
Palo Alto Networks Exam PCNSE Topic 11 Question 78 Discussion

Actual exam question for Palo Alto Networks's Palo Alto Networks Certified Security Engineer PAN-OS 11.0 exam
Question #: 78
Topic #: 11

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations.

The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes.

The engineer reviews the following CLI output for ethernet1/1.

Which setting should be modified on ethernet1/1 to remedy this problem?

Suggested Answer: D

The engineer should adjust the TCP maximum segment size (MSS) value on ethernet1/1 to remedy this problem. This is because the MTU on an upstream router interface is set to 1400 bytes, which is causing the return traffic from the web servers to not reach the users behind the firewall. By adjusting the TCP MSS value, the engineer can ensure that the return traffic is able to reach the users without any issues.

The TCP MSS is the maximum amount of data that can be carried in a single TCP segment, excluding the TCP and IP headers. The TCP MSS is usually derived from the MTU of the underlying network, which is the largest packet size that can be transmitted without fragmentation. For example, if the MTU is 1500 bytes, which is the default value for Ethernet interfaces, then the TCP MSS is 1460 bytes (1500 - 20 bytes for the IP header - 20 bytes for the TCP header). However, if there are intermediate devices or networks along the end-to-end path with a lower MTU than the endpoints assume, then the TCP MSS may need to be adjusted accordingly to avoid packet loss or fragmentation [1].

In this case, the firewall has an MTU of 1500 bytes on ethernet1/1, which is connected to a WAN link. However, an upstream router has an MTU of 1400 bytes on its interface, which means that any packet larger than 1400 bytes will be either dropped or fragmented by the router. This causes problems for the return traffic from the web servers, which may use a TCP MSS of 1460 bytes or higher, depending on their own MTU settings. If these packets have the Don't Fragment (DF) bit set in their IP header, which is common for TCP packets, they will be dropped by the router and never reach the firewall or the users behind it. If they do not have the DF bit set, they will be fragmented by the router and reassembled by the firewall, which adds overhead and degrades performance [2].

To avoid these problems, the engineer should adjust the TCP MSS value on ethernet1/1 to match or be lower than the MTU of the upstream router. This can be done with the CLI command set network interface ethernet ethernet1/1 tcp-mss <value>, where <value> is an integer between 64 and 1500 [3]. For example, if the engineer sets the TCP MSS value to 1360 bytes (1400 - 20 - 20), then any TCP packet sent or received through ethernet1/1 will not exceed 1400 bytes in total size and so will not be dropped or fragmented by the router. This allows the return traffic from the web servers to reach the users behind the firewall without any issues [4].
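The MSS arithmetic and the DF-bit behaviour described above, modelled as a small simulation. This is an added example, not code from the exam page or from PAN-OS; packets are plain dicts, the header sizes and the 1400-byte hop are taken from the question, and the MSS clamp stands in for the interface setting the suggested answer refers to.

```python
"""Constructed model of the question's scenario: a client behind a firewall
(ethernet1/1 at MTU 1500) downloads from a web server across an upstream
router hop whose interface MTU is 1400 bytes."""

IPV4_HEADER = 20   # bytes, IPv4 header without options
TCP_HEADER = 20    # bytes, TCP header without options


def mss_for_mtu(mtu: int) -> int:
    """Largest MSS whose full segment still fits in the given MTU (1400 -> 1360)."""
    return mtu - IPV4_HEADER - TCP_HEADER


def clamp_syn_mss(syn: dict, mss_limit: int) -> dict:
    """What an MSS-adjusting interface does to a passing SYN: lower the
    advertised MSS option if it is above the configured limit (assumed behaviour)."""
    clamped = dict(syn)
    clamped["mss"] = min(syn["mss"], mss_limit)
    return clamped


def router_forward(packet_len: int, link_mtu: int, df: bool) -> str:
    """How an IPv4 hop treats a packet relative to its link MTU."""
    if packet_len <= link_mtu:
        return "forwarded"
    return "dropped" if df else "fragmented"


def simulate_download(client_mss_limit: int, router_mtu: int,
                      server_mtu: int = 1500, df: bool = True) -> str:
    """Client SYN crosses the firewall, the server answers with a full-size
    segment; return what the upstream hop does to that return segment."""
    syn = {"mss": mss_for_mtu(1500)}                  # client advertises 1460
    syn = clamp_syn_mss(syn, client_mss_limit)        # firewall may lower it
    # The server never sends more payload than the client advertised.
    payload = min(mss_for_mtu(server_mtu), syn["mss"])
    return router_forward(payload + IPV4_HEADER + TCP_HEADER, router_mtu, df)


if __name__ == "__main__":
    print("no clamp, DF set:   ", simulate_download(1460, 1400))          # dropped
    print("no clamp, DF clear: ", simulate_download(1460, 1400, df=False))  # fragmented
    print("clamp to 1360:      ", simulate_download(1360, 1400))          # forwarded
```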


Contribute your Thoughts:

Barney
6 months ago
Option B, enabling the Ignore IPv4 Don't Fragment (DF) setting, could also be a valid choice. That would allow the packets to be fragmented and reassembled at the destination, potentially bypassing the MTU issue.
upvoted 0 times
Erinn
6 months ago
I agree with Jani. Modifying the MSS value is the best solution here. That way, the TCP packets will be fragmented to a size that can be transmitted through the 1400-byte MTU link.
upvoted 0 times
Jani
6 months ago
Hmm, I think the answer is D. Adjusting the TCP maximum segment size (MSS) value should help resolve the issue. Since the upstream router's MTU is set to 1400 bytes, we need to ensure the TCP packets don't exceed that size, or they'll get dropped.
upvoted 0 times
Clorinda
6 months ago
D) Adjust the TCP maximum segment size (MSS) value.
upvoted 0 times
Tricia
6 months ago
C) Change the subnet mask from /23 to /24.
upvoted 0 times
Fairy
6 months ago
B) Enable the Ignore IPv4 Don't Fragment (DF) setting.
upvoted 0 times
Sean
6 months ago
A) Lower the interface MTU value below 1500.
upvoted 0 times
Cyril
6 months ago
This question seems tricky. The key information here is that the MTU on the upstream router is set to 1400 bytes, which is causing issues with the return traffic from the web servers. We need to find a way to remedy this problem.
upvoted 0 times