Exam PCNSE topic 1 question 322 discussion

I think that it is A,B,E because configuration is fully sinchronized in a A/P too.

Active/active mode requires advanced design concepts that can result in more complex networks. Depending on how you implement active/active HA, it might require additional configuration such as activating networking protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses to provide proper failover. Because both firewalls are actively processing traffic, the firewalls use additional concepts of session owner and session setup to perform Layer 7 content inspection. Active/active mode is recommended if each firewall needs its own routing instances and you require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic.

as per https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-modes An active/active configuration does not load-balance traffic. Although you can load-share by sending traffic to the peer, no load balancing occurs.

Going with A,D,E. Based on this docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-modes

There's a lot left there to unpack with D. It is A, B and E

It is not a good practice to handle peaks using both firewall capacities. This defeats the purpose of Full redundancy, so B can't be right.

the other explanations are good.

Hello, if you look at the palo reference for HA Sync, you see that more things can be synced with A/P (i.e FIB,MFIB, ARP Table, MAC Table) so it is clear in Active/Active deployment full sync is beside the point.... https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/reference-ha-synchronization Here the question does not refer to firewall doing the load balancing, but the environment requires load balancing to allow the customer to send traffic through both firewalls.

Im guessing ADE, and not choosing B as Palo Alto explicitly dissuades configuring the firewalls to handle more traffic than one firewall is capable of handling. This would defeat the entire purpose of HA in the event of a failover, as the failover would result in network performance degradation from the newly created bottleneck.

Bros the A/A does not balance the traffic, you need an external load balancer to do so. So B cannot be an option. ADC sounds accurate.

Answer B is definetly wrong! The Palo Alto Firewall are not able to load balance traffic.

ABE, C is only possible on Active/Passive, and D is incorrect since the config is sync on Active/Passive too.

configuration is Synced in A/P too, answer is A B E.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/arp-load-sharing Firewall support ARP load sharing but not the load balancing.

ADE is correct

ABE. "Active/active mode has faster failover and can handle peak traffic flows better than active/passive mode because both firewalls are actively processing traffic." Source:https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-modes

Correct answer is ABE C makes no sense D can also be done with Active-Passive HA A is a little ambiguous since A/A HA doesn't guarantee that both fw will always be working, it just says that if one fails the other is still working, but A/P just guarantees that at least one will always be working so only A/A can achieve what A) describes B. Is the textbook definition of why Active/active HA can be useful E. Is one of the reasons why A/A HA can be faster.