Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 532
After some firewall configuration changes, an administrator discovers that application identification has started failing. The administrator investigates further and notices that a high number of sessions were going to a discard state with the application showing as unknown-tcp.
Which possible firewall change could have caused this issue?
Answer options
- A. enabling Forward segments that exceed the TCP App-ID inspection queue in Device > Setup > Content-ID > Content-ID Settings
- B. enabling Forward segments that exceed the TCP content inspection queue in Device > Setup > Content-ID > Content-ID Settings
- C. Jumbo frames were enabled on the firewall, which reduced the App-ID queue size and the number of available packet buffers.
- D. Jumbo frames were disabled on the firewall, which reduced the queue sizes dedicated for out-of-order and application identification.
Correct answer: C
Explanation
The correct answer is C. The two "Forward segments exceeding ... inspection queue" settings in options A and B control what the firewall does when a TCP session's App-ID queue or content-inspection queue is full: with the option enabled, the excess segments are forwarded without that inspection; with it disabled, they are dropped. Enabling either option therefore cannot push sessions into a discard state; if anything it reduces drops, and both are enabled by default in PAN-OS. Option D is backwards: disabling jumbo frames frees buffer memory rather than shrinking any queue. Option C matches the documented side effect of jumbo frames: every packet buffer must be large enough to hold a jumbo frame, so enabling the feature reduces the number of available packet buffers and shrinks the per-session out-of-order and App-ID queues. With a smaller App-ID queue, more sessions overflow it before the application is identified; the excess segments are then dropped, the session goes to the discard state, and the application is still unknown-tcp, which is exactly the symptom described.
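The PAN-OS CLI checks an operator would run to confirm which of these changes is in play on a live firewall, added here as an example and not part of the exam question. The commands are standard PAN-OS operational commands, but output fields vary by PAN-OS version; the `#` lines are annotations, not CLI input, and `admin@PA>` is a placeholder prompt.

```console
# 1. Quantify the symptom: discarded sessions whose application never got identified.
admin@PA> show session all filter state discard application unknown-tcp

# 2. Check whether jumbo frames are enabled (the change behind option C).
admin@PA> show system setting jumbo-frame

# 3. Check the App-ID / content-inspection queue overflow behaviour
#    (the settings named in options A and B).
admin@PA> show running application setting

# 4. Watch drop counters over a short interval; exhausted packet buffers and
#    overflowing App-ID queues show up here as rising drop counters.
admin@PA> show counter global filter delta yes severity drop

# 5. Dataplane packet-buffer utilization for the last minute.
admin@PA> show running resource-monitor second last 60
```

If jumbo frames are on and the drop counters keep climbing while unknown-tcp sessions are discarded, revert the jumbo frame change (Device > Setup > Session); a reboot is required before the buffer allocation returns to normal. Leaving the "Forward segments exceeding TCP App-ID inspection queue" option enabled is the safer default, since the alternative is the drops this question describes.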