Palo Alto Networks NGFW Engineer — Question 50
An organization is deploying VM-Series firewalls in Microsoft Azure to secure its VNets. A key requirement is that the security infrastructure must be resilient to the failure of an entire Azure Availability Zone.
What is the recommended method to achieve this goal?
Answer options
- A. Deploy multiple, independent VM-Series firewalls in different Availability Zones and use an Azure Load Balancer to distribute traffic to them.
- B. Implement a Terraform configuration that automatically redeploys the firewall in a new zone if the original one fails.
- C. Use Azure Traffic Manager to direct traffic to a primary VM-Series firewall, with a second firewall in another zone as a failover target.
- D. Configure PAN-OS active/passive high availability (HA) between two VM-Series instances in separate Availability Zones using HA links over a VNet peering connection.
Correct answer: A
Explanation
The correct answer is A because deploying multiple, independent VM-Series firewalls in different Availability Zones allows for continuous availability even if one zone fails. The other options do not provide the same level of resilience: B relies on redeployment, which may not be immediate; C has a single point of failure in the primary firewall; and D requires a specific configuration that does not guarantee availability across zones.