Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 513
A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this.
Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
Answer options
- A. # set deviceconfig setting session tcp-reject-non-syn no
- B. Navigate to Network > Zone Protection. Click Add. Select Packet Based Attack Protection > TCP/IP Drop. Set "Reject Non-syn-TCP" to Global. Set "Asymmetric Path" to Global.
- C. Navigate to Network > Zone Protection. Click Add. Select Packet Based Attack Protection > TCP/IP Drop. Set "Reject Non-syn-TCP" to No. Set "Asymmetric Path" to Bypass.
- D. > set session tcp-reject-non-syn no
Correct answer: A, C
Explanation
Option A and Option C are correct because they modify the firewall's configuration to allow traffic that doesn't follow the expected TCP session initiation. Option B is incorrect as it sets the rejection of non-SYN packets to a global setting, which would continue to drop the traffic. Option D is also incorrect because it uses an invalid command syntax that does not match the required configuration for this scenario.