A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. After a recent maintenance window, the passive firewall fails to synchronize its configuration from the active. The active firewall shows the HA1 link as down. Which two configuration settings must be verified to resolve this issue?
The HA1 link status depends on correct IP/port configuration and matching keepalive timers; a mismatch between the peers can take the link down and cause configuration sync to fail.
Why this answer
The HA1 link is used for control-plane communication, including configuration synchronization and heartbeats. If the active firewall shows the HA1 link as down, the most likely cause is a mismatch in the HA1 IP address, port settings, or the HA keepalive timer between the two peers. Verifying and correcting these settings ensures the HA1 link can establish and maintain connectivity, allowing the passive firewall to synchronize its configuration.
Exam trap
The trap here is that candidates often confuse the roles of HA1 and HA2 links, assuming HA2 is required for configuration sync, or they assume HA1 encryption is mandatory for the link to be operational.
How to eliminate wrong answers
Option A is wrong because the HA2 link is used for session and state synchronization, not for configuration synchronization or heartbeat; a down HA2 link would not prevent configuration sync.
Option B is wrong because the session setup mode (active-active vs active-passive) is a separate configuration that affects session ownership and forwarding, not the HA1 control link or configuration synchronization.
Option C is wrong because HA1 encryption is optional and not required for basic HA1 link operation or configuration sync; enabling it would not resolve a link-down issue caused by IP/port or timer mismatches.