CCNA Managing Troubleshooting HA Questions

48 questions · Managing Troubleshooting HA topic · All types, answers revealed

1
MCQ · medium

An administrator runs 'show high-availability state' and sees that the local firewall is in 'passive' state, but the remote firewall shows 'active'. However, the HA1 link is up and the configuration is synchronized. What could cause the passive firewall to not take over after the active fails?

A.The configuration is not synchronized
B.Session synchronization is not fully complete
C.The HA2 link is down
D.Preemptive mode is disabled and the passive firewall has a lower priority
Answer: D

Without preemption, the passive stays passive unless its priority is higher (see the caveat below).

Why this answer

Option D is the intended answer: the exam treats preemption being disabled, combined with a lower priority on the passive device, as the reason the passive firewall does not assume the active role. Option A is wrong because the question states the configuration is already synchronized. Option B is wrong because session synchronization determines whether existing sessions survive a failover, not whether the state transition happens. Option C is wrong because HA2 carries session and data-plane state; its failure does not block a state transition.

Caveat for practice: in PAN-OS, preemption only decides whether a higher-priority device reclaims the active role after it recovers. A healthy passive peer takes over when the active fails regardless of the preempt setting, so before blaming preemption check 'show high-availability state' for a suspended or non-functional state and its reason, and check the link and path monitoring status.

2
Multi-Select · medium

A network engineer is configuring an active/passive HA pair of Palo Alto Networks firewalls. The engineer wants to ensure that a specific interface failure triggers a failover, but only if the interface loses connectivity to its directly connected next-hop router. Which two configuration settings must be enabled to achieve this behavior?

Select 2 answers
A.Configure HA2 as a backup heartbeat link.
B.Enable link monitoring on the interface.
C.Set HA1 link monitoring to ping the peer firewall's management IP.
D.Enable path monitoring on the interface with a monitoring destination IP of the next-hop router.
E.Set the passive link state to 'auto'.
Answers: B, D

Link monitoring detects physical link state changes on the interface; path monitoring pings the next-hop router through it and triggers failover when the pings stop being answered.

Why this answer

Path monitoring sends ICMP pings to a monitored destination IP (here the next-hop router) via the interface and declares a failure when they go unanswered; link monitoring detects physical link state changes on the interface. Together they cover both a dead next-hop and a dropped link. Option A is wrong because an HA2 backup heartbeat only adds redundancy for the control-link heartbeat; it does not detect interface failure. Option C is wrong because HA1 carries the heartbeat between peers, and pinging the peer's management IP says nothing about upstream reachability. Option E is wrong because the passive link state setting only controls whether the passive device's data interfaces stay physically up ('auto') or are held down ('shutdown').

Caveat for practice: path monitoring alone is sufficient to fail over on next-hop loss, since a physical link drop also stops the pings; link monitoring mainly shortens detection time. Remember that the monitor's failure condition ('any' or 'all') applies across the configured link and path groups.

3
MCQ · easy

A network engineer needs to troubleshoot why a specific user cannot access a web application through a Palo Alto Networks firewall. The engineer has verified that the user's traffic reaches the firewall and that no security policy explicitly blocks the traffic. Which CLI command should be used to check if the traffic is being matched by a hidden or implicit rule?

A.show session all
B.debug dataplane packet-diag
C.test security-policy-match source <ip> destination <ip> destination-port <port> protocol <tcp>
D.show running security-policy
Answer: C

This command evaluates a described flow against the security policy and reports the matching rule, including the implicit default rules.

Why this answer

Option C, 'test security-policy-match', is the correct command because it evaluates a described packet against the firewall's security rulebase, including the implicit rules (the default intrazone allow and interzone deny). It shows exactly which rule the traffic hits, even when no explicit policy is configured, which is what the engineer needs to explain an unexpected deny. Note that the 'protocol' argument takes the IP protocol number (6 for TCP, 17 for UDP), and that adding 'from' and 'to' zones and 'application' makes the test match the real flow more closely.

Exam trap

The trap is assuming that 'show running security-policy' or 'show session all' can answer the question. One lists the rulebase and the other lists active sessions; neither evaluates a specific flow against the policy engine, so neither tells you which rule a not-yet-established flow would hit.

How to eliminate wrong answers

Option A is wrong because 'show session all' displays active sessions, not the policy decision for a given flow; a flow denied by an implicit rule never becomes a session in the first place. Option B is wrong because 'debug dataplane packet-diag' is the packet-capture and packet-diagnostic facility for the dataplane, useful later to see where a packet is dropped, but it does not answer which rule a described flow matches. Option D is wrong because 'show running security-policy' displays the rulebase as loaded on the dataplane; it does not evaluate a flow against it, so it cannot tell you that this user's traffic is landing on a default rule.
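The policy evaluation that 'test security-policy-match' performs, including the fall-through to the implicit intrazone-default and interzone-default rules, is shown below as an added example. It is illustrative code written for this page, not the firewall's policy engine or any Palo Alto Networks tool; the zone names, rules and addresses are constructed for the demonstration.

```python
"""Minimal model of top-down security policy evaluation with the two implicit
default rules (intrazone-default allow, interzone-default deny).
Illustrative code for this page; rulebase and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: tuple      # ("any",) matches every zone
    to_zones: tuple
    sources: tuple         # CIDR strings, or ("any",)
    destinations: tuple
    services: tuple        # "proto/port" strings, or ("any",)
    action: str            # "allow" or "deny"


def _zone_match(rule_zones, zone):
    return "any" in rule_zones or zone in rule_zones


def _addr_match(rule_addrs, addr):
    if "any" in rule_addrs:
        return True
    return any(ip_address(addr) in ip_network(n) for n in rule_addrs)


def _svc_match(rule_svcs, proto, port):
    return "any" in rule_svcs or f"{proto}/{port}" in rule_svcs


def policy_match(rulebase, from_zone, to_zone, src, dst, proto, dport):
    """Return (rule_name, action) for the first matching rule.

    Explicit rules are evaluated top-down.  If none matches, the implicit
    rules apply: intrazone-default (allow) when the zones are the same,
    interzone-default (deny) otherwise.  This is what 'test
    security-policy-match' reports, including a hit on a default rule."""
    for r in rulebase:
        if (_zone_match(r.from_zones, from_zone)
                and _zone_match(r.to_zones, to_zone)
                and _addr_match(r.sources, src)
                and _addr_match(r.destinations, dst)
                and _svc_match(r.services, proto, dport)):
            return r.name, r.action
    if from_zone == to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed rulebase: only HTTPS from the user zone to the web tier is
# explicitly allowed, and telnet is explicitly blocked everywhere.
RULEBASE = (
    Rule("allow-users-to-web", ("users",), ("dmz",), ("10.10.0.0/16",),
         ("192.0.2.0/24",), ("tcp/443",), "allow"),
    Rule("block-telnet", ("any",), ("any",), ("any",), ("any",),
         ("tcp/23",), "deny"),
)


def explain(from_zone, to_zone, src, dst, proto, dport):
    """One-line report in the spirit of the CLI test command's output."""
    name, action = policy_match(RULEBASE, from_zone, to_zone, src, dst, proto, dport)
    return f"{from_zone}->{to_zone} {src} -> {dst} {proto}/{dport}: {action} by '{name}'"


if __name__ == "__main__":
    # Plain HTTP from the user is not covered by any explicit rule, so it is
    # denied by interzone-default: the "hidden" rule the question is about.
    print(explain("users", "dmz", "10.10.5.7", "192.0.2.10", "tcp", 80))
    print(explain("users", "dmz", "10.10.5.7", "192.0.2.10", "tcp", 443))
    print(explain("users", "users", "10.10.5.7", "10.10.9.1", "tcp", 22))
    print(explain("users", "users", "10.10.5.7", "10.10.9.1", "tcp", 23))
```

The first call is the troubleshooting case from the question: no explicit rule blocks the traffic, yet it is denied, and only by evaluating the flow do you see that interzone-default is the rule being hit.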

4
MCQ · medium

After a failover event, some user sessions are reset. The HA pair is configured for Active/Active with session distribution using a hash algorithm. What is the most likely reason for session resets?

A.Session offload is not enabled on the passive firewall
B.Packet Buffer Protection threshold was exceeded
C.Session synchronization is not configured between the HA peers
D.The routing table is not redistributed after failover
Answer: C

Without session synchronization the active firewall's sessions are unknown to its peer, so they are reset when the peer takes them over.

Why this answer

Option C is correct because stateful failover in an active/active pair depends on session state being replicated over HA2; if session synchronization is not configured, the surviving member has no entry for the sessions its failed peer owned and resets them. Option A is wrong because there is no passive firewall in active/active and 'session offload' is not a PAN-OS HA feature. Option B is wrong because Packet Buffer Protection affects drop behaviour under buffer pressure, not session state after a failover. Option D is wrong because routing table redistribution does not reset existing sessions.

5
Multi-Select · medium

An organization has configured an active/passive high availability pair of Palo Alto Networks firewalls. During a maintenance window, the active firewall was rebooted. After the reboot, the passive firewall became active, but the session table on the original active firewall is incomplete. The administrator notices that session synchronization is not working properly. Which two configuration checks should the technician perform to resolve this issue?

Select 2 answers
A.Check that the session synchronization encryption is disabled to reduce latency.
B.Validate that the heartbeat hold timer is set to a value greater than the failover delay.
C.Confirm that the HA1 link is using the correct IP address and is in the same subnet.
D.Verify that the HA2 link is operational and has sufficient bandwidth.
E.Ensure that the HA firewalls have the same software version and that session synchronization is enabled in the HA configuration.
Answers: D, E

The HA2 link carries session synchronization; if it is down or congested, sync fails.

Why this answer

Session synchronization runs over the HA2 link, so verifying that HA2 is operational with sufficient bandwidth (D) is the first check. Session sync must also be enabled in the HA configuration, and the two firewalls must run the same software version (E) for the replicated state to be compatible. Option C is wrong because HA1 carries the heartbeat and configuration sync, not session state. Option A is wrong because disabling encryption does not make sync more reliable; it only removes protection from the replicated state. Option B is wrong because the heartbeat hold timer affects failover timing, not synchronization.

6
Multi-Select · easy

Which TWO statements about active/active HA mode are true compared to active/passive mode? (Choose two.)

Select 2 answers
A.Active/active eliminates the need for failover
B.Active/active requires enabling asymmetric routing support
C.Active/active allows both firewalls to process traffic simultaneously
D.Active/active automatically synchronizes configuration changes
E.Active/active is the default and most commonly deployed mode
Answers: B, C

Both members forward traffic, so the pair must cope with the two directions of a flow arriving on different firewalls.

Why this answer

Options B and C are correct. In active/active both firewalls process traffic simultaneously, which means return traffic can hit the member that did not see the first packet; PAN-OS handles this asymmetry through session owner and session setup selection and an HA3 link for forwarding packets to the session owner. Option A is wrong because failover is still needed when a member fails. Option D is wrong because configuration synchronization works the same way in both modes; it is not a distinguishing feature. Option E is wrong because active/passive is the default and more common deployment.

7
Multi-Select · hard

Which TWO conditions can cause an HA pair to enter an 'active/active' state? (Choose two.)

Select 2 answers
A.Loss of HA keepalive on both sides
B.License expiration on one firewall
C.Session synchronization failure
D.Configuration mismatch between peers
E.HA1 link failure
Answers: A, E

If keepalives are lost, each firewall assumes the other is dead and becomes active.

Why this answer

A is correct because when both firewalls stop receiving the HA keepalive (sent over the HA1 link), each assumes the peer is dead and transitions to active to keep traffic flowing. E is correct because an HA1 link failure with no backup control link is exactly what causes the keepalives to be lost in both directions. The result is an unintended active/active (split-brain) condition in which both devices claim the shared interface IP and MAC addresses, producing duplicate-IP conflicts and unstable forwarding. B, C and D do not produce two active peers: a license problem, a session sync failure or a configuration mismatch leaves one device active and the other non-functional or degraded.

Exam trap

The trap is to pick only the HA1 link failure (option E) and overlook that loss of keepalives on both sides (option A) is the underlying mechanism; both are correct because an HA1 failure without a backup path is one way to lose the keepalives. Configuring an HA1 backup link or heartbeat backup on the management port is what prevents this.

8
MCQ · hard

A medium-sized enterprise has two Palo Alto Networks PA-5250 firewalls configured in an active/passive HA pair with session synchronization and configuration synchronization enabled. The HA1 link is a direct copper cable, and the HA2 link is also a direct copper cable. The firewalls are connected to two upstream routers (R1 and R2) and two downstream switches (S1 and S2). The network uses OSPF for dynamic routing. The active firewall (FW-A) is connected to R1 and S1, while the passive firewall (FW-P) is connected to R2 and S2. The OSPF cost is set symmetrically on both sides. During a maintenance window, the network team shuts down the HA1 and HA2 links on both firewalls to test failover behavior. After the links are brought back up, the firewalls are in a state of 'non-functional' and 'suspended'. The team suspects the HA configuration is broken. What is the most likely cause and the best course of action to restore HA?

A.Upgrade both firewalls to the same software version and then re-initialize HA
B.Change the HA mode to active/active and enable asymmetric routing
C.Reboot both firewalls after verifying the HA configuration and that the links are operationally up
D.Configure a dedicated management interface for HA1 communication and ensure HA2 is on a different subnet
Answer: C

Rebooting recovers the pair from the suspended state once the links are up again.

Why this answer

Option C is the intended answer. When HA1 and HA2 are shut down simultaneously, both firewalls lose all HA keepalives and can end up suspended or non-functional; the exam's recovery is to verify the HA configuration and that the links are operationally up, then reboot. Option A is wrong because the firewalls are already on the same version (mismatched versions are not permitted in an HA pair and would show a different reason). Option B is wrong because changing the HA mode to active/active does not address a suspended pair. Option D is wrong because moving HA1 to the management interface and re-addressing HA2 does not fix the current state.

Caveat for practice: a suspended device can usually be returned to service without a reboot with 'request high-availability state functional' once the links are confirmed up; a reboot is the fallback if the pair does not reconverge.

9
MCQ · hard

During a network incident, an engineer notices that after an HA failover, some sessions are not active on the new active firewall. The 'show session all' command shows the sessions with state 'half-closed'. What is the most likely cause?

A.The firewall failed to properly synchronize the TCP sessions before the failover
B.The HA2 link failover timer is set too low
C.The ARP timeout on the next-hop router is too short
D.Asymmetric routing is causing the firewall to see only one direction of traffic
Answer: A

Incomplete synchronization leaves sessions half-closed on the new active firewall.

Why this answer

Option A is correct because TCP session pickup after failover depends on the original active firewall having replicated the session state; if the sync was incomplete, the new active device holds those sessions in an inconsistent, half-closed state. Option B is wrong because there is no 'HA2 link failover timer'; HA timers affect how quickly failover happens, not session state. Option C is wrong because an ARP timeout on the next-hop router affects reachability, not the firewall's session state. Option D is wrong because asymmetric routing would affect how new sessions are set up, not the state of sessions that existed before the failover.

10
MCQ · easy

A network engineer is troubleshooting an HA pair where both firewalls show as 'active' in the HA state. What is this condition called?

A.Link failure
B.Active/Active
C.Passive/Passive
D.Split brain
Answer: D

Split brain is the term for both members of an active/passive pair being active at the same time.

Why this answer

In an active/passive HA pair only one firewall should be active at a time. When both firewalls show as 'active', this is known as a split-brain condition. It occurs when the HA control link (heartbeat) fails and each firewall assumes the other is down, so both transition to active and process traffic independently.

Exam trap

The trap is confusing 'split brain' with 'active/active' mode. Active/active is a legitimate, deliberately configured mode in which both firewalls forward traffic; split brain is an unintended failure state of an active/passive pair.

How to eliminate wrong answers

Option A is wrong because a link failure is a potential cause of split brain, not the name of the condition. Option B is wrong because active/active is a configured HA mode, not the failure state described; two active members in an active/passive pair is a fault. Option C is wrong because passive/passive is not a valid HA state on Palo Alto Networks firewalls; the supported modes are active/passive and active/active.

11
MCQ · medium

An HA pair experiences split-brain after a brief network outage. Both firewalls become active and each starts forwarding traffic. What is the most effective way to prevent this in the future?

A.Increase the HA keepalive failover threshold to tolerate temporary packet loss
B.Decrease the HA1 hello interval
C.Enable link monitoring on all interfaces
D.Increase the session synchronization rate
Answer: A

A higher threshold lets a brief outage pass without triggering a failover.

Why this answer

Option A is correct because raising the keepalive failover threshold (more missed keepalives before the peer is declared dead) reduces false failovers during short outages. Option B is wrong because shortening the hello interval makes the pair more sensitive to transient loss, not less. Option C is wrong because link monitoring watches data interfaces and does not address heartbeat loss on the control link. Option D is wrong because the session synchronization rate has nothing to do with peer-liveness detection.

Caveat for practice: raising thresholds trades detection speed for tolerance. The structural fix is to remove the single point of failure with an HA1 backup link and heartbeat backup on the management interface, so that one lost path no longer causes both peers to go active.

12
MCQ · easy

Refer to the exhibit. What is the primary cause of the 'non-functional' state?

A.The configuration sync operation has failed
B.One firewall is not running
C.HA1 link failure between 10.1.1.1 and 10.1.1.2
D.The configuration on the two firewalls is not identical
Answer: D

A configuration mismatch directly causes the non-functional state.

Why this answer

Option D is correct because the reason shown in the exhibit is 'configuration mismatch'. Option C is wrong because HA1 is up (the peers at 10.1.1.1 and 10.1.1.2 are communicating, which is how the mismatch was detected in the first place). Option B is wrong because the output shows both firewalls running. Option A is wrong because no failed sync operation is indicated, only that the configurations differ.

To clear it, run 'request high-availability sync-to-remote running-config' on the device whose configuration is authoritative and confirm that 'show high-availability state' reports the running configuration as synchronized.

13
MCQ · medium

An engineer notices that after an HA failover, the new active firewall is not passing traffic. The show running ip route command shows the default route is missing. What is the most likely cause?

A.Floating static routes were not configured on the passive firewall.
B.Static routes were not synchronized.
C.OSPF routes were not synchronized.
D.BGP routes were not synchronized.
Answer: A

The intended answer is that the route the passive device needs after failover was never configured for it; see the caveat for how this maps to PAN-OS.

Why this answer

The exam's reasoning: in an active/passive pair the passive firewall must hold every route it will need once it becomes active. If the default route was set up only for the original active device (for example as a floating static route with a higher administrative distance, so that it does not conflict while the device is passive), the new active firewall has no default route after failover and forwarding stops.

Caveat for practice: in PAN-OS the virtual router configuration, including static routes, is part of the synchronized running configuration, so on a correctly synchronized pair a static default route is present on both peers. If the route is missing after a real failover, look for a change that was never committed and synchronized, or for a dynamic routing adjacency (OSPF or BGP) that has not re-formed on the new active device, and confirm with 'show routing route'.

Exam trap

The trap is assuming every route is present on the passive device at failover. Dynamic routes are re-learned through the new active device's own adjacencies, and a route that exists only on the former active device is gone until it is re-learned or committed on the peer.

How to eliminate wrong answers

Option B is wrong in the exam's framing because the answer is about the route never having been configured for the passive role, not about a synchronization failure. Option C is wrong because OSPF routes are dynamically learned and are re-established after failover when the new active firewall forms adjacencies. Option D is wrong for the same reason: BGP routes are re-learned over the new active firewall's BGP sessions.

14
MCQ · medium

Based on the exhibit, what is the impact of the current HA state on the network?

A.Configuration changes are not synchronized
B.The passive firewall will preempt the active when the active fails
C.Sessions will not be preserved during a failover
D.The HA pair cannot perform a failover
Answer: C

Session state is not synchronized because HA2 is down.

Why this answer

Option C is correct. The HA2 link is down, so session synchronization shows as not synchronized. Traffic continues to flow through the active firewall, but a failover now would land on a peer with an empty session table and existing sessions would be reset.

Option A is wrong because configuration sync runs over HA1, which is up. Option B is wrong because preemption is disabled in the exhibit. Option D is wrong because HA1 (the heartbeat) is up, so the pair can still fail over; it just does so without session state.
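For the exhibit-based items on this page (questions 10, 12 and 14), here is an added example: a small parser and health check for the kind of indented key/value output that 'show high-availability state' produces. The sample outputs are constructed for this example and only loosely follow the real layout; field names on a real device differ, and this is not a Palo Alto Networks tool. The remediation commands it mentions ('request high-availability sync-to-remote running-config' and 'request high-availability state functional') are real PAN-OS commands.

```python
"""Parse indented 'Key: value' HA status output into a tree and flag the
conditions the exhibit questions ask about.  Illustrative code for this
page; the SAMPLE_* outputs are constructed and not verbatim device output."""


def parse(text):
    """Build nested dicts from an indentation-structured 'key: value' dump."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        while indent <= stack[-1][0]:          # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        if value == "":                         # a section header opens a new level
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value
    return root


def _get(tree, *path, default=""):
    node = tree
    for p in path:
        if not isinstance(node, dict) or p not in node:
            return default
        node = node[p]
    return node


def _first_word(s):
    return s.split()[0].lower() if s else ""


REMEDIATION = {
    "SPLIT_BRAIN": "both peers active: restore HA1, then add an HA1 backup or heartbeat backup",
    "LOCAL_NON_FUNCTIONAL": "check 'State Reason'; for a config mismatch run "
                            "'request high-availability sync-to-remote running-config' on the authoritative peer",
    "LOCAL_SUSPENDED": "clear with 'request high-availability state functional' once the cause is fixed",
    "HA1_DOWN": "control link down: heartbeat and config sync are lost",
    "HA2_DOWN": "data link down: session state is not replicated, sessions will not survive a failover",
    "CONFIG_NOT_SYNCED": "running configuration differs between the peers",
    "SESSIONS_NOT_SYNCED": "existing sessions will reset on failover",
    "PREEMPT_DISABLED": "informational: the higher-priority peer will not reclaim the active role after recovery",
}


def assess(tree):
    """Return finding codes (in a fixed order) for the first HA group in the output.
    A missing link-state field is treated as down."""
    group = next(iter(tree.values()))
    local = _first_word(_get(group, "Local Information", "State"))
    peer = _first_word(_get(group, "Peer Information", "State"))
    findings = []
    if local == "active" and peer == "active":
        findings.append("SPLIT_BRAIN")
    if local in ("non-functional", "suspended"):
        findings.append("LOCAL_" + local.upper().replace("-", "_"))
    if _get(group, "Local Information", "HA1 Control Link Information", "Link State").lower() != "up":
        findings.append("HA1_DOWN")
    if _get(group, "Local Information", "HA2 Data Link Information", "Link State").lower() != "up":
        findings.append("HA2_DOWN")
    if _get(group, "Configuration Synchronization", "Running Configuration").lower() != "synchronized":
        findings.append("CONFIG_NOT_SYNCED")
    if _get(group, "Session Synchronization", "State").lower() != "synchronized":
        findings.append("SESSIONS_NOT_SYNCED")
    if _get(group, "Local Information", "Preemptive").lower() == "no":
        findings.append("PREEMPT_DISABLED")
    return findings


def report(text):
    return [f"{code}: {REMEDIATION[code]}" for code in assess(parse(text))]


# Constructed sample resembling question 14: active, HA2 down, preempt off.
SAMPLE_HA2_DOWN = """\
Group 1:
  Mode: Active-Passive
  Local Information:
    State: active (last 2 days)
    Preemptive: no
    HA1 Control Link Information:
      Link State: Up
    HA2 Data Link Information:
      Link State: Down
  Peer Information:
    State: passive
  Configuration Synchronization:
    Running Configuration: synchronized
  Session Synchronization:
    State: not synchronized
"""

# Constructed sample resembling question 12: non-functional, config mismatch.
SAMPLE_CONFIG_MISMATCH = """\
Group 1:
  Mode: Active-Passive
  Local Information:
    State: non-functional
    State Reason: configuration mismatch
    Preemptive: yes
    HA1 Control Link Information:
      Link State: Up
    HA2 Data Link Information:
      Link State: Up
  Peer Information:
    State: active
  Configuration Synchronization:
    Running Configuration: not synchronized
  Session Synchronization:
    State: synchronized
"""

# Constructed sample resembling question 10: HA1 lost, both peers active.
SAMPLE_SPLIT_BRAIN = """\
Group 1:
  Mode: Active-Passive
  Local Information:
    State: active (last 10 minutes)
    Preemptive: yes
    HA1 Control Link Information:
      Link State: Down
    HA2 Data Link Information:
      Link State: Up
  Peer Information:
    State: active
  Configuration Synchronization:
    Running Configuration: synchronized
  Session Synchronization:
    State: synchronized
"""

if __name__ == "__main__":
    for name, sample in (("ha2-down", SAMPLE_HA2_DOWN),
                         ("config-mismatch", SAMPLE_CONFIG_MISMATCH),
                         ("split-brain", SAMPLE_SPLIT_BRAIN)):
        print(f"== {name}")
        for line in report(sample):
            print("  " + line)
```

The checks map one-to-one onto the exhibit questions: HA2 down means sessions will not be preserved (question 14), a non-functional local state with the configuration not synchronized is the mismatch case (question 12), and both peers reporting active is split brain (question 10). Feed it the real command output only after adjusting the field names to what your PAN-OS version prints.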

15
MCQ · medium

During an HA failover, the new active firewall's session table is empty, causing all existing connections to be dropped. Which configuration change would prevent this?

A.Configure HA3 for stateful inspection.
B.Increase HA1 keepalive timer.
C.Enable config sync on HA1.
D.Enable session sync on HA2.
Answer: D

Session sync replicates the session table to the passive firewall over HA2.

Why this answer

Option D is correct because enabling session synchronization replicates session state from the active to the passive firewall over the HA2 link. At failover the new active firewall already holds the session table, so existing connections are preserved. Without session sync the passive device starts with an empty session table and every established TCP/UDP session is torn down.

Exam trap

The trap is confusing configuration synchronization (config sync, over HA1) with session state synchronization (session sync, over HA2), which leads candidates to pick config sync as the fix for losing active connections at failover.

How to eliminate wrong answers

Option A is wrong because HA3 is the packet-forwarding link used in active/active deployments to hand packets to the session owner; it plays no part in active/passive session sync, and 'stateful inspection' is a firewall function unrelated to HA. Option B is wrong because the HA1 keepalive timer only changes how quickly a peer failure is detected; it does nothing to preserve sessions. Option C is wrong because config sync over HA1 replicates configuration (policies, objects, network settings), not the dynamic session table.

16
Matching · medium

Match each CLI command to its function.


Displays firewall model, version, and uptime

Lists currently active security rules

Reboots the firewall

Captures packets for troubleshooting

Enters configuration mode to make changes

Why these pairings

These are common commands used in PAN-OS CLI.

17
Multi-Select · medium

Which TWO of the following are prerequisites for configuring high availability on Palo Alto Networks firewalls? (Choose two.)

Select 2 answers
A.Both firewalls must have management IPs in different subnets
B.Both firewalls must have the same interface naming
C.Both firewalls must have the same licenses
D.Both firewalls must run the same software version
E.Both firewalls must be the same model
Answers: D, E

The same model and the same PAN-OS version are required.

Why this answer

Options D and E are correct: an HA pair must consist of firewalls of the same model running the same software version. Option A is wrong because the management IPs do not have to be in different subnets; if the management port is used for heartbeat backup they only need to reach each other. Option B is wrong because interface naming follows the hardware model and is not a separate prerequisite. Option C is the exam's distractor, although the vendor's own prerequisite list also calls for the same set of licenses (and the same multi-vsys capability) so that both devices can enforce the same features after a failover.

18
MCQ · hard

A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. During a failover test, the passive firewall becomes active, but traffic stops passing through the new active firewall. The management interface on the new active firewall is reachable. What is the most likely cause?

A.The ARP table was not synchronized during failover.
B.The HA2 link is down, causing session table mismatch.
C.The new active firewall does not have a valid license.
D.The session setup rate exceeded the new active firewall's capacity.
Answer: D

If the new active firewall cannot keep up with the burst of new sessions after failover, it drops data-plane traffic while its management plane stays reachable.

Why this answer

Option D is the intended answer. When the passive firewall becomes active without a synchronized session table, every existing flow has to be re-established at once; if that burst of session setups exceeds what the device can handle, new connections are dropped even though the management interface responds. The management plane and data plane are separate, so management access proves nothing about forwarding. Check 'show session info' for the active session count and new-connection rate, and 'show counter global filter severity drop' for the drop reasons.

Exam trap

The trap is treating a reachable management interface as proof that the data plane is healthy. On Palo Alto Networks firewalls the two planes are independent: a capacity problem or a dataplane fault can stop forwarding while management stays up.

How to eliminate wrong answers

Option A is wrong because ARP tables are replicated over HA2 and the new active device sends gratuitous ARP for the shared interface addresses at failover; a missing ARP entry would cause localized reachability problems, not a total stop. Option B is wrong because HA2 carries session state; if it is down, existing sessions are lost after failover but new sessions still set up, so traffic would not stop entirely. Option C is wrong because basic forwarding and security policy do not depend on subscription licenses; an expired subscription disables features such as Threat Prevention or URL Filtering but does not stop traffic.

19
MCQ · easy

When configuring High Availability on a Palo Alto Networks firewall, which of the following is a best practice for the HA1 control link?

A.Use the management interface (MGT) for HA1
B.Configure HA1 as a subinterface on the HA2 link
C.Configure HA1 over a VLAN on a data interface to save ports
D.Use a dedicated physical interface for HA1, not shared with data traffic
Answer: D

A dedicated interface keeps the heartbeat free of data-plane congestion.

Why this answer

Option D is correct because a dedicated physical HA1 interface keeps the control-plane heartbeat isolated from data traffic. Option A is not best practice on platforms that have dedicated HA ports; the management interface is the recommended heartbeat backup rather than the primary HA1 link. Option B is wrong because HA1 is a separate control link, not a subinterface of the HA2 data link. Option C is wrong because sharing a data interface exposes the heartbeat to data-plane load and latency, which risks false failovers.

20
MCQ · easy

An HA pair is configured with Active/Passive mode. The passive firewall fails to become active after the active firewall's management interface goes down. What is the most likely cause?

A.HA1 keepalive failure is not detected
B.Management interface failure is not a monitored condition by default
C.HA2 link monitoring is not enabled
D.Session synchronization is not complete
Answer: B

A management interface failure does not trigger HA failover by default; it only matters if the management port is also serving as the HA1 link or heartbeat backup, in which case its loss is a control-link loss.

Why this answer

Option B is correct because, by default, the management interface is not a monitored condition; failover is driven by HA1 keepalives and by the configured link and path monitoring on data interfaces. Option A is wrong because a lost HA1 keepalive would trigger a failover. Option C is wrong because HA2 carries session state, and HA2 keep-alive monitoring (if configured) does not apply to the management interface. Option D is wrong because incomplete session synchronization never causes a failover; it only affects what survives one.

21
MCQ · medium

A company has two Palo Alto Networks firewalls configured in active/passive HA. During a failover test, the passive firewall becomes active but traffic is not passing. The active firewall shows the correct configuration and licenses. Which action is most likely to resolve the issue?

A.Enable preemption on the HA configuration.
B.Re-apply the licenses on the newly active firewall.
C.Perform a configuration synchronization from the original active firewall.
D.Disable the HA2 link to force stateful failover.
Answer: C

The passive may hold an outdated or incomplete configuration; a sync makes it match the active.

Why this answer

Option C is correct because the most likely cause of traffic failing after a failover is that the configuration on the newly active firewall is out of sync with the original active device. Config sync is normally enabled, but if the last change was committed without syncing, or the pair shows the running configuration as 'not synchronized', the new active device may lack interface settings, security policies or routes. Running a configuration synchronization from the original active firewall (and committing) brings it into line and restores forwarding.

Exam trap

The trap is assuming that failover itself synchronizes configuration. It does not: config sync has to be enabled and completed beforehand. Check 'show high-availability state' for 'Running Configuration: synchronized' before you trust a failover test.

How to eliminate wrong answers

Option A is wrong because preemption only decides which device becomes active after a failure is resolved; it does not make a mis-configured device pass traffic. Option B is wrong because each device carries its own licenses, which must already match before HA is formed; nothing is re-applied at failover. Option D is wrong because disabling HA2 breaks session synchronization (and the HA2 keep-alive, if configured); it does not force a stateful failover, and it would make the situation worse.

22
MCQ · hard

After a power failure, both firewalls in an HA pair come up and report 'active' state. The network team confirms that the two firewalls are connected via HA1 and HA2. What is the most likely cause of the split-brain condition?

A.The HA1 keepalive hold timer is set too low, causing both to become active before learning peer state
B.The active firewall has a higher software version
C.Preemption is enabled on both firewalls
D.HA2 link is configured but not used for election
Answer: A

A hold timer that is too short lets each device declare the peer dead before the peer has finished booting.

Why this answer

Option A is correct because with a very short keepalive hold timer on HA1, each firewall coming up from the power failure stops waiting for the peer before the peer's HA process is ready, and both promote themselves to active. Option B is wrong because a software version mismatch produces a mismatch (non-functional) state, not two active peers. Option C is wrong because preemption only decides which device reclaims the active role after recovery; it cannot make both active at once. Option D is wrong because HA2 carries session state and is not used for the active/passive election.

23
MCQ · hard

In an Active/Passive HA pair, the passive firewall reports 'non-functional' state. The 'show high-availability state' output on the passive shows 'state: non-functional' and 'reason: configuration mismatch'. The active firewall shows 'state: active' and 'reason: no reason'. Which action should be taken to resolve the issue without disrupting traffic?

A.Run 'request high-availability sync-to-remote' from the active firewall
B.Restart the HA process on the passive firewall with 'debug software restart high-availability'
C.Failover the active firewall to force re-sync
D.Upgrade both firewalls to the same PAN-OS version
Answer: A

Syncing the active configuration to the passive clears the mismatch without downtime.

Why this answer

Option A is correct because 'request high-availability sync-to-remote running-config' pushes the active device's configuration to the passive peer, which clears the configuration mismatch without touching the active firewall. Option B is wrong because restarting the HA process on the passive device resets HA state but does not change the configuration that is mismatched. Option C is wrong because forcing a failover onto a non-functional peer disrupts traffic and does not resync anything. Option D is wrong because the reason string is 'configuration mismatch', not a version mismatch.

Afterwards confirm that 'show high-availability state' on the passive device reports 'Running Configuration: synchronized' and that its state returns to passive.

24
MCQ · hard

An HA pair is configured with active/active mode and session sync enabled. After a failover, a network administrator notices that some new TCP connections fail. The firewall logs show no drops. What is the most likely issue?

A.The ARP cache on the firewalls is stale
B.Flow-based routing is misconfigured
C.Session synchronization is not functioning for TCP
D.Asymmetric routing is causing the SYN packet to be processed by one firewall and the SYN-ACK by the other
Answer: D

Active/active needs the paths engineered so that both directions of a flow reach the same member, or so that a packet can be handed to the session owner.

Why this answer

Option D is correct because in active/active mode the SYN can be seen by one firewall and the SYN-ACK by the other. If the member that sees the SYN-ACK has no session for it (session setup not yet replicated) and cannot hand the packet to the session owner, the handshake never completes. There is no security-policy drop, so the traffic log shows nothing; the evidence is in the global counters. Option A is wrong because a stale ARP cache would affect reachability of specific hosts, not new TCP handshakes in general. Option B is wrong because 'flow-based routing' is not a PAN-OS feature. Option C is wrong because session synchronization is stated to be enabled and would not selectively fail for TCP.

Caveat for practice: in PAN-OS active/active the intended behaviour is for the non-owner to forward such packets to the session owner over HA3; when HA3 is down or the session is not yet replicated, the half-seen handshake fails, which is why symmetric paths (or a distribution that sends both directions to the same member) matter.
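The failure modes behind questions 4, 9, 15 and 24 (no session state on the peer, and the two halves of a TCP handshake arriving on different members) are shown below in an added toy model. It is illustrative code written for this page, not PAN-OS internals: the hash distribution, HA2 replication and HA3 hand-off are simplified stand-ins for the real mechanisms, and the packets and addresses are constructed.

```python
"""Toy model of a two-member active/active pair: hash-based session setup
choice, optional session replication (stands in for HA2 sync) and an optional
hand-off of orphan packets to the session owner (stands in for HA3).
Illustrative code for this page; constructed packets, not PAN-OS behaviour."""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


def flow_key(p):
    """Direction-independent 5-tuple so both halves of a flow share one key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


@dataclass
class Firewall:
    name: str
    up: bool = True
    sessions: dict = field(default_factory=dict)  # flow_key -> owner name


class ActiveActivePair:
    def __init__(self, session_sync, ha3_forwarding):
        self.members = [Firewall("FW-A"), Firewall("FW-B")]
        self.session_sync = session_sync
        self.ha3_forwarding = ha3_forwarding

    def setup_member(self, p):
        """Hash the canonical key: the distribution picks which member sets up the session."""
        digest = hashlib.sha256(repr(flow_key(p)).encode()).digest()[0]
        return self.members[digest % len(self.members)]

    def peer_of(self, fw):
        return next(m for m in self.members if m is not fw)

    def process(self, fw, p):
        """Verdict for packet p arriving at member fw."""
        if not fw.up:
            return "LOST"
        key = flow_key(p)
        if p.flags == "SYN":
            fw.sessions[key] = fw.name           # this member becomes the session owner
            peer = self.peer_of(fw)
            if self.session_sync and peer.up:
                peer.sessions[key] = fw.name     # replicated to the peer (HA2 sync)
            return "ALLOW"
        if key in fw.sessions:
            return "ALLOW"
        # Non-SYN packet with no matching session: hand it to the owner if we can.
        peer = self.peer_of(fw)
        if self.ha3_forwarding and peer.up and key in peer.sessions:
            return "FORWARDED"
        return "DROP"  # rejected like a non-SYN first packet; no policy log entry


def asymmetric_handshake(session_sync, ha3_forwarding):
    """SYN arrives at FW-A, the SYN-ACK returns via FW-B, the ACK via FW-A (question 24)."""
    pair = ActiveActivePair(session_sync, ha3_forwarding)
    a, b = pair.members
    syn = Packet("10.10.5.7", 51000, "192.0.2.10", 443, "SYN")
    syn_ack = Packet("192.0.2.10", 443, "10.10.5.7", 51000, "SYN-ACK")
    ack = Packet("10.10.5.7", 51000, "192.0.2.10", 443, "ACK")
    return [pair.process(a, syn), pair.process(b, syn_ack), pair.process(a, ack)]


def failover_mid_session(session_sync):
    """FW-A owns a session and then fails; the next packet lands on FW-B (questions 4, 9, 15)."""
    pair = ActiveActivePair(session_sync, ha3_forwarding=True)
    a, b = pair.members
    syn = Packet("10.10.5.7", 51001, "192.0.2.10", 443, "SYN")
    data = Packet("10.10.5.7", 51001, "192.0.2.10", 443, "ACK")
    first = pair.process(a, syn)
    a.up = False
    return [first, pair.process(b, data)]


def hash_distributed_handshake():
    """When the network honours the same hash on the canonical key, both directions
    reach the same member and neither sync nor forwarding is needed (question 26)."""
    pair = ActiveActivePair(session_sync=False, ha3_forwarding=False)
    pkts = [Packet("10.10.5.7", 51002, "192.0.2.10", 443, "SYN"),
            Packet("192.0.2.10", 443, "10.10.5.7", 51002, "SYN-ACK"),
            Packet("10.10.5.7", 51002, "192.0.2.10", 443, "ACK")]
    return [pair.process(pair.setup_member(p), p) for p in pkts]


if __name__ == "__main__":
    print("asymmetric, no sync, no HA3 :", asymmetric_handshake(False, False))
    print("asymmetric, no sync, HA3    :", asymmetric_handshake(False, True))
    print("asymmetric, sync            :", asymmetric_handshake(True, False))
    print("failover, no sync           :", failover_mid_session(False))
    print("failover, sync              :", failover_mid_session(True))
    print("symmetric by hash           :", hash_distributed_handshake())
```

The SYN-ACK is the packet to watch: without replicated state and without a hand-off to the owner it is silently dropped (no policy rule was involved, so nothing appears in the traffic log), and after a member failure only replicated state lets the survivor continue the session.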

25
Drag & Drop · medium

Arrange the steps to enable and configure GlobalProtect on a Palo Alto Networks firewall.


Why this order

GlobalProtect setup involves portal, gateway, interface, and policy.

26
MCQ · hard

An HA pair is deployed with Active/Active mode. During a traffic spike, session table utilization reaches 90% on both firewalls. The engineer notices asymmetric routing and drops. What should be configured to optimize session distribution?

A.Change the HA mode to Active/Passive
B.Adjust the session distribution algorithm to match traffic patterns
C.Increase the HA2 link bandwidth using link aggregation
D.Enable session synchronization for all sessions
Answer: B

A distribution that keeps both directions of a flow on one member reduces asymmetry.

Why this answer

Option B is correct because active/active uses a session setup distribution (for example IP hash or IP modulo) to decide which member sets up each session; choosing the algorithm to match the traffic pattern keeps both directions of a flow on the same member and reduces asymmetry. Option A is wrong because falling back to active/passive removes the capacity the deployment was built for. Option C is wrong because more HA2 bandwidth does not change how sessions are distributed. Option D is wrong because replicating every session increases HA2 load and does nothing about asymmetry.

27
Multi-Select · hard

Which TWO troubleshooting steps are most effective when an HA pair is not synchronizing sessions between peers? (Assume HA1 and HA2 are up.)

Select 2 answers
A.Ensure session synchronization is enabled on both firewalls under Device > High Availability > Setup
B.Check HA1 link utilization
C.Increase the packet buffer protection threshold
D.Review the session synchronization configuration for mismatched parameters (e.g., encryption, timeout)
E.Restart the HA process on both firewalls
Answers: A, D

If session synchronization is disabled on either peer, no sync occurs.

Why this answer

Options A and D are correct. A: confirm that session synchronization is enabled on both firewalls; it is easy for the setting to be enabled on only one peer. D: review the session synchronization parameters on both peers for mismatches. Option B is wrong because HA1 carries the heartbeat and configuration sync, not session state; with HA1 up, its utilization is not the issue. Option E is wrong because restarting the HA process is disruptive and not a diagnostic step. Option C is wrong because Packet Buffer Protection does not affect synchronization.

28
MCQ · hard

The firewall is in passive state. The network team reports that during a recent maintenance window, the active firewall lost its upstream link but the passive firewall did not take over. Based on the exhibit, what is the most likely reason?

A.HA2 heartbeat link is down, preventing the passive from detecting the active's failure.
B.The fail-holdup timer is set to 0, causing immediate failover but not triggered.
C.Link monitoring is enabled but not configured to monitor the specific interface that failed.
D.Path monitoring is disabled so the passive does not monitor connectivity to the upstream router.
AnswerC

Link monitoring must include the interface; otherwise, its state change is ignored for failover decisions.

Why this answer

The exhibit shows link monitoring enabled but path monitoring disabled. Link monitoring only detects link state changes, but if the specific interface that lost link is not included in the link monitoring group, the failure is not considered. The passive did not take over because the interface that failed was not being monitored.

Option A is wrong because HA1 is up and the HA2 heartbeat is optional; B is wrong because a fail-holdup timer of 0 would not delay failover; D is wrong because path monitoring is not related to link state.

29
Multi-Select · hard

An engineer is troubleshooting an HA pair where session synchronization is not working. Which THREE steps should be taken to diagnose the issue? (Choose three.)

Select 3 answers
A. Verify that the HA2 link is operationally up
B. Check the session synchronization status using 'show running session-sync'
C. Check the HA1 link status using 'show high-availability state'
D. Review the system logs for session sync errors
E. Enable flow-based routing on both firewalls
Answers: A, B, D

HA2 is used for session synchronization.

Why this answer

Options A, B, and D are correct. Checking HA2 link status, verifying session sync status, and reviewing logs help identify sync issues. Option C is wrong because HA1 is for control, not session sync.

Option E is wrong because flow-based routing is not a standard feature for session sync.

30
MCQ · medium

A firewall in an HA pair is being upgraded. The administrator wants to minimize traffic loss. What is the recommended procedure for upgrading the passive firewall in an active/passive pair?

A. Upgrade the active firewall first, then failover to the passive
B. Upgrade the passive firewall, failover to it, then upgrade the original active
C. Suspend HA, upgrade both, then re-enable HA
D. Upgrade both firewalls simultaneously after disconnecting HA links
Answer: B

This ensures minimal traffic loss.

Why this answer

Option B is correct because you should upgrade the passive firewall first, perform a manual failover to it, then upgrade the new passive firewall. Option D is wrong because upgrading both at once causes downtime. Option A is wrong because you should upgrade the passive first, not the active.

Option C is wrong because suspending HA is unnecessary.

31
MCQ · hard

Refer to the exhibit. Based on the log, what triggered the failover?

A. Loss of HA1 heartbeat from the peer
B. A link failure on ethernet1/1
C. An administrator manually triggered a failover
D. A path monitoring group determined that the upstream ISP is unreachable
Answer: D

The log explicitly states path monitoring group failure.

Why this answer

Option D is correct because the log indicates that path monitoring group 'ISP1' failed, causing the state change. Option B is wrong because there is no interface-down log entry. Option A is wrong because there is no HA1 heartbeat failure.

Option C is wrong because it was not a manual admin action.

32
Multi-Select · medium

Which THREE steps should be taken to verify that an HA pair is ready for a scheduled failover?

Select 3 answers
A. Stop all logging to reduce CPU load
B. Perform a 'show high-availability sync-status' to confirm config synchronization
C. Verify HA2 link status is up
D. Confirm that session synchronization is enabled
E. Disable preemption on the active firewall
Answers: B, C, D

Config sync must be complete for consistency.

Why this answer

Options B, C, and D are correct. B: Confirm config synchronization so that both firewalls have the same configuration. C: Verify the HA2 link is up for session sync.

D: Ensure session synchronization is enabled to preserve sessions. E is wrong because disabling preemption is a configuration choice, not a readiness check. A is wrong because stopping logging is unnecessary and may hide issues.

33
MCQ · easy

An administrator notices that the HA pair shows a state mismatch: one firewall reports active, the other reports passive, but traffic is not flowing through the active firewall. What is the most likely cause?

A. Session synchronization is incomplete
B. The HA2 link is down
C. The passive firewall has a higher priority
D. The HA1 link is down and preemptive mode is enabled
Answer: D

With HA1 down and preemptive, both may attempt to become active, leading to mismatch.

Why this answer

Option D is correct because an HA1 link failure can cause both firewalls to think they are active (split-brain); here one sees active and the other passive, a mismatch often due to a preemptive configuration or hold timer issue. Option B is wrong because an HA2 link failure does not cause a state mismatch; it only affects session sync.

34
MCQ · medium

An engineer notices that the HA pair is not synchronizing configuration changes. The 'show high-availability sync-status' output shows 'sync-failure'. What is the first step to troubleshoot?

A. Verify HA1 link status and IP connectivity between peers
B. Disable preemption on the active firewall
C. Check the HA2 link session synchronization status
D. Reboot both firewalls to clear the failure
Answer: A

HA1 is used for configuration synchronization.

Why this answer

Option A is correct because the first step is to check HA1 link connectivity, as config sync uses HA1. Option C is wrong because HA2 is for data sync. Option D is wrong because rebooting is a last resort, considered only after connectivity has been checked.

Option B is wrong because preemption concerns the active/passive role, not configuration sync.

35
MCQ · hard

In an HA active/passive setup, the engineer wants to ensure that during a failover, existing FTP data sessions are not interrupted. What additional configuration is required beyond default session synchronization?

A. Use HA3 link for session synchronization
B. Enable asymmetric routing support
C. Enable UDP session synchronization
D. Configure an application layer gateway (ALG) for FTP
Answer: D

ALG ensures FTP control and data sessions remain intact.

Why this answer

Option D is correct because FTP is an application-layer protocol that requires ALG support; session sync alone does not handle FTP data connections. Option B is wrong because asymmetric routing is not related. Option C is wrong because UDP session sync is not needed for FTP.

Option A is wrong because HA3 is for packet forwarding, not session sync.

36
MCQ · hard

Refer to the exhibit. An active/active HA pair shows the local firewall as active-secondary. The last failover reason is 'path-group-down'. What should the administrator investigate first?

A. Inspect the session table for asymmetric routing between the firewalls.
B. Verify the link status of interface ethernet1/2 and its association with the path monitoring group.
C. Ensure the HA2 link is properly connected and firewalls can synchronize sessions.
D. Check the HA priority settings to ensure the local firewall should be active-secondary.
Answer: B

The link is down, and if it is used for path monitoring, it could cause the path group to go down.

Why this answer

The 'path-group-down' failover reason indicates that the firewall detected a failure in a monitored path group, which is associated with specific interfaces. Option B is correct because the administrator should first verify the link status of interface ethernet1/2 and its association with the path monitoring group, as this directly addresses the root cause of the failover trigger. Path monitoring is used to detect upstream connectivity loss and can cause a firewall to transition to active-secondary if the monitored path fails.

Exam trap

The trap here is that candidates often confuse 'path-group-down' with HA link failures or session synchronization issues, leading them to investigate HA2 links or session tables instead of the specific interface and path monitoring configuration.

How to eliminate wrong answers

Option A is wrong because asymmetric routing between firewalls would typically cause session setup failures or session timeouts, not a 'path-group-down' failover reason; path monitoring is independent of session table symmetry. Option C is wrong because the HA2 link is used for session synchronization and state propagation, but a 'path-group-down' failover is triggered by path monitoring, not by HA2 link failure; an HA2 link failure would show a different failover reason such as 'ha2-link-down'. Option D is wrong because HA priority settings determine which firewall becomes active-primary or active-secondary during initial election or preemption, but the 'path-group-down' reason indicates a dynamic failover due to a path monitoring event, not a priority mismatch.

37
MCQ · hard

Based on the exhibit, what is the most likely cause of the warnings?

A. The HA3 link is misconfigured
B. Configuration synchronization is failing
C. Both the primary and backup HA2 links are down
D. The HA2 keepalive timer is set too low
Answer: C

Warnings for both indicate link failure.

Why this answer

Option C is correct. The HA2 link (ethernet1/3) is down, and the backup link (ethernet1/5) also shows missing keepalives, indicating both the primary and backup HA2 links are down. Option A is wrong because HA3 is for packet forwarding, not session sync.

Option D is wrong because the HA2 timers are at their defaults. Option B is wrong because configuration sync uses HA1, not HA2.

38
MCQ · easy

What is the recommended best practice for the HA2 keepalive timer in an active/passive HA configuration?

A. 2000 ms
B. It should be left at the default value and not changed
C. 500 ms
D. 1000 ms
Answer: D

Default and recommended for stability.

Why this answer

Option D is correct because the default HA2 keepalive timer is 1000 ms (1 second). Option C is wrong because 500 ms is too aggressive. Option A is wrong because 2000 ms may cause delayed failover.

Option B is wrong because the timer is configurable, not automatic.

39
Multi-Select · easy

Which TWO conditions can cause an HA pair to show a state of 'suspended'?

Select 2 answers
A. Software version mismatch between peers
B. HA2 link failure
C. License mismatch between peers
D. Configuration synchronization failure
E. HA1 link failure
Answers: D, E

If config sync fails, firewall may suspend to avoid inconsistency.

Why this answer

Options D and E are correct. E: When the HA1 link is down, the pair may go suspended if there is no alternative keepalive path. D: If the passive firewall cannot sync its configuration, it may enter the suspended state.

B is wrong because HA2 failure does not cause suspended; it only affects session sync. A is wrong because a version mismatch typically shows 'non-functional' or 'reconnect'. C is wrong because a license mismatch does not affect HA state directly.

40
MCQ · easy

A company has deployed two PA-3220 firewalls in an active/passive high availability configuration. During normal operation, the active firewall (FW-A) handles all traffic. The network team notices that after a brief power outage, both firewalls report as active in the HA pair, causing network instability. The administrator needs to resolve this issue and prevent it from recurring. Which course of action should the administrator take?

A. Reboot both firewalls simultaneously to reset the HA state.
B. Disable link speed and duplex settings on the HA interfaces to force a failover.
C. Configure the HA mode with the 'preemptive' option and set the device priority higher on the intended active firewall.
D. Set the HA mode to 'active/active' to allow both firewalls to process traffic.
Answer: C

Preemptive ensures the higher-priority device becomes active after recovery, preventing both firewalls from staying active.

Why this answer

The issue is likely caused by both firewalls becoming active after the power outage due to lack of preemptive behavior. Configuring the 'preemptive' option and setting FW-A with higher device priority ensures it reclaims the active role when both are healthy, preventing split-state.

41
MCQ · easy

An administrator needs to verify the health of HA links. Which CLI command displays the current status of HA1, HA2, and HA3 links?

A. show session info
B. show running np-ips
C. show device-info
D. show high-availability state
Answer: D

Displays HA status including link states.

Why this answer

Option D is correct because 'show high-availability state' displays HA link statuses. Option C is wrong because 'show device-info' does not show HA links. Option B is wrong because 'show running np-ips' shows management plane info.

Option A is wrong because 'show session info' shows sessions.

42
MCQ · easy

After upgrading the software on an HA pair, the two firewalls report different HA states. Which command should be used to quickly verify the HA configuration synchronization status?

A. show high-availability pending-changes
B. show high-availability state
C. show high-availability sync-status
D. show high-availability link-monitoring
Answer: C

Displays config sync status between peers.

Why this answer

Option C is correct because 'show high-availability sync-status' displays the configuration sync state. Option B shows general HA state, not sync. Option A shows pending changes.

Option D shows link-monitoring status.

43
MCQ · medium

During a failover test, an engineer observes that after the active firewall fails, the passive firewall takes over, but existing UDP sessions are not maintained. What is the most likely reason?

A. The HA pair is in active/active mode
B. The failover delay timer is too long
C. UDP sessions are not synchronized by default in active/passive mode
D. Session synchronization is disabled on the passive firewall
Answer: C

Only TCP sessions are synced by default; UDP sessions require additional configuration.

Why this answer

Option C is correct because UDP sessions are not synchronized by default in active/passive mode; TCP sessions are synced. Option D is wrong because session sync is enabled by default. Option B is wrong because failover is immediate.

Option A is wrong because the scenario describes an active/passive pair, not active/active.

44
MCQ · medium

Based on the exhibit, what caused the last failover?

A. The HA2 link went down.
B. A preemption event occurred.
C. The peer firewall was rebooted.
D. The HA1 keepalive from the peer was lost.
Answer: D

The output shows 'last failure reason: peer HA1 keepalive lost'.

Why this answer

The exhibit shows 'HA1 keepalive from the peer was lost' as the last failover reason. In an active/passive HA pair, the passive firewall monitors HA1 keepalive messages from the active peer. When these keepalives are not received within the configured hello interval (default 1 second) and hold timer (default 3 seconds), the passive firewall assumes the active peer has failed and initiates a failover to become active.

Exam trap

The trap here is that candidates often confuse the HA1 link (control link for keepalives) with the HA2 link (data link for session sync), leading them to incorrectly select Option A when the actual failover trigger is loss of HA1 keepalive, not HA2 link failure.

How to eliminate wrong answers

Option A is wrong because the HA2 link is used for session synchronization and state propagation, not for keepalive monitoring; a HA2 link failure alone does not trigger a failover unless it also causes HA1 keepalive loss. Option B is wrong because a preemption event would be logged as 'Preempted by local firewall' or 'Preempted by peer firewall', not as a keepalive loss; preemption is a configuration-based event that occurs when the higher-priority firewall comes back online. Option C is wrong because if the peer firewall was rebooted, the failover reason would typically show 'Peer firewall rebooted' or 'HA1 keepalive from the peer was lost' only if the reboot caused keepalive failure, but the direct cause logged is the keepalive loss, not the reboot itself.

45
MCQ · medium

Refer to the exhibit. An engineer configures HA with link monitoring and path monitoring. However, failover does not occur when ethernet1/2 goes down. What is the likely reason?

A. The HA group-id is not unique in the network
B. HA2 link is down preventing failover
C. Path monitoring interval is set too high, causing delayed failover
D. 'link-monitoring' is configured under the high-availability hierarchy but not explicitly enabled
Answer: D

In PAN-OS, link monitoring must be enabled with 'enable yes' under high-availability; interfaces alone do not enable it.

Why this answer

The exhibit shows link-monitoring configured with interfaces ethernet1/1 and ethernet1/2 and a failure condition of 'any', so failover should occur when either interface goes down. Since it does not, the interface list is not the problem: the snippet shows 'link-monitoring { interfaces ...' with no 'enable yes' before it, and in PAN-OS link monitoring must be explicitly enabled at the high-availability level. This is a common pitfall, so Option D is correct.

Option A is wrong because the group-id is present in the exhibit. Option B is wrong because HA2 carries session synchronization and is irrelevant to link-monitoring failover. Option C is wrong because the path monitoring interval does not affect link monitoring.

46
MCQ · hard

A large enterprise uses an active/passive HA pair of PA-5250 firewalls to secure their data center. The network team recently migrated from a flat network to a VXLAN-based overlay. After the migration, they notice that during failover tests, the new active firewall does not forward traffic for VXLAN-terminated VLANs, even though the physical interfaces are up and the HA state transitions correctly. The configuration uses subinterfaces on Ethernet1/1 for each VLAN, with VXLAN tunnel termination on the firewall. The passive firewall receives the configuration sync, but show vxlan tunnel shows no VXLAN tunnels on the new active firewall after failover. The sessions are synced via HA2. The ARP table is correct. Which course of action should the engineer take to resolve the issue?

A. Add static routes for the VXLAN tunnel endpoints on the passive firewall.
B. Enable VXLAN tunnel synchronization under HA setup.
C. Reboot the new active firewall to reload the VXLAN configuration.
D. Configure a policy to send a small amount of traffic through each VXLAN tunnel to trigger tunnel establishment on the new active firewall.
Answer: D

This will cause the firewall to re-establish the VXLAN tunnels dynamically.

Why this answer

Option D is correct because VXLAN tunnels on Palo Alto Networks firewalls are dynamically established based on data-plane traffic. After a failover, the new active firewall does not automatically rebuild the tunnels; it requires traffic to trigger the tunnel establishment. Sending a small amount of traffic through each VXLAN tunnel forces the firewall to initiate the VXLAN tunnel setup, populating the 'show vxlan tunnel' output and restoring traffic forwarding.

Exam trap

The trap here is that candidates assume configuration sync includes dynamic tunnel state, but Palo Alto Networks firewalls do not synchronize VXLAN tunnel state across HA peers, requiring traffic to trigger tunnel establishment on the new active firewall.

How to eliminate wrong answers

Option A is wrong because static routes for VXLAN tunnel endpoints are not required; the firewall learns the tunnel endpoints via the VXLAN configuration and ARP, and adding static routes does not address the dynamic tunnel establishment issue. Option B is wrong because VXLAN tunnel synchronization is not a configurable feature under HA setup; Palo Alto Networks firewalls do not synchronize VXLAN tunnel state via HA2, only session and configuration sync occur. Option C is wrong because rebooting the firewall would not resolve the issue; the VXLAN configuration is already present from the sync, but the tunnels are not established until data traffic triggers them, and a reboot would cause unnecessary downtime without fixing the root cause.

47
MCQ · hard

A large enterprise uses a pair of PA-5250 firewalls in an active/passive high availability configuration to protect their data center. The firewalls are connected to two upstream switches via aggregate Ethernet (AE) interfaces. The network team recently replaced the upstream switches, and since then, the passive firewall has gone into a 'non-functional' state. The active firewall shows no issues. The HA1 link is a direct cable connection between the firewalls, and HA2 is an out-of-band dedicated link. The administrative status of both firewalls is 'active-active' in the HA monitoring, but only one firewall is actually forwarding traffic. The team needs to restore proper HA operation. Which action should the team take first?

A. Verify the physical connectivity and configuration of the HA2 link, as session synchronization failure can cause the passive node to be non-functional.
B. Reboot the passive firewall to attempt to re-establish HA communication.
C. Check the logs on the passive firewall for new critical events during the switch replacement.
D. Review the path monitoring configuration on both firewalls to ensure that the AE link to the new switches is correctly monitored for failover.
Answer: D

Path monitoring checks data plane connectivity; if the monitored interface is down or misconfigured, the passive firewall goes non-functional. The switch replacement likely altered link characteristics, making the monitored path appear failed.

Why this answer

The passive firewall went non-functional after the switch replacement, suggesting that path monitoring (which tracks data plane connectivity) is misconfigured or that the new switches cause the monitored path to appear down. The first step is to review path monitoring on both firewalls to ensure the AE interface to the new switches is correctly monitored. Checking HA2 (A) is less likely to help since it is dedicated and unchanged; checking logs (C) is a secondary step; rebooting (B) is disruptive and may not fix the root cause.

48
MCQ · easy

A company operates a pair of PA-3220 firewalls in an active/passive HA configuration. The passive firewall is experiencing intermittent HA keepalive failures, causing unnecessary failovers every few minutes. The network engineer checks the HA1 interface statistics and notices packet loss on the dedicated HA1 link. The engineer suspects a physical layer issue. However, the engineer also wants to reduce the sensitivity of the HA keepalive mechanism to tolerate occasional packet loss without triggering a failover. The firewalls are currently using default HA keepalive settings. What should the engineer do to reduce the frequency of false failovers without compromising the ability to detect a true failure?

A. Disable HA1 link monitoring and rely solely on path monitoring.
B. Change the HA mode to active/active to balance traffic and reduce load on the active unit.
C. Enable HA2 and configure it as a second heartbeat link for redundancy.
D. Increase the HA timer (keepalive interval) and increase the number of missed keepalives allowed.
Answer: D

This makes the HA detection less sensitive to sporadic packet loss while still recognizing persistent failure.

Why this answer

Increasing the keepalive interval (making it less frequent) and increasing the number of missed keepalives allowed before declaring a failure lets the firewall tolerate occasional packet loss, reducing false failovers. Option A would not address keepalive loss; B changes the HA mode but does not reduce sensitivity; C adds redundancy but does not reduce sensitivity and might even add complexity.
