Exam PCNSE topic 1 question 322 discussion

I think that it is A,B,E because configuration is fully sinchronized in a A/P too.

the other explanations are good.

Hello, if you look at the palo reference for HA Sync, you see that more things can be synced with A/P (i.e FIB,MFIB, ARP Table, MAC Table) so it is clear in Active/Active deployment full sync is beside the point.... https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/reference-ha-synchronization Here the question does not refer to firewall doing the load balancing, but the environment requires load balancing to allow the customer to send traffic through both firewalls.

Im guessing ADE, and not choosing B as Palo Alto explicitly dissuades configuring the firewalls to handle more traffic than one firewall is capable of handling. This would defeat the entire purpose of HA in the event of a failover, as the failover would result in network performance degradation from the newly created bottleneck.

Bros the A/A does not balance the traffic, you need an external load balancer to do so. So B cannot be an option. ADC sounds accurate.

Answer B is definetly wrong! The Palo Alto Firewall are not able to load balance traffic.

ABE, C is only possible on Active/Passive, and D is incorrect since the config is sync on Active/Passive too.

configuration is Synced in A/P too, answer is A B E.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/arp-load-sharing Firewall support ARP load sharing but not the load balancing.

ADE is correct

ABE. "Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic." Source:https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-modes

Correct answer is ABE C makes no sense D can also be done with Active-Passive HA A is a little ambiguous since A/A HA doesn't guarantee that both fw will always be working, it just says that if one fails the other is still working, but A/P just guarantees that at least one will always be working so only A/A can achieve what A) describes B. Is the textbook definition of why Active/active HA can be useful E. Is one of the reasons why A/A HA can be faster.

A,B,E are the correct options

worth noting that A/A does not load balance traffic... it can load-share "An active/active configuration does not load-balance traffic. Although you can load-share by sending traffic to the peer, no load balancing occurs. Ways to load share sessions to both firewalls include using ECMP, multiple ISPs, and load balancers."

Voted ABE (D is applicable for both a/a and a/p)

Active/Active— Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup and session ownership. Both firewalls individually maintain session tables and routing tables and synchronize to each other. ctive/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/ha-modes

A,D,E Yes A:Active/active mode is recommended ..if you require full, real-time redundancy out of both firewalls all the time. Not B:An active/active configuration does not load-balance traffic. Although you can load-share by sending traffic to the peer, no load balancing occurs. Not C: active/active mode does support Layer 2 deployment, Only L3 and Vwire Yes E:Active/Active firewalls individually maintain session tables and routing tables and synchronize to each other. Leaves D, left as 3rd answer