  mode: active-passive
  state: active
  link monitoring: enabled
  path monitoring: disabled
  monitor fail-holdup: 0

Group state: complete
```
Question 48easymultiple choice
Read the full Managing Troubleshooting and High Availability explanation →

A company operates a pair of PA-3220 firewalls in an active/passive HA configuration. The passive firewall is experiencing intermittent HA keepalive failures, causing unnecessary failovers every few minutes. The network engineer checks the HA1 interface statistics and notices packet loss on the dedicated HA1 link. The engineer suspects a physical layer issue. However, the engineer also wants to reduce the sensitivity of the HA keepalive mechanism to tolerate occasional packet loss without triggering a failover. The firewalls are currently using default HA keepalive settings. What should the engineer do to reduce the frequency of false failovers without compromising the ability to detect a true failure?

Practice tests

Scored 10-question sessions with instant feedback and explanations.

PCNSE Practice Test 1 — 10 Questions→PCNSE Practice Test 2 — 10 Questions→PCNSE Practice Test 3 — 10 Questions→PCNSE Practice Test 4 — 10 Questions→PCNSE Practice Test 5 — 10 Questions→PCNSE Practice Exam 1 — 20 Questions→PCNSE Practice Exam 2 — 20 Questions→PCNSE Practice Exam 3 — 20 Questions→PCNSE Practice Exam 4 — 20 Questions→Free PCNSE Practice Test 1 — 30 Questions→Free PCNSE Practice Test 2 — 30 Questions→Free PCNSE Practice Test 3 — 30 Questions→PCNSE Practice Questions 1 — 50 Questions→PCNSE Practice Questions 2 — 50 Questions→PCNSE Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Manage, Monitor and OperateSecuring Traffic and App-IDSecuring Users and Applications with AuthenticationDecryption and SSL InspectionManaging Troubleshooting and High AvailabilityDeploy and Configure FirewallsCore Concepts and ArchitectureSecure Access and VPNTroubleshoot

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Managing Troubleshooting and High Availability setsAll Managing Troubleshooting and High Availability questionsPCNSE Practice Hub