Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 535
An engineer has been tasked with reviewing traffic logs to find applications the firewall is unable to identify with App-ID.
Why would the application field display as incomplete?
Answer options
- A. There is insufficient application data after the TCP connection was established.
- B. The TCP connection was terminated without identifying any application data.
- C. The TCP connection did not fully establish.
- D. The client sent a TCP segment with the PUSH flag set.
Correct answer: C
Explanation
The correct answer is C: if the TCP connection did not fully establish, the firewall does not have the data it needs to identify the application. Options A and B suggest that application data was present at some point, which contradicts the scenario of an incomplete application field. Option D refers to a specific TCP behavior that does not affect the firewall's ability to identify applications.