Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 399
An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output.
Which troubleshooting command should the engineer use to work around this issue?
Answer options
- A. set deviceconfig setting tcp asymmetric-path drop
- B. set session tcp-reject-non-syn yes
- C. set deviceconfig setting tcp asymmetric-path bypass
- D. set deviceconfig setting session tcp-reject-non-syn no
Correct answer: D
Explanation
The correct answer, D, allows non-SYN packets to be accepted. In an asymmetric environment the firewall may not see the SYN that opens a TCP session, so it drops the packets that follow as non-SYN TCP, and each drop increments the flow_tcp_non_syn_drop counter; accepting those packets works around the issue. Options A and C would further exacerbate the problem by dropping packets, while option B would reject non-SYN packets, which is not the desired solution in this scenario.