The answer looks to be A or B, if the article is still valid. It was last modified 2 years ago.
From the article (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC): Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was no enough data after the handshake to identify the application.
Insufficient data means not enough data to identify the application.
Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified.
Not-applicable means that the Palo Alto device has received data that will be discarded because the port or service that the traffic is coming in on is not allowed, or there is no rule or policy allowing that port or service.
According to the KB article ans A is alos correct. it says "Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was no enough data after the handshake to identify the application" Can someone clarify
I thought it could be A at first, but reading PaloSteve's comment, it looks like A has the wrong language. "Observed" rather than "complete" and left out "not enough data."
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
PaloSteve
Highly Voted 1 year, 2 months agowest33637
Highly Voted 1 year, 11 months agobeac9a4
Most Recent 2 weeks, 1 day agoMarshpillowz
8 months, 1 week agoFrightened_Acrobat
1 year, 2 months agoyazid0016
1 year, 9 months ago