ACE is my thought.
D is eliminated because it falls into "insufficient data".
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC
App-ID labels the traffic as insufficient-data when not enough data is received in the payload to identify the application. In this case, the three-way TCP handshake completes, but not enough data follows the handshake to identify the traffic.
Incomplete in the application field:
Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application.
One example: if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.
C is most likely a cause of unknown-tcp: the TCP handshake completed, but the application was not identified. I presume the correct answer is ADE.
Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was "NOT ENOUGH" data after the handshake to identify the application. In other words, the traffic being seen is not really an application.
Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application.
One example: if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.
Insufficient data means not enough data to identify the application. So, for example, if the three-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, then the user will see insufficient data in the application field of the traffic log.
ADE makes sense - from the KB:
"Incomplete means that either the three-way TCP handshake did not complete (E) OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application." (A and D both)
A is wrong. If the TCP connection was established yet App-ID still doesn't have enough data to identify the application, the application must be flagged as unknown-tcp or unknown-udp.
WRONG - D - There is not enough application data after the TCP connection was established. | Not enough app data means "insufficient data" in the application field.
B - Can't be B.
So answer: ACE
Incomplete in the application field:
Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application.
One example: if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.
Insufficient data in the application field:
Insufficient data means not enough data to identify the application. So, for example, if the three-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, then the user will see insufficient data in the application field of the traffic log.
ACE is my thought as well.
E would come up as 'incomplete' in the logs because the TCP session never fully establishes; i.e., the firewall didn't see the three-way handshake.
As per the Palo Alto document: Incomplete means that either the three-way TCP handshake did not complete.
That means the session is created after the initial SYN packet. If no further packets are seen and the session expires with only that one SYN, the app will be incomplete. So E is the correct option.
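As an added example, not taken from the KB article or from any commenter above, the following Python model encodes the three verdicts the thread keeps returning to (incomplete, insufficient-data, unknown-tcp) as a classifier over constructed session records. The handshake flag, the 16-byte threshold, and the toy signatures are assumptions made for illustration only; they are not App-ID internals or Palo Alto Networks content.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed threshold: how much post-handshake payload the classifier waits for
# before it stops hoping for a match and reports unknown-tcp. The real App-ID
# value is not stated on this page; 16 bytes is a placeholder for the example.
MIN_BYTES_FOR_VERDICT = 16


@dataclass
class Session:
    """Constructed flow state for one TCP session as the firewall saw it."""
    handshake_complete: bool   # SYN, SYN-ACK and ACK were all observed
    payload: bytes = b""       # application data seen after the handshake


def match_signature(payload: bytes) -> Optional[str]:
    """Toy application signatures (illustrative only, not App-ID content)."""
    if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "web-browsing"
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major byte 0x03
    if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
        return "ssl"
    return None


def classify(session: Session) -> str:
    """Return the application-field value the KB text describes for this flow."""
    # Three-way handshake never completed (e.g. SYN with no SYN-ACK): incomplete
    if not session.handshake_complete:
        return "incomplete"
    # Handshake completed but nothing followed it: still incomplete, per the KB
    if not session.payload:
        return "incomplete"
    app = match_signature(session.payload)
    if app is not None:
        return app
    # Some data arrived, but not enough to decide yet: insufficient-data
    if len(session.payload) < MIN_BYTES_FOR_VERDICT:
        return "insufficient-data"
    # Enough data to decide and no signature matched: unknown-tcp
    return "unknown-tcp"


def summarize(sessions: List[Session]) -> Dict[str, int]:
    """Count verdicts the way a traffic-log filter on the application field would."""
    counts: Dict[str, int] = {}
    for s in sessions:
        verdict = classify(s)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed samples covering each verdict discussed in the thread
    samples = [
        Session(handshake_complete=False),                       # SYN only
        Session(handshake_complete=True),                        # handshake, no data
        Session(handshake_complete=True, payload=b"\x00"),       # one short packet
        Session(handshake_complete=True, payload=bytes(32)),     # data, no match
        Session(handshake_complete=True, payload=b"GET / HTTP/1.1\r\n"),
    ]
    for s in samples:
        print(f"{classify(s):18s} handshake={s.handshake_complete} bytes={len(s.payload)}")
    print(summarize(samples))
```

The ordering matters: a signature match is checked before the byte threshold, so a short but recognisable request (the `GET` line) is identified rather than reported as insufficient-data, while a session that reaches the threshold with nothing recognisable falls through to unknown-tcp.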
Community vote distribution: A (35%), C (25%), B (20%), Other