Palo Alto Networks Certified Network Security Consultant (PCNSC) — Question 8

A company has deployed an Active/Passive 5280 HA pair with BGP configured to the company’s ISP. The lead firewall engineer has set the HA Timer to “Recommended”. Upon failing over the HA pair, there is a two-minute outage and internet traffic is dropped.
What should the engineer do to eliminate or minimize the outage in the future?

Answer options

• A. Change the HA Timer to “Aggressive”.
• B. Enable Path Monitoring to the ISP.
• C. Ensure that “Graceful Restart” has been enabled on all peers.
• D. Change the HA Timer to “Advanced” with “Preemption Hold Time” of one minute.

Correct answer: B

Explanation

Enabling Path Monitoring to the ISP allows for quicker detection of a failure in the network path, which can help in minimizing the outage during a failover. The other options may improve performance but do not specifically target the core issue of detecting ISP path failures, which is critical for reducing downtime.