Exam PCNSE
Question 258

What are three reasons why an installed session can be identified with the "application incomplete" tag? (Choose three.)

    Correct Answer: A, C, E

    An installed session can be identified with the 'application incomplete' tag for three main reasons. First, if there was no application data after the TCP connection was established, it means there was insufficient information to identify the application over that session. Second, if the TCP connection was terminated without identifying any application data, it shows that the session ended before any meaningful application traffic could be analyzed. Finally, if the TCP connection did not fully establish, such as if the three-way handshake was incomplete, it indicates that the session itself was not properly set up to handle and recognize application traffic. Insufficient data after connection establishment generally falls under a different categorization and is not relevant to an 'application incomplete' tag.

Discussion
imokenzo (Options: ACE)

ACE is my thought. D is eliminated due to falling into "insufficient data" https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

scally (Options: ACE)

Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application. One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete. Insufficient data means not enough data to identify the application. So for example, if the three-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, then the user will see insufficient data in the application field of the traffic log.
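To make the distinction drawn in the answer text and in scally's comment concrete, here is an added Python example that is not part of this thread and not PAN-OS code: it folds constructed packet events into per-flow sessions and assigns the value the application field of the traffic log would show. The signature table and the "enough data" byte threshold that separates insufficient-data from unknown-tcp are assumptions made for the illustration.

```python
# Constructed toy signature table (not App-ID's real signatures): a client
# payload starting with one of these prefixes is "identified" as that app.
SIGNATURES = {b"GET ": "web-browsing", b"\x16\x03": "ssl", b"SSH-": "ssh"}
# Assumed threshold: with this many payload bytes and still no match, the engine
# has "enough" data and reports unknown-tcp instead of insufficient-data.
ENOUGH_DATA_BYTES = 64

HANDSHAKE = {"SYN", "SYN-ACK", "ACK"}  # events that make up a complete three-way handshake

def build_sessions(packets):
    """Fold (flow, event, payload) tuples into one session per flow; event is
    'SYN', 'SYN-ACK', 'ACK' or 'DATA' and flow is a constructed key string."""
    sessions = {}
    for flow, event, payload in packets:
        s = sessions.setdefault(flow, {"flags": set(), "payload": b""})  # created on first SYN
        if event == "DATA":
            s["payload"] += payload
        else:
            s["flags"].add(event)
    return sessions

def classify(s) -> str:
    """Return what the application field of the traffic log would show for a session."""
    if not HANDSHAKE <= s["flags"]:
        return "incomplete"          # three-way handshake never finished
    if not s["payload"]:
        return "incomplete"          # handshake done, but no application data at all
    for prefix, app in SIGNATURES.items():
        if s["payload"].startswith(prefix):
            return app
    if len(s["payload"]) < ENOUGH_DATA_BYTES:
        return "insufficient-data"   # some data, too little to match any signature
    return "unknown-tcp"             # enough data, still no match (assumed rule)

def handshake(flow):  # a completed three-way handshake for the given flow
    return [(flow, "SYN", b""), (flow, "SYN-ACK", b""), (flow, "ACK", b"")]

# Constructed packet sequences, one scenario per flow.
PACKETS = (
    [("f1", "SYN", b"")]                                          # server never answers the SYN
    + handshake("f2")                                             # handshake only, no data
    + handshake("f3") + [("f3", "DATA", b"\x00\x01")]             # one tiny data packet
    + handshake("f4") + [("f4", "DATA", b"GET / HTTP/1.1\r\n")]   # matches a signature
    + handshake("f5") + [("f5", "DATA", b"\x00" * 80)]            # plenty of data, no match
)

def report(packets=PACKETS):
    return {flow: classify(s) for flow, s in build_sessions(packets).items()}
```

Flows f1 and f2 both end up as incomplete (no handshake, or a handshake with no data), f3 as insufficient-data, f4 as web-browsing and f5 as unknown-tcp.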

hairysnowman (Options: ACE)

ACE is my thought as well. E would come up as 'incomplete' in the logs because the TCP session never fully establishes; i.e., the firewall didn't capture the three-way handshake.

hairysnowman

I meant ACD*.

hairysnowman

Ugh...just reread the question. ACE is right because of incomplete. Need more coffee...

GivemeMoney

ACE is right! D falls under Insufficient data and the question is for "application incomplete".

Elvenking

E is out because the session was installed per the question text.

Loloshikovichev

As per the Palo Alto document: "Incomplete means that either the three-way TCP handshake did not complete." That means the session will be created after the initial SYN packet. If no further packets were seen and the session expired with only 1 SYN, the app will be incomplete. So E is the correct option.

harrypogi

A is wrong. If the TCP connection was established yet App-ID still doesn't have enough data to identify the application, the application must be flagged as unknown-tcp or unknown-udp.

lildevil

I gotta ask... how many TCP connections do you see established yet flagged as unknown-udp?

scanossa

But A doesn't say "not enough"; it says "no application data" at all. So it is a different scenario.

datz (Options: ACE)

WRONG - D - "There is not enough application data after the TCP connection was established." Not enough app data means insufficient data in the application field. B - can't be B. So answer: ACE.

Incomplete in the application field: Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application. One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.

Insufficient data in the application field: Insufficient data means not enough data to identify the application. So for example, if the three-way TCP handshake completed and there was one data packet after the handshake but that one data packet was not enough to match any of our signatures, then the user will see insufficient data in the application field of the traffic log.

AbuHussain (Options: ACE)

It's ACE.

Metgatz (Options: ACE)

A, C, E are the best options.

Metgatz (Options: ACD)

Incomplete in the application field: Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application. One example is, if a client sends a server a SYN and the Palo Alto Networks device creates a session for that SYN, but the server never sends a SYN-ACK back to the client, then that session is incomplete.

sujss (Options: ACE)

D = insufficient data

DenskyDen (Options: ADE)

C is most likely a cause of unknown-tcp (TCP handshake, but the application was not identified). I presume the correct answer is ADE. Incomplete means that either the three-way TCP handshake did not complete OR the three-way TCP handshake did complete but there was "NOT ENOUGH" data after the handshake to identify the application. In other words, the traffic being seen is not really an application.

DenskyDen

Reading it again. I'm going for ACE.

secdaddy (Options: ADE)

ADE makes sense - from the KB: "Incomplete means that either the three-way TCP handshake did not complete (E) OR the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application." (A and D both)

secdaddy

Never mind - I see your point re D = insufficient data.

shinichi_88 (Options: ACE)

ACE, just checked.