An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out. Which two fields could help in determining if this is normal? (Choose two.)
Answer: AB
When monitoring the traffic logs using Monitor > Logs > Traffic, some traffic is seen with the Session End Reason as aged-out. Any traffic that uses UDP or ICMP will have the session end reason aged-out in the traffic log. This is because, unlike TCP, there is no way to gracefully terminate a UDP session, and so aged-out is a legitimate session-end reason for UDP (and ICMP) sessions.
Link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW
When investigating a log entry for a session that is allowed and has the end reason of “aged-out”, the following two fields could help in determining if this is normal:
IP Protocol: The protocol used can give insight into whether an “aged-out” session end reason is expected or not. For example, it’s normal for UDP and ICMP sessions, which are stateless protocols, to have an “aged-out” session end reason.
Packets sent/received: This can help determine if packets are correctly leaving the firewall. If the ‘Packets Sent’ count in the traffic log is high, but there’s no corresponding ‘Packets Received’, it could indicate an issue such as the destination server not having an open port for the requested service, asymmetric routing, or a network path issue.
So, the correct options from your list would be A. IP Protocol and B. Packets sent/received. Always refer to the latest documentation for the most accurate information.
TCP is OK only if "packets sent" and "packets received" are equal.
Otherwise there is an anomaly and it must be investigated.
That is why the number of packets is important. On the other hand, the "action" must always be "allow" otherwise no traffic is possible.
Although I got it wrong at the time, reading the question again plus the discussion and this provided article (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW) leads me to believe that the answer is actually "AD". This is because there are no such fields as "packets sent / packets received" in the detailed log view of a session, but the fields for "Action" and "Protocol" do exist. Based on the article, if the protocol is UDP then the aged-out reason is OK and can be ignored; the opposite is true for TCP, where a session that aged out warrants further investigation.
Action for an 'allowed' session is always Allow. IP Protocol shows e.g. in case of UDP. Packets sent/received also indicate the reason for 'aged-out' traffic.
I would choose A and B as correct answers.
For example:
-- DNS traffic will show up as aged-out (answer A)
-- TCP traffic can show 100 bytes sent, 0 bytes received, which can mean that traffic is dropped after the firewall, or the destination IP is not responding (answer B)
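The triage logic the comments describe, as an added example (not part of the original thread and not Palo Alto Networks code): it walks constructed sample traffic-log rows and sorts allowed aged-out sessions by protocol and packet counts. The column names and sample values are assumptions chosen for readability, not the exact PAN-OS CSV export layout.

```python
import csv
import io

# Constructed sample traffic-log rows for this example. The column names are an
# assumption chosen for readability, not the exact PAN-OS CSV export layout.
SAMPLE_LOG = """\
action,proto,app,session_end_reason,pkts_sent,pkts_received
allow,udp,dns,aged-out,1,1
allow,icmp,ping,aged-out,4,4
allow,tcp,web-browsing,aged-out,12,0
allow,tcp,ssl,aged-out,38,35
allow,tcp,ssl,tcp-fin,40,41
deny,tcp,smb,policy-deny,1,0
"""

# UDP and ICMP have no graceful close, so aged-out is their normal end reason.
STATELESS_PROTOS = {"udp", "icmp"}


def triage_aged_out(csv_text):
    """Return (app, proto, verdict, reason) for every allowed aged-out session."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["action"] != "allow" or row["session_end_reason"] != "aged-out":
            continue  # denied sessions and graceful closes are out of scope
        sent, recv = int(row["pkts_sent"]), int(row["pkts_received"])
        if row["proto"].lower() in STATELESS_PROTOS:
            verdict, reason = "expected", "stateless protocol times out by design"
        elif sent > 0 and recv == 0:
            # One-way TCP: packets left the firewall but nothing came back.
            verdict, reason = "investigate", "no reply packets (closed port, asymmetric route, or path issue)"
        else:
            verdict, reason = "review", "two-way TCP that idled out; confirm the idle timeout fits the app"
        findings.append((row["app"], row["proto"], verdict, reason))
    return findings


def needs_investigation(csv_text):
    """Only the sessions an analyst must follow up on."""
    return [f for f in triage_aged_out(csv_text) if f[2] == "investigate"]


if __name__ == "__main__":
    for app, proto, verdict, reason in triage_aged_out(SAMPLE_LOG):
        print(f"{app:<14}{proto:<6}{verdict:<12}{reason}")
```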