Which three statements correctly describe Session 380280? (Choose three.)
Session 380280 involves traffic that was initially identified as
There is a lack of available documentation for this CLI command. I think the answer is ADE. Cannot be B because session is still active, hence reason "unknown". I don't think it can be C because "session proxied" is true, which I've only seen when SSL Decryption is being performed - regular HTTP traffic does not show this flag.
I agree, ADE seems to be correct.
ADE is correct. Session is still active, hence 'unknown' end reason, as mentioned correctly by Shenanigans123.
With the destination port being 443 and the application being web-browsing, that means that this was decrypted. The session clearly says it ended as unknown.
On session id, we always have the end reason field fulfilled. "unknown" means there is nothing. In other words, the session is still active. When the session is ended, you have different things such as INIT or other.
Session Proxied : Yes means session is SSL decrypted. Before decryption identified as ssl and after decryption identified as web browsing.
unknown—This value applies in the following situations: Session terminations that the preceding reasons do not cover (for example, a clear session all command). For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall. In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown. BDE
The fact is that the session is still in the ACTIVE state, therefore the answer "the session has ended with the end-reason unknown" is not valid, because the session hasn't ended.
When the session ends the state changes to INIT.
End session unknown is a valid end reason.
Should be ADE. "end reason: unknown" will show for all "ACTIVE" sessions. So B is not correct.
ADE is correct. As the initial traffic is on port 443 and after that application shift occurs and the session is still active.
ADE. The fact that the session is still active, it can't be B.
The sh session command only shows active sessions, can't be B.
How do you know from this info that the session was decrypted? You can infer it from the question by a process of elimination, B&C are wrong
I believe from "Session Proxied : Yes"
Port 443 and app web-browsing is a clue as well.
When I had this question, it only asked for 2 things.
ADE is the correct option
Got this question in December 2023, only got two choices to answer. Selected D and E. As others already stated, end-reason "unknown" is misleading; look at the state = ACTIVE, session table = actual sessions.
Answers are A, D, E.
I performed this in the lab.
Correct answers: ADE