Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 257
A session in the Traffic log is reporting the application as `incomplete`.
What does `incomplete` mean?
Answer options
- A. The three-way TCP handshake was observed, but the application could not be identified.
- B. The three-way TCP handshake did not complete.
- C. The traffic is coming across UDP, and the application could not be identified.
- D. Data was received but was instantly discarded because a Deny policy was applied before App-ID could be applied.
Correct answer: B
Explanation
The correct answer is B because an `incomplete` session indicates that the three-way TCP handshake did not finish, which means the connection was not fully established. Option A is incorrect as it implies the handshake was completed, while options C and D refer to different scenarios not related to the TCP handshake completion.