Exam PCNSE topic 1 question 370 discussion

Incomplete --> App-ID labels traffic as incomplete when either the three-way TCP handshake does not complete or when the handshake completes but no data follows the handshake. Traffic labeled as incomplete by App-ID is not really an application.

1-3 packets exchanged ---> incomplete, because not even TCP handshake was completed 4-10 packets exchanged ---> insufficient data, because TCP was completed but we did not see enough packets to precisely determine what application is it 11-more packets exchanged ---> if we can't determine what is the app, it is marked as "unknown"

As per EDU-210: Classifying (Labeling) TCP Traffic incomplete: Three-way handshake did not complete or was followed by no data For A, the label will be "insufficient-data"

C is correct

Ignore the comment before, C is correct. Incomplete in the application field: Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was no enough data after the handshake to identify the application. In other words that traffic being seen is not really an application. One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN , but the server never sends a SYN ACK back to the client, then that session is incomplete. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

I believe A is correct. The key here is that the admin is reviewing traffic logs, if tcp handshake didnt complete then with default log settings it would not be recorded in the traffic log. The insufficient-data means that tcp session was established and logged after session ended but there wasnt enough data for the firewall to establish the application type.

why not B?

C. TCP 3 way handshake didnt complete. 99% sure I saw this on the exam in July 2023

"Incomplete" means that "either the three-way TCP handshake did not complete" or "the three-way TCP handshake **did** complete but there was no data after the handshake to identify the application." No data is the key.

Agree on C

https://live.paloaltonetworks.com/t5/blogs/discussion-of-the-week-application-incomplete/ba-p/286965

C insufficient data would be if TCP was established, but not enough data to identify App

C is correct as per URL https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC Incomplete in the application field: Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was no enough data after the handshake to identify the application. In other words that traffic being seen is not really an application. One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN , but the server never sends a SYN ACK back to the client, then that session is incomplete.

most correct answer here is C as "Incomplete" is displayed in the application field if the three-way TCP handshake did not complete.

A - Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified.

It could be A or C "Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words that traffic being seen is not really an application." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

I think it is A https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC