Palo Alto Networks NGFW Engineer — Question 54
A network security engineer at a 24/7 online retailer is upgrading an active/passive high availability (HA) cluster of PAN-OS firewalls. The primary goal is to perform the upgrade with no service interruption to online transactions. The engineer has already downloaded the new software to both devices.
Which sequence of actions will meet this requirement?
Answer options
- A. From Panorama, create a scheduled software update job targeting both firewalls in the HA pair to run at the same time, then rely on the HA election process to manage the failover automatically.
- B. Upgrade the passive firewall first while it is still in the passive state. Once it reboots and is operational, suspend the active firewall to fail over to the newly upgraded device. Then, upgrade the remaining firewall.
- C. Force the active firewall into a suspended state to trigger a failover, then upgrade and reboot it. Suspend the currently active firewall to fail traffic back to the upgraded unit. Upgrade the remaining firewall.
- D. Disable HA synchronization on the active firewall, upgrade the passive firewall, and then re-enable synchronization. Once synchronized, repeat the process on the other firewall.
Correct answer: B
Explanation
The correct answer is B. Upgrading the passive firewall first leaves the active firewall handling traffic while the passive unit is upgraded and rebooted. Once the upgraded unit is operational, suspending the active firewall fails traffic over to it, and the remaining firewall can then be upgraded while service continues. The other options either risk service interruption or do not follow best practices for upgrading HA clusters.