Exam PCNSE topic 1 question 561 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 561
Topic #: 1

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.



Which setting should be modified on ethernet1/1 to remedy this problem?

  • A. Change the subnet mask from /23 to /24.
  • B. Lower the interface MTU value below 1500.
  • C. Adjust the TCP maximum segment size (MSS) value.
  • D. Enable the Ignore IPv4 Don't Fragment (DF) setting.
Suggested Answer: B 🗳️

Comments

hcir
2 weeks, 1 day ago
C is the answer. It says that some upstream router has a low MTU; it does not say that the directly connected router does. Lowering the MTU would have the FW send ICMP need-to-fragment messages, which might work but probably not.
upvoted 1 times
...
Bubu3k
2 months, 2 weeks ago
The question is stupid, but so are some of the answers here. MTU = max data inside a frame (layer 2 packet) size. MSS = max TCP payload. MTU = MSS + 40 (IP header + TCP header). Setting a lower MTU would force a lower MSS. Decreasing MSS also lowers the MTU. Based on how vague B is I would go with C, but in my book either can work, and this question is just dumb; the listed answers aren't correct. And for what it's worth, I'm pretty sure D might work as well.
upvoted 2 times
...
Marshpillowz
3 months, 1 week ago
Selected Answer: C
C is correct
upvoted 1 times
...
Kaifus
3 months, 4 weeks ago
Selected Answer: C
Such a wack question and any network guy would troubleshoot this easily if we had hands on the network and could see the messages. My issue with adjusting the MTU is that it doesn't state that we have control over the entire WAN. What happens if the next router in the path has the same problem? Ideally you want to fragment (D) or lower your MSS (C). https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-release-notes/pan-os-9-1-release-information/features-introduced-in-pan-os-9-1/networking-features#:~:text=Ignore%20DF%20(don't%20fragment)%20Bit&text=You%20can%20configure%20the%20firewall,when%20enabled%20through%20the%20CLI. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN0gCAG Gonna go with C but could argue that D would possibly work as well if we had access to the client's command window :)
upvoted 2 times
...
JRKhan
3 months, 4 weeks ago
Selected Answer: C
C is correct as per the link from pavtoor. If just MTU is lowered down on the firewall, the firewall will start dropping the packets since it can't fragment them. MSS will need to be lowered down to decrease the overall MTU size of the packets.
upvoted 1 times
...
brian7857ffs45
5 months, 2 weeks ago
Selected Answer: C
I don't like the wording of B, it says below 1500, well 1480 is below 1500 but would still not fix an MTU IP fragmentation issue as an example. It should say "lower the interface MTU value below 1400" for B to be correct.
upvoted 4 times
...
Shaun919
5 months, 3 weeks ago
Selected Answer: B
MTU has to match just like in networking for routing/switching. At least from my experience.
upvoted 1 times
...
anonymous1334232
6 months, 3 weeks ago
It must be B as it’s the pipe that determines the data that can be put through. The TCP segment determines the buffers, which is applicable only if the data is reachable.
upvoted 1 times
...
Artbrut
8 months, 1 week ago
Selected Answer: C
Agree with pavtoor -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAolCAG&lang=en_US%E2%80%A9
upvoted 2 times
...
pavtoor
8 months, 2 weeks ago
Option C is correct. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PN0gCAG "Please note that even though adjusting the MSS value on the PA firewall solves the issue, the issue is not caused by the Firewall. The issue is caused by other hosts in the path that have lower MTU setting."
upvoted 3 times
...
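Added example, not part of any comment above and not Palo Alto Networks code: what an MSS adjustment does to a TCP SYN on the wire, using the MTU = MSS + 40 relation from the discussion and the 1400-byte upstream MTU from the question. The SYN segment, the addresses and all function names are constructed for illustration.

```python
import struct
IP_TCP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])  # constructed addresses

def ones_sum(data):
    """16-bit one's-complement sum with end-around carry (TCP checksum core)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src, dst, tcp):
    """Checksum over the IPv4 pseudo-header plus segment; 0 means it verifies."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return ~ones_sum(pseudo + tcp) & 0xFFFF

def find_mss(tcp):
    """Byte offset of the MSS value inside the TCP options, or None."""
    i, end = 20, min(len(tcp), (tcp[12] >> 4) * 4)  # options: byte 20 to data offset
    while i < end and tcp[i] != 0:   # kind 0 ends the option list
        if tcp[i] == 1:              # kind 1 is a one-byte NOP
            i += 1
            continue
        length = tcp[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:
            return None              # malformed option: leave the segment alone
        if tcp[i] == 2 and length == 4:
            return i + 2             # kind 2 is MSS: kind, length, 16-bit value
        i += length
    return None

def clamp_mss(tcp, path_mtu):
    """Lower a SYN's MSS to path_mtu - 40 and patch the checksum (RFC 1624)."""
    off = find_mss(tcp)
    if not tcp[13] & 0x02 or off is None:
        return tcp                   # only SYN segments carry the MSS option
    old = int.from_bytes(tcp[off:off + 2], "big")
    new = min(old, path_mtu - IP_TCP_HEADERS)
    if new == old:
        return tcp                   # advertised MSS already fits the path
    inv_csum = ~int.from_bytes(tcp[16:18], "big") & 0xFFFF
    csum = ~ones_sum(struct.pack("!HHH", inv_csum, ~old & 0xFFFF, new)) & 0xFFFF
    return tcp[:16] + csum.to_bytes(2, "big") + tcp[18:off] + new.to_bytes(2, "big") + tcp[off + 2:]

def sample_syn(mss):
    """Constructed SYN: 20-byte header plus a single 4-byte MSS option."""
    seg = struct.pack("!HHIIHHHHBBH", 49152, 443, 1000, 0, 0x6002, 64240, 0, 0, 2, 4, mss)
    return seg[:16] + tcp_checksum(SRC, DST, seg).to_bytes(2, "big") + seg[18:]
```

With a 1400-byte path MTU, a SYN advertising MSS 1460 leaves with MSS 1360, so full-size segments from the peer become 1400-byte IP packets.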