View all questions & answers for the Palo Alto Network Security Professional (NetSec-Pro) Exam Materials exam
Question 41 Discussion
Comments
Selected Answers: A
In a Next-Generation Firewall (NGFW) deployment:
• Active/Passive design supports a single floating IP address, which is used to maintain seamless failover. The passive firewall takes over the floating IP when the active firewall fails, ensuring uninterrupted traffic flow.
• Active/Active design, however, does not support a single floating IP because both firewalls are actively processing traffic. Instead, each device uses its own IPs and synchronizes session and configuration data.
❌ Why the Other Options Are Incorrect:
• B. ARP load-sharing on Layer 3: This is a feature used in active/active setups to distribute traffic.
• C. Using a DHCP client: Supported in both designs, depending on interface configuration.
• D. Route-based redundancy: Available in both active/passive and active/active designs.
Brave-Dumps Admin
2025-11-03 15:21:05
Please write your reference with the answer.
Selected Answers: C
In active/active HA mode, the firewall does not support the DHCP client functionality. Additionally, only the active-primary firewall can operate as a DHCP Relay; any DHCP broadcast packets received by the active-secondary firewall are dropped.
In contrast:
Single floating IP address is supported in active/active HA configurations for failover purposes.
Configuring ARP load-sharing on Layer 3 is supported in active/active HA to allow firewalls to share an IP address and provide gateway services.
Route-based redundancy is a supported method in active/active HA for Layer 3 interface deployments, where firewalls use dynamic routing protocols to handle rerouting in case of a failure.
Which component of NGFW is supported in active/passive design but not in active/active design? (Choose one answer)