Exam PCNSE
Question 370

An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID.

Why would the application field display as incomplete?

Correct Answer: C

The application field displays incomplete when the TCP connection does not fully establish. This happens when the three-way TCP handshake fails to complete, so the firewall never sees enough of the exchange to identify the application. Without a fully established connection there is no application data to identify, and the session is therefore marked incomplete.

Discussion
secdaddy

It could be A or C "Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words that traffic being seen is not really an application." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

secdaddy

That being said there's also 'insufficient data' where there's not enough data after the three way handshake so incomplete is probably 'best' as did not fully establish so I think C.

Alen (Option: C)

C is correct as per URL https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC. Incomplete in the application field: Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application. One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.

JRKhan (Option: C)

Ignore the comment before, C is correct. Incomplete in the application field: Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application. One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

sov4 (Option: C)

C. TCP 3-way handshake didn't complete. 99% sure I saw this on the exam in July 2023.

Spippolo (Option: C)

"Incomplete" means that "either the three-way TCP handshake did not complete" or "the three-way TCP handshake **did** complete but there was no data after the handshake to identify the application." No data is the key.

bimyo (Option: C)

Most correct answer here is C, as "Incomplete" is displayed in the application field if the three-way TCP handshake did not complete.

Gabuu (Option: A)

I think it is A https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

ATRRHMN (Option: C)

As per EDU-210, Classifying (Labeling) TCP Traffic: incomplete means the three-way handshake did not complete or was followed by no data. For A, the label will be "insufficient-data".
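To make the three labels discussed in this thread concrete, here is an added Python model (not Palo Alto's code and not the firewall's real App-ID logic) that assigns a label to a session from two facts a log reviewer can check: whether the handshake completed and how many bytes followed it. The session fields, the sample sessions and the byte threshold are constructed for the example; the label ordering follows the EDU-210 reading above (no data after the handshake is incomplete, too little data is insufficient-data, enough data but no match is unknown-tcp).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class TcpSession:
    """Per-session facts as a reviewer might extract them from a traffic log (constructed fields)."""
    src: str
    dst: str
    dport: int
    handshake_complete: bool        # SYN, SYN-ACK and ACK were all seen
    payload_bytes: int              # bytes exchanged after the handshake
    identified_app: Optional[str]   # App-ID match when one exists, else None


# Assumed threshold for "enough data to attempt identification"; the page gives no value.
MIN_BYTES_FOR_APPID = 64


def label_session(s: TcpSession) -> str:
    """Map a session to the application-field value the thread describes for each case."""
    if not s.handshake_complete:
        return "incomplete"          # e.g. SYN sent, server never answered with SYN-ACK
    if s.payload_bytes == 0:
        return "incomplete"          # handshake done, but nothing followed it
    if s.payload_bytes < MIN_BYTES_FOR_APPID:
        return "insufficient-data"   # some data, but too little to identify
    return s.identified_app or "unknown-tcp"   # enough data, yet no App-ID match


UNIDENTIFIED = {"incomplete", "insufficient-data", "unknown-tcp"}


def unidentified_sessions(sessions: List[TcpSession]) -> List[TcpSession]:
    """The engineer's task from the question: keep only sessions App-ID could not name."""
    return [s for s in sessions if label_session(s) in UNIDENTIFIED]


def summarize(sessions: List[TcpSession]) -> Dict[str, int]:
    """Count sessions per application-field value, useful for a quick triage view."""
    counts: Dict[str, int] = {}
    for s in sessions:
        lbl = label_session(s)
        counts[lbl] = counts.get(lbl, 0) + 1
    return counts


# Constructed sample sessions covering each case discussed in the thread.
SAMPLE = [
    TcpSession("10.0.0.5", "203.0.113.10", 443, False, 0, None),     # SYN only
    TcpSession("10.0.0.6", "203.0.113.11", 8080, True, 0, None),     # handshake, no data
    TcpSession("10.0.0.7", "203.0.113.12", 25, True, 20, None),      # too little data
    TcpSession("10.0.0.8", "203.0.113.13", 443, True, 500, "ssl"),   # identified
    TcpSession("10.0.0.9", "203.0.113.14", 9999, True, 300, None),   # enough data, no match
]
```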

Marshpillowz (Option: C)

C is correct

JRKhan (Option: A)

I believe A is correct. The key here is that the admin is reviewing traffic logs; if the TCP handshake didn't complete, then with default log settings it would not be recorded in the traffic log. Insufficient-data means that the TCP session was established and logged after the session ended, but there wasn't enough data for the firewall to establish the application type.

dgonz (Option: B)

Why not B?

jhenao89

B will be unknown-tcp

oelsayed (Option: C)

Agree on C

Lexus1323 (Option: C)

https://live.paloaltonetworks.com/t5/blogs/discussion-of-the-week-application-incomplete/ba-p/286965

confusion (Option: C)

C. Insufficient data would be if TCP was established, but there was not enough data to identify the app.

mysteryzjoker (Option: A)

A - Unknown-tcp means the firewall captured the three-way TCP handshake, but the application was not identified.

mysteryzjoker

Changed my mind! C. A would show as "unknown-tcp".

millosz222 (Option: C)

C should be C