Exam PCNSE
Question 380

After some firewall configuration changes, an administrator discovers that application identification has started failing. The administrator investigates further and notices that a high number of sessions were going to a discard state with the application showing as unknown-tcp.

Which possible firewall change could have caused this issue?

    Correct Answer: A

    Enabling Forward Segments Exceeding TCP App-ID Inspection Queue (Device > Setup > Content-ID > Content-ID Settings) makes the firewall forward TCP segments that exceed the 64-segment App-ID inspection queue instead of holding them, and classify the application as unknown-tcp. Sessions reclassified as unknown-tcp then match whatever rule covers unknown-tcp, typically a deny rule or the default interzone deny, which is the likely reason a high number of sessions go to the discard state with the application showing as unknown-tcp.
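A triage helper for the symptom in the answer above, added here as an example; it is not code from the original page or from Palo Alto Networks. It works over the XML that the PAN-OS XML API returns for the operational commands `show counter global filter delta yes` and `show session all filter state discard`, using constructed sample responses whose element layout (entry/name/value, entry/state/application/security-rule) is an assumption to check against a real response. The counter name appid_exceed_queue_limit is the one the PAN-OS documentation gives for this setting; it increments whether or not the forwarding option is enabled, so the option's state is passed in and the verdict separates the two cases: overflow forwarded and reclassified as unknown-tcp, versus overflow held for inspection.

```python
"""Triage the 'unknown-tcp sessions in discard state' symptom on a PAN-OS firewall.

Added example, not code from the original page or from Palo Alto Networks.
The XML below is constructed to resemble the XML API output of
  show counter global filter delta yes
  show session all filter state discard
The element names (entry/name/value, entry/state/application/security-rule)
are an assumption about that output; verify against your own firewall.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Counter documented for the TCP App-ID inspection queue (64-segment limit).
COUNTER_NAME = "appid_exceed_queue_limit"

# Constructed sample: the overflow counter is non-zero in the last interval.
SAMPLE_COUNTERS_XML = """<response status="success"><result><global><counters>
<entry><name>appid_exceed_queue_limit</name><value>1532</value><rate>12</rate>
  <severity>info</severity><category>appid</category><aspect>pktproc</aspect>
  <desc>AppID exceed queue limit</desc></entry>
<entry><name>session_allocated</name><value>4812</value><rate>40</rate>
  <severity>info</severity><category>session</category><aspect>resource</aspect>
  <desc>Sessions allocated</desc></entry>
</counters></global></result></response>"""

# Constructed sample: two unknown-tcp sessions discarded by the default interzone rule.
SAMPLE_SESSIONS_XML = """<response status="success"><result>
<entry><idx>1201</idx><state>discard</state><application>unknown-tcp</application>
  <security-rule>interzone-default</security-rule><source>10.1.1.5</source><dst>203.0.113.10</dst></entry>
<entry><idx>1202</idx><state>active</state><application>ssl</application>
  <security-rule>allow-web</security-rule><source>10.1.1.6</source><dst>203.0.113.11</dst></entry>
<entry><idx>1203</idx><state>discard</state><application>unknown-tcp</application>
  <security-rule>interzone-default</security-rule><source>10.1.1.7</source><dst>203.0.113.12</dst></entry>
<entry><idx>1204</idx><state>discard</state><application>web-browsing</application>
  <security-rule>block-known-bad</security-rule><source>10.1.1.8</source><dst>203.0.113.13</dst></entry>
</result></response>"""


def parse_global_counters(xml_text: str) -> dict:
    """Map counter name -> integer value from a 'show counter global' response."""
    counters = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        name, value = entry.findtext("name"), entry.findtext("value")
        if name and value is not None:
            counters[name] = int(value)
    return counters


def discard_unknown_tcp_sessions(xml_text: str) -> list:
    """(session idx, matched rule) for every discard-state session classified unknown-tcp."""
    hits = []
    for entry in ET.fromstring(xml_text).iter("entry"):
        if entry.findtext("state") == "discard" and entry.findtext("application") == "unknown-tcp":
            hits.append((entry.findtext("idx"), entry.findtext("security-rule")))
    return hits


def triage(counters_xml: str, sessions_xml: str, forward_exceeding_queue_enabled: bool) -> dict:
    """Combine counter and session evidence into a verdict.

    forward_exceeding_queue_enabled mirrors Device > Setup > Content-ID >
    Content-ID Settings > Forward Segments Exceeding TCP App-ID Inspection Queue.
    The counter increments in both states; only the enabled state reclassifies.
    """
    exceed = parse_global_counters(counters_xml).get(COUNTER_NAME, 0)
    hits = discard_unknown_tcp_sessions(sessions_xml)
    rules = dict(Counter(rule for _, rule in hits))
    if exceed == 0:
        verdict = "no-queue-overflow"                         # look elsewhere for the unknown-tcp cause
    elif forward_exceeding_queue_enabled:
        verdict = "queue-overflow-forwarded-as-unknown-tcp"   # segments bypass App-ID, sessions hit deny rules
    else:
        verdict = "queue-overflow-held"                       # segments wait for App-ID: latency, not unknown-tcp
    return {"exceed_count": exceed, "discard_unknown_tcp": hits, "rules": rules, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE_COUNTERS_XML, SAMPLE_SESSIONS_XML, forward_exceeding_queue_enabled=True)
    print(f"{COUNTER_NAME} = {result['exceed_count']}")
    print(f"unknown-tcp sessions in discard: {len(result['discard_unknown_tcp'])} by rule {result['rules']}")
    print(f"verdict: {result['verdict']}")
```

On a live firewall the same counter is visible from the CLI with `show counter global filter delta yes | match appid_exceed_queue_limit`; a rising delta together with the forwarding option enabled is the combination the answer describes, and the per-rule breakdown tells you which rule is discarding the reclassified sessions.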

Discussion
Frightened_Acrobat (Option: A)

First, here is why it is NOT C: As others have pointed out, there is a link to a Palo Alto knowledge base article describing the exact same behavior when enabling jumbo frames. There's one caveat: this issue is only seen in versions preceding PAN-OS 9.0.10. "Resolution: Upgrade to PanOS version 9.0.10". Thus, this cannot be a possible cause in post PAN-OS 10.0.0. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAZMCA4&lang=en_US

Argument for A: "Enable this option to forward segments and classify an application as unknown-tcp when the App-ID queue exceeds the 64-segment limit." Taken directly from https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/device/device-setup-content-id

bimyo (Option: C)

So why can't it be C? Everything seems to fit and I've seen it in a live environment. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAZMCA4&lang=en_US

Eiffelsturm

See the comment by Frightened_Acrobat.

aatechler (Option: A)

Enable this option to forward segments and classify the application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Use the following global counter to view the number of segments in excess of this queue, regardless of whether you enabled or disabled this option: appid_exceed_queue_limit

Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID inspection when the App-ID inspection queue is full. This option is disabled by default and you should leave it disabled for maximum security. When you disable this option, you may notice increased latency on streams where more than 64 segments were queued awaiting App-ID processing.

TAKUM1y (Option: A)

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/device/device-setup-content-id

dgonz (Option: A)

A. B is the default, it seems.

TheIronSheik (Option: C)

The link from bimyo has the exact wording from the question. "You will observe that a large number of sessions will go to *DISCARD* state with the application showing as unknown-tcp". Keyword, "discard state".

secdaddy (Option: A)

Comment by millosz222 with reference URL https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-content-id

Reyad789 (Option: A)

Here's why I think the answer is (A). "Forward Segments Exceeding TCP App-ID Inspection Queue" is DISABLED by default, which means that if you enable jumbo frames on the firewall and send a large amount of traffic, the firewall should start dropping these packets with the default setting. I've seen the comments that there was a bug in previous PAN-OS versions where enabling jumbo frames would display the same symptoms, but I don't think we can/should answer based on previous bugs, especially as the exam focuses on recent PAN-OS versions.

Marshpillowz (Option: A)

I think A

JRKhan (Option: A)

I would go with option A, as C is only applicable to earlier OS versions. For people who are getting confused by the question mentioning session discard, please read below. If the session is in the discard state, then the firewall discards the packet. The firewall can mark a session as being in the discard state due to a policy action change to deny (this could also occur if the firewall has started to mark the app as unknown-tcp and there is no security policy to cater for unknown-tcp traffic, which means it will match the default interzone deny rule), or due to threat detection.

omgt2k2 (Option: C)

It is answer C. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAZMCA4&lang=en_US This link describes the exact same behavior when enabling jumbo frames. In this link, https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-content-id, the PA will still forward the traffic, and the question says "failing".

ajain6646 (Option: C)

The question asks which config change is causing the application to fail. Bypassing the application queue will not cause it to fail. C is correct.

Metgatz (Option: A)

A is the correct option: TCP App-ID inspection queue, in Device > Setup > Content-ID > Content-ID Settings.

Betty2022 (Option: A)

The answer should be A based on https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/device/device-setup-content-id, section "Forward Segments Exceeding TCP App-ID Inspection Queue": "Enable this option to forward segments and classify an application as unknown-tcp when the App-ID queue exceeds the 64-segment limit." Interestingly, when revealing the answer, answer B is suggested to be the correct one.

confusion (Option: A)

A. Forward Segments Exceeding TCP App-ID™ Inspection Queue: "Enable this option to forward segments and classify the application as unknown-tcp when the App-ID queue exceeds the 64-segment limit."

happyism (Option: A)

A: Forward Segments Exceeding TCP App-ID™ Inspection Queue: "Enable this option to forward segments and classify an application as unknown-tcp when the App-ID queue exceeds the 64-segment limit. Disable this option to prevent the firewall from forwarding TCP segments and skipping App-ID inspection when the App-ID inspection queue is full."

Bojan444 (Option: B)

Should be B.