
High Availability and Redundancy

The document contains a comprehensive list of 45 interview questions and answers related to High Availability (HA) and Redundancy in Palo Alto Firewalls. It covers essential topics such as HA modes, configuration, failover processes, troubleshooting, and best practices. Each question is accompanied by detailed explanations and examples to aid understanding and preparation for interviews in this field.

Uploaded by shobhit Banerjee

Top 45 High Availability and Redundancy Interview Q&A with Explanations
45 Interview Q&A for High Availability and Redundancy | [email protected] | +91 9739521088

Contents
1. What is High Availability (HA) in Palo Alto Firewalls, and why is it important?
2. What are the different HA modes in Palo Alto Firewalls?
3. What are HA1 and HA2 links, and what role do they play in HA?
4. How do you configure HA in Palo Alto Firewalls?
5. What is the difference between path monitoring and link monitoring in HA?
6. What happens during a failover in an Active-Passive setup?
7. How do you check HA status in Palo Alto?
8. What is stateful failover, and how does it work in HA?
9. How does session synchronization work in HA?
10. What is preemption in HA, and should it be enabled?
11. What is the role of Device-ID in Active-Active HA?
12. How do you troubleshoot an HA failure in Palo Alto?
13. What is a split-brain scenario in HA, and how can you prevent it?
14. How do virtual firewalls work in an HA environment?
15. How do you test a failover in an HA setup?
16. What are HA timers in Palo Alto, and how do they affect failover?
17. What happens if the HA1 link fails but HA2 is still active?
18. How can you configure a backup HA1 interface?
19. What is the purpose of HA3 in Active-Active HA?
20. Can HA failover cause traffic loss?
21. How does a firewall determine which HA peer becomes Active?
22. What is the significance of ‘tentative’ state in HA?
23. What role does the heartbeat backup play in HA?
24. How can you force a firewall to become Active in an HA pair?
25. What are the licensing considerations for HA in Palo Alto Firewalls?
26. What is ‘suspended’ state in HA, and how can you recover from it?
27. How does HA impact VPN tunnels?
28. How do you troubleshoot asymmetric routing in an Active-Active HA setup?
29. What is device priority in HA, and how does it affect failover?
30. How do you simulate a failover test in Palo Alto HA?
31. How do you configure preemption in Palo Alto HA?
32. What are the different HA link states in Palo Alto?
33. How can you configure link and path monitoring in HA?
34. How does the firewall decide when to trigger a failover?
35. How do you troubleshoot an HA failover that did not occur?
36. What is the purpose of session owner and session setup in Active-Active HA?
37. How do you verify HA status using CLI?
38. What is graceful failover, and why is it important?
39. How do you ensure that HA failover does not disrupt routing?
40. What are some best practices for HA configuration in Palo Alto?
41. Can both HA peers share the same management IP?
42. How does HA work in a multi-VSYS environment?
43. What impact does a firmware upgrade have on HA?
44. How can you check if session synchronization is working?
45. What happens if the HA2 link is down?
46. How do you change HA configuration without causing failover?


1. What is High Availability (HA) in Palo Alto Firewalls, and why is it important?

Answer:
HA allows two firewalls to operate together to ensure redundancy and failover. If one
firewall fails, the other takes over without disrupting traffic, ensuring network uptime.

Example:
A company with mission-critical applications deploys HA so that in case of a primary
firewall failure, the secondary firewall seamlessly takes over.

2. What are the different HA modes in Palo Alto Firewalls?

Answer:
Palo Alto supports:

1. Active-Passive: One firewall is active, the other remains on standby.
2. Active-Active: Both firewalls actively process traffic, often used in asymmetric
routing environments.

Example:
A financial institution may use Active-Active HA for load balancing across multiple ISPs.

3. What are HA1 and HA2 links, and what role do they play in HA?

Answer:

• HA1 (Control Link): Used for state synchronization, heartbeat, and failover
decisions.
• HA2 (Data Link): Synchronizes sessions, VPN tunnels, NAT tables, etc.

Example:
If HA1 fails, both firewalls may assume active roles (split-brain). If HA2 fails, session
synchronization is lost, affecting stateful failover.

4. How do you configure HA in Palo Alto Firewalls?

Answer:


1. Device → High Availability → General Settings
2. Enable HA and assign a Group ID
3. Configure HA1 and HA2 interfaces
4. Select HA Mode (Active-Passive or Active-Active)
5. Enable Session Synchronization for stateful failover
6. Commit and verify HA status

5. What is the difference between path monitoring and link monitoring in HA?

Answer:

• Link Monitoring: Monitors interface status; failure triggers failover.
• Path Monitoring: Monitors reachability of a critical IP (e.g., next-hop router, ISP
gateway).

Example:
If an interface connected to an ISP goes down, Link Monitoring triggers failover. If a
remote gateway becomes unreachable, Path Monitoring initiates failover.

6. What happens during a failover in an Active-Passive setup?

Answer:

1. The primary firewall detects a failure (e.g., power loss, link failure).
2. The secondary firewall becomes active.
3. The HA2 link ensures stateful session synchronization (if configured).
4. Traffic resumes with minimal disruption.

Example:
A failover occurs when a power outage affects the active firewall. The passive firewall takes
over, ensuring no loss of internet connectivity.

7. How do you check HA status in Palo Alto?

Answer:

• GUI: Device → High Availability → General → State
• CLI: show high-availability state


Example Output:

State: Active
Peer State: Passive
Connection: Up

8. What is stateful failover, and how does it work in HA?

Answer:
Stateful failover ensures active connections are maintained during a failover event. The HA2
link synchronizes session details so that ongoing sessions (e.g., SSH, VoIP calls) continue
uninterrupted.

Example:
During failover, an active SSL VPN session remains connected because session details were
synchronized over the HA2 link.

9. How does session synchronization work in HA?

Answer:
Session synchronization allows firewalls to share active session states over the HA2 link.

 If the active firewall fails, the passive firewall retains all active session details.
 Session sync covers NAT tables, VPN tunnels, and active connections.

Example:
An ongoing FTP file transfer remains active after failover because session details were
synchronized.

10. What is preemption in HA, and should it be enabled?

Answer:
Preemption allows a firewall to reclaim its active role after recovering from a failure.

Pros: Ensures primary firewall always becomes active.
Cons: Can cause unnecessary failovers if the firewall keeps flapping.

Example:
A firewall with preemption enabled resumes as the active device after recovering from a
reboot.


11. What is the role of Device-ID in Active-Active HA?

Answer:

• Device 0 and Device 1 are assigned to differentiate between firewalls.
• It helps distribute traffic evenly across both firewalls.

Example:
In Active-Active mode, Device 0 handles VPN traffic while Device 1 manages general
internet traffic.

12. How do you troubleshoot an HA failure in Palo Alto?

Answer:

1. Check HA state: show high-availability state
2. Check HA logs: less mp-log ha_agent.log
3. Verify HA1 and HA2 link status
4. Check if both devices have identical configurations

13. What is a split-brain scenario in HA, and how can you prevent it?

Answer:
A split-brain scenario occurs when HA communication fails, causing both firewalls to
assume the Active role.

Prevention:

• Use a dedicated HA1 link with a backup HA1 interface.
• Configure heartbeat backup over the management interface.
• Use path monitoring to prevent incorrect failovers.

Example:
If HA1 fails due to a cable issue, both firewalls may become active, leading to network
disruptions.


14. How do virtual firewalls work in an HA environment?

Answer:
Virtual firewalls in an HA environment share the same redundancy and failover capabilities.
They sync configurations, policies, and session states between HA peers.

Example:
A service provider using multiple virtual firewalls (VSYS) ensures that failover occurs
without affecting customer traffic.

15. How do you test a failover in an HA setup?

Answer:
Method 1: Manually suspend the active firewall:

request high-availability state suspend

Method 2: Disable an HA-monitored interface.
Method 3: Power off the active firewall and check if the passive firewall takes over.

Example:
An HA test confirms that when the primary firewall is powered off, the secondary firewall
becomes active within milliseconds, ensuring seamless failover.

16. What are HA timers in Palo Alto, and how do they affect failover?

Answer:
HA timers define the detection and failover time intervals. Important timers include:

• Heartbeat Interval: Time between HA heartbeats (default: 1000ms).
• Hello Interval: Time between hello messages (default: 8000ms).
• Monitor Hold Time: Time before HA deems a failure valid (default: 3000ms).

Example:
Lowering the Monitor Hold Time from 3s to 1s speeds up failover but may increase false
positives.


17. What happens if the HA1 link fails but HA2 is still active?

Answer:

• HA1 failure means the firewalls cannot communicate status updates.
• Both firewalls may become Active, leading to a split-brain scenario.
• If HA2 is working, session synchronization still occurs, but failover may not be
handled properly.

Example:
If HA1 is on a faulty cable and no backup HA1 is configured, both firewalls might process
traffic simultaneously, causing duplicate packets and routing issues.

18. How can you configure a backup HA1 interface?

Answer:

1. Navigate to Device → High Availability → General Settings.
2. Enable HA1 Backup and assign an interface (e.g., management).
3. Ensure IP connectivity exists between both HA peers.

Example:
Using the management interface as an HA1 Backup ensures HA communication even if the
main HA1 interface fails.

19. What is the purpose of HA3 in Active-Active HA?

Answer:

• HA3 (Packet Forwarding Link) is used in Active-Active mode for session
synchronization and asymmetric traffic flow.
• HA3 allows packet forwarding between both firewalls to maintain stateful session
information.

Example:
In Active-Active mode, firewall A might receive traffic and forward it to firewall B via the
HA3 link to ensure correct packet flow.


20. Can HA failover cause traffic loss?

Answer:
Failover in Active-Passive mode is stateful, meaning sessions are retained. However, brief
packet loss may occur due to:

• ARP table updates.
• Routing protocol reconvergence (OSPF, BGP).
• HA timers not optimized.

Example:
A VoIP call may drop for 1-2 seconds if the failover process takes too long, especially if
session synchronization is not configured correctly.

21. How does a firewall determine which HA peer becomes Active?

Answer:
Palo Alto uses the following election process:

1. Priority Value (Lower wins) – Default: 100.
2. Firewall with the most operational links.
3. Firewall with the most monitored paths available.
4. Serial Number (Lower wins).

Example:
If firewall A has a priority of 50 and firewall B has 100, firewall A becomes active.

22. What is the significance of ‘tentative’ state in HA?

Answer:
The tentative state occurs when a firewall is not ready to become Active or Passive due to:

• Incomplete HA configuration.
• Configuration mismatch between peers.
• Hardware issues.

Example:
After a firewall reboot, it may enter a tentative state until it fully syncs with the Active peer.


23. What role does the heartbeat backup play in HA?

Answer:

• Used to detect HA1 failures and prevent split-brain scenarios.
• Configured over the management interface or a separate interface.

Example:
If the primary HA1 link fails, the heartbeat backup ensures that the secondary firewall
remains Passive instead of becoming Active unexpectedly.

24. How can you force a firewall to become Active in an HA pair?

Answer:
Use the CLI command:

request high-availability state primary

This manually sets a firewall to Active state.

Example:
After maintenance on the primary firewall, an admin forces it back to Active once it is
stable.

25. What are the licensing considerations for HA in Palo Alto Firewalls?

Answer:

• Both firewalls in an HA pair must have the same licenses (Threat Prevention, URL
Filtering, etc.).
• The passive firewall does not require a license unless it becomes active.

Example:
If the secondary firewall lacks a Threat Prevention license, IPS/IDS features may not
function correctly after failover.

26. What is ‘suspended’ state in HA, and how can you recover from it?

Answer:
A firewall enters suspended state when:


• An admin manually suspends HA.
• A critical HA error occurs (configuration mismatch, interface failure).

Recovery:
Run:

request high-availability state functional

Example:
A firewall was put into suspended mode for troubleshooting. Once resolved, the admin
resumes HA operations.

27. How does HA impact VPN tunnels?

Answer:

• HA ensures IPSec and GlobalProtect VPN sessions persist across failovers.
• If session synchronization is enabled, VPN users do not need to reconnect.

Example:
A GlobalProtect VPN user stays connected even if the primary firewall fails, because
session details were synced.

28. How do you troubleshoot asymmetric routing in an Active-Active HA setup?

Answer:

• Use session browser in the GUI to check traffic flow.
• Verify that Session Owner and Session Setup settings are correct.
• Enable HA3 link for session synchronization.

Example:
A VoIP call drops intermittently because return traffic is handled by a different firewall
without session sync. Enabling HA3 fixes the issue.

29. What is device priority in HA, and how does it affect failover?

Answer:

• Lower priority value wins (default: 100).
• A firewall with a lower priority becomes active unless it fails.

Example:
If firewall A has a priority of 50 and firewall B has 100, firewall A becomes active by
default.

30. How do you simulate a failover test in Palo Alto HA?

Answer:

• Method 1: Manually suspend the Active firewall:
  request high-availability state suspend
• Method 2: Disable a monitored interface (e.g., WAN).
• Method 3: Unplug the power cable of the Active firewall.

Example:
A network admin tests failover by shutting down the primary firewall to confirm that the
Passive firewall takes over without impacting services.

31. How do you configure preemption in Palo Alto HA?

Answer:
Preemption ensures that the original Active firewall automatically resumes control once it
recovers.

• Navigate to Device → High Availability → General Settings.
• Check Enable Preemption.
• Set a preemption hold timer (default: 60s).

Example:
If the primary firewall fails and recovers, preemption ensures it resumes control after
stabilization.
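
The election order from Q21 and Q29 and the preemption behaviour from Q10 and Q31, put together as a small Python model. This is an added example, not code from the original document or from Palo Alto Networks: the `Peer` fields, `elect_active` and `winning_criterion` are assumptions of the model, as is the simplified preemption rule (a non-preemptive pair keeps its current Active peer for as long as that peer is functional; with preemption enabled the best election key wins).

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Peer:
    """One HA member as seen by the election (constructed model, not a PAN-OS API)."""
    name: str
    serial: str                 # final tie-breaker: lower serial wins (constructed placeholder values below)
    priority: int = 100         # device priority: lower value wins (default 100)
    links_up: int = 0           # monitored links currently operational
    paths_up: int = 0           # monitored paths currently reachable
    functional: bool = True     # False when the peer is suspended or non-functional


def election_key(p: Peer):
    # Python compares tuples left to right, so this mirrors the order in the text:
    # 1. lower priority, 2. more operational links, 3. more monitored paths, 4. lower serial.
    return (p.priority, -p.links_up, -p.paths_up, p.serial)


def winning_criterion(a: Peer, b: Peer) -> str:
    """Name the first criterion on which a and b differ, to explain an election result."""
    labels = ("priority", "operational links", "monitored paths", "serial number")
    for label, x, y in zip(labels, election_key(a), election_key(b)):
        if x != y:
            return label
    return "identical (no winner)"


def elect_active(peers: Iterable[Peer], current_active: Optional[str] = None,
                 preemptive: bool = False) -> Peer:
    """Pick the peer that should hold the Active role.

    With preemption disabled, a functional peer that is already Active keeps the role
    even if another peer now has a better election key.  With preemption enabled, or
    when the current Active peer is absent or non-functional, the best functional peer
    by election_key wins.
    """
    candidates = [p for p in peers if p.functional]
    if not candidates:
        raise ValueError("no functional peer available")
    if not preemptive and current_active is not None:
        for p in candidates:
            if p.name == current_active:
                return p
    return min(candidates, key=election_key)


if __name__ == "__main__":
    fw_a = Peer("fw-A", serial="0000000001", priority=50, links_up=2, paths_up=1)
    fw_b = Peer("fw-B", serial="0000000002", priority=100, links_up=2, paths_up=1)
    print(elect_active([fw_a, fw_b]).name, "wins on", winning_criterion(fw_a, fw_b))
    # fw-B currently Active, preemption off: fw-B stays Active despite fw-A's better priority
    print(elect_active([fw_a, fw_b], current_active="fw-B").name)
```

The `current_active` parameter is what makes the difference between Q21 (a cold election, where priority 50 beats 100) and Q10 (a recovered peer only reclaims the role when preemption is enabled) visible in one function.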

32. What are the different HA link states in Palo Alto?

Answer:

• Init: HA initialization.
• Passive: Standby state, monitoring the Active firewall.
• Active: Processing traffic.
• Tentative: Temporary state after boot-up or configuration changes.
• Non-Functional: Critical error detected.


Example:
If a firewall boots up and enters tentative state, it may have a configuration mismatch with
its HA peer.

33. How can you configure link and path monitoring in HA?

Answer:

1. Navigate to Device → High Availability → Link & Path Monitoring.
2. Add critical interfaces under Link Monitoring.
3. Add ICMP-based paths under Path Monitoring.

Example:
If a WAN link goes down, link monitoring triggers a failover to ensure connectivity.

34. How does the firewall decide when to trigger a failover?

Answer:
Failover occurs if:

• HA1 (control link) fails.
• HA2 (data link) fails.
• Monitored interface goes down.
• Monitored path (ping test) fails.
• Firewall software crashes or hardware fails.

Example:
If path monitoring is set for 8.8.8.8, and it stops responding, failover occurs even if the
interfaces are up.
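
Link monitoring (Q5, Q33), path monitoring (Q34) and the Monitor Hold Time from Q16, modelled in Python as a monitor that is fed periodic polls and reports when a failover should be triggered. This is an added example, not code from the original document or from PAN-OS: the `any`/`all` failure condition mirrors the option PAN-OS offers on a link or path monitoring group, while the hold-time handling (a group must stay failed for at least the hold time, and a recovery resets the timer), the `FailoverMonitor` class, and the sample interfaces and the next-hop address 203.0.113.1 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LinkGroup:
    name: str
    interfaces: List[str]
    failure_condition: str = "any"   # "any": one member down fails the group; "all": every member down


@dataclass(frozen=True)
class PathGroup:
    name: str
    targets: List[str]               # addresses probed with ICMP
    failure_condition: str = "any"


def group_failed(member_up: Dict[str, bool], condition: str) -> bool:
    """Apply a group's failure condition to its members' up/down states."""
    down = [not up for up in member_up.values()]
    if not down:
        return False
    if condition == "any":
        return any(down)
    if condition == "all":
        return all(down)
    raise ValueError(f"unknown failure condition {condition!r}")


class FailoverMonitor:
    """Tracks link/path groups over time and reports failures held longer than the hold time."""

    def __init__(self, link_groups: List[LinkGroup], path_groups: List[PathGroup],
                 monitor_hold_ms: int = 3000):      # 3000 ms: the default quoted in Q16
        self.link_groups = link_groups
        self.path_groups = path_groups
        self.monitor_hold_ms = monitor_hold_ms
        self._failed_since: Dict[str, int] = {}   # group label -> first failing poll (ms)

    def _track(self, label: str, failed: bool, t_ms: int) -> Optional[str]:
        if not failed:
            self._failed_since.pop(label, None)   # recovery resets the hold timer
            return None
        since = self._failed_since.setdefault(label, t_ms)
        held = t_ms - since
        if held >= self.monitor_hold_ms:
            return f"{label} down for {held} ms (hold time {self.monitor_hold_ms} ms)"
        return None

    def observe(self, t_ms: int, link_up: Dict[str, bool], path_up: Dict[str, bool]) -> List[str]:
        """Feed one poll at time t_ms; returns the reasons to fail over now (empty list = none).
        A member missing from the poll is treated as down."""
        reasons = []
        for lg in self.link_groups:
            states = {i: link_up.get(i, False) for i in lg.interfaces}
            r = self._track(f"link group {lg.name}", group_failed(states, lg.failure_condition), t_ms)
            if r:
                reasons.append(r)
        for pg in self.path_groups:
            states = {ip: path_up.get(ip, False) for ip in pg.targets}
            r = self._track(f"path group {pg.name}", group_failed(states, pg.failure_condition), t_ms)
            if r:
                reasons.append(r)
        return reasons


if __name__ == "__main__":
    mon = FailoverMonitor(
        [LinkGroup("wan", ["ethernet1/1", "ethernet1/2"], "any")],
        [PathGroup("upstream", ["8.8.8.8", "203.0.113.1"], "all")],   # 203.0.113.1: constructed next-hop
    )
    links = {"ethernet1/1": True, "ethernet1/2": True}
    paths = {"8.8.8.8": True, "203.0.113.1": True}
    print(mon.observe(0, links, paths))                                   # []
    print(mon.observe(1000, {**links, "ethernet1/1": False}, paths))      # [] (failure not yet held)
    print(mon.observe(4000, {**links, "ethernet1/1": False}, paths))      # ['link group wan down for 3000 ms ...']
```

The two failure conditions show the trade-off from Q16 in a different form: an `any` link group fails over on the first lost interface, while an `all` path group tolerates one unreachable target, so the choice of condition, not only the hold time, decides how prone the pair is to false positives.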

35. How do you troubleshoot an HA failover that did not occur?

Answer:

1. Check System Logs for HA events.
2. Verify that HA1 and HA2 are up.
3. Ensure preemption is enabled if needed.
4. Confirm that interface monitoring is correctly configured.
5. Run CLI commands: show high-availability state and show high-availability link-monitoring


Example:
A firewall failed, but no failover occurred because interface monitoring was disabled.

36. What is the purpose of session owner and session setup in Active-Active HA?

Answer:

• Session Owner: Handles flow lookup and enforcement.
• Session Setup: Creates new sessions.

Example:
If firewall A owns the session, but firewall B sets up the session, HA3 synchronization is
needed to prevent asymmetric routing.
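
How the session setup device, the session owner and the HA3 link (Q19, Q28, Q36) fit together, as a Python model that works out which firewall builds a session, which one owns it, and which packets have to cross HA3. This is an added example, not code from the original document or from Palo Alto Networks: the `first-packet`, `primary-device` and `ip-modulo` names follow the PAN-OS Active/Active options (ip-modulo selects by the parity of the source IP), but the functions, the device numbering and the exact forwarding sequence are a simplified model.

```python
import ipaddress
from typing import List, Tuple

Hop = Tuple[int, int]   # (from device-id, to device-id): one packet crossing the HA3 link


def session_setup_device(src_ip: str, receiver: int, algorithm: str, primary: int = 0) -> int:
    """Which device (0 or 1) builds the session for a new flow."""
    if algorithm == "first-packet":
        return receiver                      # whoever received the first packet
    if algorithm == "primary-device":
        return primary                       # always the primary device
    if algorithm == "ip-modulo":
        return int(ipaddress.ip_address(src_ip)) % 2   # even source IP -> device 0, odd -> device 1
    raise ValueError(f"unknown session setup algorithm {algorithm!r}")


def session_owner(receiver: int, algorithm: str, primary: int = 0) -> int:
    """Which device owns the session, i.e. does flow lookup and enforcement for its lifetime."""
    if algorithm == "first-packet":
        return receiver
    if algorithm == "primary-device":
        return primary
    raise ValueError(f"unknown session owner algorithm {algorithm!r}")


def first_packet_path(src_ip: str, receiver: int, setup_algorithm: str = "ip-modulo",
                      owner_algorithm: str = "first-packet", primary: int = 0):
    """Return (setup_device, owner_device, ha3_hops) for the first packet of a flow.

    The receiving device hands the packet to the setup device if that is not itself,
    and the setup device hands the finished session to its owner if that is not itself.
    """
    setup = session_setup_device(src_ip, receiver, setup_algorithm, primary)
    owner = session_owner(receiver, owner_algorithm, primary)
    hops: List[Hop] = []
    if setup != receiver:
        hops.append((receiver, setup))
    if owner != setup:
        hops.append((setup, owner))
    return setup, owner, hops


def later_packet_hops(receiver: int, owner: int) -> List[Hop]:
    """Every later packet of the flow, including asymmetric return traffic that arrives
    at the other firewall, is forwarded to the owner over HA3."""
    return [] if receiver == owner else [(receiver, owner)]


if __name__ == "__main__":
    # Constructed flow: client 10.0.0.5 (odd -> device 1 sets up) whose first packet lands on device 0.
    setup, owner, hops = first_packet_path("10.0.0.5", receiver=0)
    print(f"setup={setup} owner={owner} ha3 hops={hops}")
    # Return traffic for that session arrives at device 1, which is not the owner.
    print("return packet hops:", later_packet_hops(1, owner))
```

The model makes the Q28 symptom concrete: with HA3 absent, every non-empty `hops` list is a packet the pair cannot deliver to the device holding the session, which is exactly the asymmetric-routing drop the text describes.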

37. How do you verify HA status using CLI?

Answer:
Run:

show high-availability all

This command displays HA state, link status, session sync, and priority.

Example:
If a firewall is in non-functional state, logs will show the cause (e.g., hardware failure).
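
A check a practitioner would run on the output from Q7 and Q37 before trusting a pair: parse the `Key: Value` status lines from both peers and cross-check them for the split-brain and control-link conditions of Q13 and Q17. This is an added example, not code from the original document or from PAN-OS; the status samples are constructed in the three-field form shown in Q7, and the extra fields (`Running Configuration`, `Priority`) plus the `parse_ha_state` and `audit_pair` functions are assumptions for illustration.

```python
from typing import Dict, List

# Constructed samples in the "Key: Value" form of Q7 (not real firewall output).
FW_A_HEALTHY = """\
State: Active
Peer State: Passive
Connection: Up
Running Configuration: synchronized
Priority: 50
"""

FW_B_HEALTHY = """\
State: Passive
Peer State: Active
Connection: Up
Running Configuration: synchronized
Priority: 100
"""

# Both peers lost HA1 and each promoted itself: the split-brain case of Q13/Q17.
FW_A_SPLIT = """\
State: Active
Peer State: Unknown
Connection: Down
Running Configuration: not synchronized
"""

FW_B_SPLIT = FW_A_SPLIT


def parse_ha_state(text: str) -> Dict[str, str]:
    """Turn 'Key: Value' lines into a dict with lower-cased keys and values."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip().lower()
    return fields


def audit_pair(text_a: str, text_b: str) -> List[str]:
    """Return human-readable findings for the pair; an empty list means it looks healthy."""
    a, b = parse_ha_state(text_a), parse_ha_state(text_b)
    findings = []
    if a.get("state") == "active" and b.get("state") == "active":
        findings.append("split-brain: both firewalls report State: Active")
    if a.get("state") == "passive" and b.get("state") == "passive":
        findings.append("no Active firewall: both report State: Passive")
    for name, me, peer in (("fw-A", a, b), ("fw-B", b, a)):
        conn = me.get("connection", "unknown")
        if conn != "up":
            findings.append(f"{name}: HA1 control connection is {conn}")
        seen = me.get("peer state")
        if seen is not None and seen != peer.get("state"):
            findings.append(f"{name}: sees peer as {seen} but peer reports {peer.get('state', 'unknown')}")
        sync = me.get("running configuration", "synchronized")
        if sync != "synchronized":
            findings.append(f"{name}: running configuration is {sync}")
    return findings


if __name__ == "__main__":
    print("healthy pair:", audit_pair(FW_A_HEALTHY, FW_B_HEALTHY))   # []
    for finding in audit_pair(FW_A_SPLIT, FW_B_SPLIT):
        print("split pair:", finding)
```

Comparing both peers' views, rather than reading one firewall's status in isolation, is the point: a single "State: Active" line looks fine on its own, and only the second firewall's output reveals that the pair has split.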

38. What is graceful failover, and why is it important?

Answer:
Graceful failover ensures minimal disruption when switching between firewalls.

• Ensures session synchronization is complete.
• Prevents sudden connection drops for VPN and TCP sessions.

Example:
Without graceful failover, VoIP calls and SSH sessions may disconnect during a failover.


39. How do you ensure that HA failover does not disrupt routing?

Answer:

• Enable Graceful Restart for OSPF/BGP.
• Configure HA session synchronization.
• Set HA preemption hold time to allow route updates.

Example:
If a firewall in Active-Passive HA fails, the new Active firewall should have pre-learned
OSPF/BGP routes to prevent blackholing traffic.

40. What are some best practices for HA configuration in Palo Alto?

Answer:

1. Use dedicated interfaces for HA1 and HA2.
2. Configure HA1 Backup over the management port.
3. Enable preemption with a hold timer.
4. Ensure interface and path monitoring are enabled.
5. Use HA3 for Active-Active deployments.

Example:
A customer experienced split-brain because they did not configure HA1 Backup.

41. Can both HA peers share the same management IP?

Answer:
No, each firewall needs its own management IP.

• The Active firewall uses its assigned management IP.
• The Passive firewall uses its separate management IP.

Example:
If 192.168.1.10 is the Active firewall’s management IP, the Passive firewall might use
192.168.1.11.

42. How does HA work in a multi-VSYS environment?

Answer:


• HA synchronizes VSYS (Virtual Systems) configurations.
• Session sync happens across all VSYS instances.
• Interface mapping must be identical on both peers.

Example:
A firewall with 3 VSYS instances will failover completely, ensuring that all virtual firewalls
remain available.

43. What impact does a firmware upgrade have on HA?

Answer:

• Best practice: Use "Suspend Local" to force failover before upgrading.
• Upgrade the Passive firewall first, then the Active firewall.
• After both are upgraded, resume HA.

Example:
If an admin upgrades both firewalls at the same time, it may cause a brief outage.

44. How can you check if session synchronization is working?

Answer:
Run:

show session info

Check for:

• Session setup rate
• Session sync status

Example:
If session sync is broken, long-lived TCP sessions (e.g., SSH, VPN) may drop during
failover.

45. What happens if the HA2 link is down?

Answer:

• No session synchronization occurs.
• Failover will result in session loss.
• Both firewalls might process traffic independently, causing duplicate packets.


Example:
A user reported that VoIP calls dropped after failover. The issue was a broken HA2 cable,
preventing session sync.
