Question 10 - Palo Alto Networks PCNSE (PAN OS 11) Real Exam Questions [Jan 2026 Update]

Q: 10

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)

Options

Correct Answer:

A, D

Explanation

Asymmetric routing causes the firewall to see only one direction of a traffic flow. This results in the firewall dropping packets for two main reasons: the initial packet it sees may not be a TCP SYN, and subsequent packets will not match an existing session.

To permanently allow this traffic, two actions can be taken:

1. Configure a Zone Protection Profile to apply to the affected zone(s). In this profile, setting Asymmetric Path to Bypass and Reject Non-syn-TCP to No instructs the firewall to permit asymmetrically routed traffic for that specific zone (Option A).

2. Globally disable the setting that rejects TCP sessions not initiated with a SYN packet. This is done using the configuration mode CLI command set deviceconfig setting session tcp-reject-non-syn no and then committing the change (Option D).

Why Incorrect

B: The > prompt indicates an operational mode command. This change is temporary and will not persist after a firewall reboot, failing the "permanently" requirement.

C: Setting the options to "Global" in a Zone Protection Profile instructs the firewall to use the system-wide default setting, which is to drop this traffic. This does not change the behavior to allow it.

References

1. Palo Alto Networks PAN-OS® Administrator's Guide 10.2

"Configure Zone Protection for Packet-Based Attack Protection": This section details the settings within a Zone Protection Profile. It states for "Reject Non-SYN TCP

" you can select "no to disable this protection." For "Asymmetric Path

" it states

"Select bypass to allow asymmetric routing." This validates the settings described in option A.

2. Palo Alto Networks PAN-OS® Administrator's Guide 10.2

"Session Settings": This document describes the global session settings. It confirms that tcp-reject-non-syn is a global setting that is enabled by default to protect against TCP session spoofing attacks. Disabling it is a common solution for asymmetric routing issues.

3. Palo Alto Networks CLI Reference Guide

"set deviceconfig setting session": This guide confirms that set deviceconfig setting session tcp-reject-non-syn no is the correct command syntax for permanently modifying the firewall's global session configuration. The # prompt signifies configuration mode

where changes can be committed and made permanent.

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE