A company has two Palo Alto Networks firewalls configured in an active/passive HA pair. During a failover test, the passive firewall becomes active, but traffic stops passing through the new active firewall. The management interface on the new active firewall is reachable. What is the most likely cause?
Trap 1: The ARP table was not synchronized during failover.
ARP entries are synchronized via HA1 backup, so this is unlikely.
Trap 2: The HA2 link is down, causing session table mismatch.
HA2 is for session synchronization, not for traffic forwarding.
Trap 3: The new active firewall does not have a valid license.
Licenses are shared in HA; both firewalls inherit the same license.
- A. The ARP table was not synchronized during failover.
  Why wrong: ARP entries are synchronized via HA1 backup, so this is unlikely.
- B. The HA2 link is down, causing session table mismatch.
  Why wrong: HA2 is for session synchronization, not for traffic forwarding.
- C. The new active firewall does not have a valid license.
  Why wrong: Licenses are shared in HA; both firewalls inherit the same license.
- D. The session setup rate exceeded the new active firewall's capacity.
  If the session setup rate is too high, the firewall may drop new sessions while still being manageable.