An administrator has been asked to configure active/active HA for a pair of firewalls. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario?
A. The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP.
B. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP.
C. The firewalls do not use floating IPs in active/active HA.
D. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
ANSWER: A
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/ha-concepts/floating-ip-address-and-virtual-mac-address.html
"each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure. ...
If a link or firewall fails or a path monitoring event causes a failover, the floating IP address and virtual MAC address move over to the functional firewall. ... The functioning firewall sends a gratuitous ARP to update the MAC tables of the connected switches to inform them of the change in floating IP address"
Each firewall has its own floating IP. The fact that they both send information to the same gateway doesn't mean they need to have just one floating IP, and the use case Palo Alto pushes is 1 floating IP for each firewall, which can at any moment go to the other firewall in case the original owner of one of them fails.
Study Guide Page 180 and https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case/use-case-configure-activeactive-ha-with-floating-ip-addresses
The active/active HA firewalls share a single floating IP address that you bind to whichever firewall is in the active-primary state. With only one floating IP address, network traffic flows predominantly to a single firewall, so this active/active deployment functions like an active/passive deployment.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case/use-case-configure-activeactive-ha-with-floating-ip-address-bound-to-active-primary-firewall#id93973f10-2001-4ae4-b475-faa7e70967c1
I will choose B. "Each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure". That means each firewall has its own floating IP.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/floating-ip-address-and-virtual-mac-address#:~:text=each%20HA%20firewall%20interface%20has%20its%20own%20IP%20address%20and%20floating%20IP%20address
It depends,
1. With an L3 scenario with an Active/Active deployment that behaves like an Active/Passive deployment (Use Case: Configure Active/Active HA with Floating IP Address Bound to Active-Primary Firewall, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case#id726797f4-7d7b-4204-b86c-42589d19e8ac) there is only ONE FLOATING IP.
2. There is also a use case with TWO FLOATING IPs, so please be careful with your assumptions.
From the description I would say "Standard L3 use case" (with active/active for faster failover), so only ONE FLOATING IP. >>>> ANSWER A
But maybe the use case is the other, not 100% sure.
B. each HA firewall interface has its own IP address and floating IP address. The interface IP address remains local to the firewall, but the floating IP address moves between the firewalls upon firewall failure.
In such a scenario, all hosts are configured with a single gateway IP address. One of the firewalls responds to ARP requests for the gateway IP address with its virtual MAC address. Each firewall has a unique virtual MAC address generated for the shared IP address. The load-sharing algorithm that controls which firewall will respond to the ARP request is configurable; it is determined by computing the hash or modulo of the source IP address of the ARP request.
After the end host receives the ARP response from the gateway, it caches the MAC address and all traffic from the host is routed via the firewall that responded with the virtual MAC address for the lifetime of the ARP cache. The lifetime of the ARP cache depends on the end host operating system.
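Added example, not part of the original discussion and not Palo Alto Networks code: a simplified Python model of the ARP load-sharing behaviour described in the comment above, showing which device answers a host's ARP request and how the host's ARP cache pins its traffic to that device. The gateway IP, the virtual MAC values and the CRC32 stand-in hash are assumptions made for illustration.

```python
import ipaddress
import zlib
from collections import Counter

# Constructed placeholder values: shared gateway IP and one virtual MAC per device ID.
GATEWAY_IP = "192.0.2.1"
VIRTUAL_MAC = {0: "02:00:5e:00:00:00", 1: "02:00:5e:00:00:01"}


def responder(src_ip: str, algorithm: str = "modulo") -> int:
    """Return the device ID (0 or 1) that answers an ARP request from src_ip (IPv4)."""
    addr = int(ipaddress.IPv4Address(src_ip))
    if algorithm == "modulo":
        return addr % 2
    if algorithm == "hash":
        # CRC32 is a stand-in for illustration, not the firewall's own hash.
        return zlib.crc32(addr.to_bytes(4, "big")) % 2
    raise ValueError(f"unknown algorithm: {algorithm}")


class Host:
    """End host that caches the gateway MAC after its first ARP exchange."""

    def __init__(self, ip: str):
        self.ip = ip
        self.arp_cache = {}

    def gateway_mac(self, algorithm: str = "modulo") -> str:
        # Only ARP when the cache has no entry; otherwise reuse the cached MAC,
        # so the host stays on the same firewall until the entry is flushed.
        if GATEWAY_IP not in self.arp_cache:
            self.arp_cache[GATEWAY_IP] = VIRTUAL_MAC[responder(self.ip, algorithm)]
        return self.arp_cache[GATEWAY_IP]


def distribution(network: str, algorithm: str = "modulo") -> Counter:
    """Count how many hosts in the network resolve the gateway to each device."""
    hosts = ipaddress.ip_network(network).hosts()
    return Counter(responder(str(h), algorithm) for h in hosts if str(h) != GATEWAY_IP)


if __name__ == "__main__":
    print("modulo:", dict(distribution("192.0.2.0/28", "modulo")))
    print("hash:  ", dict(distribution("192.0.2.0/28", "hash")))
    h = Host("192.0.2.11")
    print(h.ip, "->", h.gateway_mac())
```

When reading traffic or threat logs from such a pair, the same mapping tells you which firewall should hold a given host's sessions.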
VickiF is correct. The docs say that each HA interface has its own IP and floating IP. That makes two floating IPs. Answer A says there is only one shared IP and is thus false.
It should be B. Each firewall has its own floating IP, so that traffic can flow to both. When something happens to one firewall, its floating IP will fail over to the other firewall, and that firewall will have both floating IPs.
Community vote distribution: A (35%, Most Voted), C (25%), B (20%), Other