A company has two Palo Alto Networks firewalls in active/passive HA. The passive firewall failed and was replaced with a new unit. The network administrator initiates a configuration sync from the active to the new passive. After the sync, the passive unit shows as 'Active' instead of 'Passive'. What is the most likely cause?
Missing serial number prevents authentication, causing passive to become active.
Why this answer
Option C is correct because in an active/passive HA pair, the active firewall maintains a list of allowed peer serial numbers. If the new passive unit's serial number is not included in the active firewall's HA configuration, the active will not recognize the passive as a valid peer. Consequently, the passive unit, lacking a proper HA heartbeat from the active, will assume the active role (become 'Active') due to a loss of the HA link or misidentification, as it defaults to active state when it cannot establish a proper HA relationship.
Exam trap
The trap here is that candidates often assume a configuration sync will automatically update the peer serial number or that the HA role is determined solely by the 'device priority' setting, overlooking the explicit serial number validation required for HA peer authentication.
How to eliminate wrong answers
Option A is wrong because a misconfigured HA link (e.g., incorrect IP addresses or subnet masks on the HA control/data interfaces) would prevent the units from communicating, but it would not specifically cause the passive to become 'Active'—both units would likely show as 'Active' or 'Non-Functional' due to loss of heartbeat, not a targeted role flip. Option B is wrong because 'Stateful Inspection' is not an HA role setting; HA roles are 'Active' or 'Passive', and 'Stateful Inspection' refers to a firewall feature for session tracking, not an HA configuration option. Option D is wrong because Panorama template version differences affect policy and object synchronization, not the HA state or role election; the HA state is determined by local HA configuration and peer serial number validation, not Panorama templates.