An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID. Why would the application field display as incomplete?
A.
There is insufficient application data after the TCP connection was established.
B.
The TCP connection was terminated without identifying any application data.
C.
The TCP connection did not fully establish.
D.
The client sent a TCP segment with the PUSH flag set.
The answer is A, B & C.
Please refer to the question 258.
What are three reasons why an installed session can be identified with the "application incomplete" tag? (Choose three.)
There was no application data after the TCP connection was established.
The TCP connection was terminated without identifying any application data.
The TCP connection did not fully establish.
Incomplete --> App-ID labels traffic as incomplete when either the three-way TCP handshake does not complete or when the handshake completes but no data follows the handshake. Traffic labeled as incomplete by App-ID is not really an application.
Hello dude. Yeah, indeed C is before A in that quote. However, most likely you will see incomplete as the application flag when you have sessions with packets sent to the server but without any response from it.
Another: "choose the best 'right' thing." A common sucky way for PANW to write their exam questions lmao.
1-3 packets exchanged ---> incomplete, because not even TCP handshake was completed
4-10 packets exchanged ---> insufficient data, because TCP was completed but we did not see enough packets to precisely determine what application it is
11-more packets exchanged ---> if we can't determine what the app is, it is marked as "unknown"
As per EDU-210: Classifying (Labeling) TCP Traffic
incomplete: Three-way handshake did not complete or was followed by no data
For A, the label will be "insufficient-data"
Ignore the comment before, C is correct.
Incomplete in the application field:
Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application.
One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
I believe A is correct. The key here is that the admin is reviewing traffic logs; if the TCP handshake didn't complete, then with default log settings it would not be recorded in the traffic log. The insufficient-data means that the TCP session was established and logged after the session ended, but there wasn't enough data for the firewall to establish the application type.
"Incomplete" means that "either the three-way TCP handshake did not complete" or "the three-way TCP handshake **did** complete but there was no data after the handshake to identify the application."
No data is the key.
C is correct as per URL https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
Incomplete in the application field:
Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application.
One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.
It could be A or C
"Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words that traffic being seen is not really an application."
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
That being said, there's also 'insufficient data' where there's not enough data after the three-way handshake, so 'incomplete' is probably the 'best' fit for "did not fully establish", so I think C.
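The task in the question is to find, in the traffic logs, the sessions App-ID could not name. The thread shows that one label, "incomplete", covers two different situations (handshake never completed, or handshake completed with no data after it), which matter differently to a defender: a destination that never answers points at a dead host or an upstream filter, while an established-but-silent session is a client that connected and then sent nothing. The script below is an added example, not code from the original page or from Palo Alto Networks: it reads a constructed, simplified CSV export (the column names are assumptions for the demo, not the real PAN-OS traffic-log field layout), counts sessions per unidentified label, and splits the "incomplete" ones by whether the server ever sent a packet. The split relies only on TCP itself: a server that sent zero packets never sent a SYN-ACK, so the handshake cannot have completed.

```python
"""Triage App-ID labels in a firewall traffic-log export.

Added example, not from the original page or from Palo Alto Networks. The CSV
columns below are a constructed, simplified layout for the demo, NOT the real
PAN-OS traffic-log export format; map the column names to your own export.
"""
import csv
import io
from collections import Counter

# Labels App-ID assigns when it cannot name an application (those named in the thread
# plus the UDP counterpart of unknown-tcp).
UNIDENTIFIED_APPS = {"incomplete", "insufficient-data", "unknown-tcp", "unknown-udp"}

# Constructed sample export: one row per session (synthetic addresses and counts).
SAMPLE_LOG = """\
src,dst,dport,proto,app,packets_sent,packets_received,session_end_reason
10.1.1.10,203.0.113.5,443,tcp,ssl,42,51,tcp-fin
10.1.1.11,203.0.113.9,8443,tcp,incomplete,3,0,aged-out
10.1.1.12,203.0.113.9,8443,tcp,incomplete,2,0,aged-out
10.1.1.13,198.51.100.7,25,tcp,incomplete,4,2,tcp-rst-from-server
10.1.1.14,198.51.100.8,9000,tcp,insufficient-data,6,5,tcp-fin
10.1.1.15,198.51.100.8,9000,tcp,unknown-tcp,30,28,tcp-fin
10.1.1.16,192.0.2.20,53,udp,dns,1,1,aged-out
"""


def parse_rows(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def unidentified_by_label(rows):
    """Count sessions per App-ID label, keeping only labels App-ID could not resolve."""
    return Counter(r["app"] for r in rows if r["app"] in UNIDENTIFIED_APPS)


def split_incomplete(rows):
    """Split 'incomplete' sessions by whether the server ever answered.

    packets_received == 0 means the server never sent a SYN-ACK, so the handshake
    could not have completed (the 'did not fully establish' case). If the server
    did send packets, the handshake may have completed and 'incomplete' then means
    no application data followed it (the 'no data after the handshake' case).
    Returns two lists of (dst, dport) keys.
    """
    no_server_reply, server_replied = [], []
    for r in rows:
        if r["app"] != "incomplete":
            continue
        key = (r["dst"], r["dport"])
        if int(r["packets_received"]) == 0:
            no_server_reply.append(key)
        else:
            server_replied.append(key)
    return no_server_reply, server_replied


def top_unanswered_destinations(rows, n=5):
    """Destinations that repeatedly never answer: first places to check for a dead
    host, a closed port, or an upstream filter."""
    no_reply, _ = split_incomplete(rows)
    return Counter(no_reply).most_common(n)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_LOG)
    print("unidentified sessions:", dict(unidentified_by_label(rows)))
    no_reply, replied = split_incomplete(rows)
    print("incomplete, no server reply:", no_reply)
    print("incomplete, server replied but no data:", replied)
    print("most-unanswered destinations:", top_unanswered_destinations(rows))
```

On the constructed sample this reports three "incomplete" sessions, two of which (both to 203.0.113.9:8443) never got a server packet, while the third reached the server and was reset without carrying data; the "insufficient-data" and "unknown-tcp" rows are counted separately so they are not mistaken for handshake failures.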
Community vote distribution: A (35%), C (25%), B (20%), Other.