Exam PCNSA
Question 214

An administrator is investigating a log entry for a session that is allowed and has the end reason of aged-out.

Which two fields could help in determining if this is normal? (Choose two.)

Correct Answer: A, B

To determine if a session end reason of 'aged-out' is normal, checking the IP Protocol and Packets sent/received fields can be insightful. The IP Protocol field helps identify the type of protocol used, such as UDP or ICMP, which are expected to end with 'aged-out' since they are stateless. The Packets sent/received field can indicate if the session was actively exchanging data. A typical 'aged-out' session might show activity or a pattern which is expected for certain protocols, thus helping to ascertain if it is normal behavior.
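A small triage script, added here as an illustration and not taken from the exam page or from Palo Alto Networks, that applies the two fields above to constructed log rows: aged-out on UDP/ICMP is treated as expected, aged-out on TCP with packets sent but none received is flagged for investigation. The column names and CSV layout are assumptions, not the real PAN-OS traffic log format.

```python
# Added example (not from the exam page or Palo Alto Networks): triage traffic
# log rows whose session end reason is "aged-out" using IP protocol and the
# packets sent/received counters.
import csv
import io

# Constructed sample rows in a simplified CSV shape; the column names are
# assumptions and do not follow the real PAN-OS traffic log field order.
SAMPLE_LOG = """\
action,proto,pkts_sent,pkts_received,session_end_reason
allow,udp,2,2,aged-out
allow,icmp,4,4,aged-out
allow,tcp,6,5,aged-out
allow,tcp,3,0,aged-out
allow,tcp,120,118,tcp-fin
"""


def triage_aged_out(row):
    """Return (verdict, reason) for one allowed traffic-log row."""
    if row["session_end_reason"] != "aged-out":
        return ("n/a", "not an aged-out session")
    proto = row["proto"].lower()
    sent = int(row["pkts_sent"])
    rcvd = int(row["pkts_received"])
    if proto in ("udp", "icmp"):
        # No graceful close exists for these protocols, so the session can
        # only end by idle timeout: aged-out is the normal end reason.
        return ("normal", f"{proto} sessions end by timeout")
    if proto == "tcp" and sent > 0 and rcvd == 0:
        # One-way traffic: packets left the firewall, nothing came back
        # (closed port, asymmetric routing, or a path problem downstream).
        return ("investigate", "tcp one-way traffic: sent but nothing received")
    if proto == "tcp":
        # Two-way traffic that still timed out: usually an idle client, but
        # worth a look against the configured session timeout.
        return ("review", "tcp aged-out with two-way traffic; check idle timeout")
    return ("review", f"unexpected protocol {proto}")


def triage_log(text):
    """Run the triage over a CSV log and return (proto, verdict) per row."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["proto"], triage_aged_out(r)[0]) for r in rows]


if __name__ == "__main__":
    for proto, verdict in triage_log(SAMPLE_LOG):
        print(f"{proto:5s} -> {verdict}")
```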

Discussion
Alex48694 (Options: AB)

Answer: AB. When monitoring the traffic logs using Monitor > logs > Traffic, some traffic is seen with the Session End Reason as aged-out. Any traffic that uses UDP or ICMP will have the session end reason aged-out in the traffic log. This is because, unlike TCP, there is no way for a graceful termination of a UDP session, and so aged-out is a legitimate session-end reason for UDP (and ICMP) sessions. Link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW

mushi4ka (Options: AB)

I would choose A and B as correct answers. For example: -- DNS traffic will show up as aged-out (answer A) -- TCP traffic can show 100 bytes sent, 0 bytes received, which can mean that traffic is dropped after the firewall, or the destination IP is not responding (answer B)

DatITGuyTho1337 (Options: AD)

Although I got it wrong at the time, reading the question again plus the discussion and this provided article (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMjLCAW) leads me to believe that the answer is actually "AD". This is because there are no such fields as "packets sent / packets received" in the detailed log view of a session, but the fields for "Action" and "Protocol" do exist. Based on the article, if the protocol is UDP then the aged-out reason is OK and can be ignored; the opposite is true for TCP, where a session with aged-out warrants further investigation.

cjace (Options: AB)

When investigating a log entry for a session that is allowed and has the end reason of "aged-out", the following two fields could help in determining if this is normal: IP Protocol: The protocol used can give insight into whether an "aged-out" session end reason is expected or not. For example, it's normal for UDP and ICMP sessions, which are stateless protocols, to have an "aged-out" session end reason. Packets sent/received: This can help determine if packets are correctly leaving the firewall. If the 'Packets Sent' count in the traffic log is high, but there's no corresponding 'Packets Received', it could indicate an issue such as the destination server not having an open port for the requested service, asymmetric routing, or a network path issue. So, the correct options from your list would be A. IP Protocol and B. Packets sent/received. Always refer to the latest documentation for the most accurate information.

Kalender (Options: AB)

TCP is OK only if "packets sent" and "packets received" are equal; otherwise there is an anomaly and it must be investigated. That is why the number of packets is important. On the other hand, the "action" must always be "allow", otherwise no traffic is possible.

OhEmGee (Options: AB)

Action for an 'allowed' session is always Allow. IP Protocol shows e.g. in case of UDP. Packets sent/received also indicate the reason for 'aged-out' traffic.

J2J2J2J (Options: AB)

Answer: AB For a session which is allowed, the action will be allow...