Exam PCNSE topic 1 question 252 discussion

I believe A is correct.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection "The firewall is a session-based device that isn’t designed to scale to millions of connections-per-second (CPS) to defend against large volumetric DoS attacks"

B is wrong, it's specifically about DoS protection. D is correct, it's about deploying multiple firewalls for network segmentation.

D is the only reasonable one

I think it's B. Let's see: Option A tells you something that is not true, because the Palo Alto does not protect your network at all cyberattack lifecycle (for example, if you don't block an exploit delivery, then only endpoint protection could stop the next step which is exploitation and installation). Option D is not true because Zone Protection Profiles protect System (Firewall) Resources within the complete zone on which it's applied (remember ZP is granular, you decide where and where not to place it). Option C could be true, but assuming the question, the admin already has fws in the perimeter area, if he didn't, the SE wouldn't suggest to put the fws close to the servers and organizational systems. Regards.

Answer is B. The firewall is a session-based device that isn’t designed to scale to millions of connections-per-second (CPS) to defend against large volumetric DoS attacks. For the best DoS protection, place firewalls as close to the resources you’re protecting as possible. This reduces the number of sessions the firewall needs to handle and therefore the amount of firewall resources required to provide DoS protection.

I will choose D. The question said "purchase more firewall", but not "purchase a higher ended model firewall". Multiple Firewalls put on the core network? How can it be connected? If for "more" firewalls which run the same security posture, it should be put as closes as the resources (i.e. servers sides). So it must be "Yes". Then Firewalls are session-based and it is truth, then so? "D" should be more correct so it can define specific security policy for the specific protected resource.

B is correct always place firewalls behind high-volume devices.

Definitevely B

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection

B This was mentioned in PBP section

Answers make no sense. Yes firewall should be closer in terms of DDoS protection. But palo has firewalls with up to 4 million CPS, so answer B is not the correct one as firewalls can scale to millions of CPS. Answer D makes no sense as well, what kind of tailoring to operating systems?

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection

B is the correct answer https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection

Why not B? "The firewall is a session-based device that isn’t designed to scale to millions of connections-per-second (CPS) to defend against large volumetric DoS attacks." "For the best DoS protection, place firewalls as close to the resources you’re protecting as possible. This reduces the number of sessions the firewall needs to handle and therefore the amount of firewall resources required to provide DoS protection."

Agree with D.

D interesting they used the word "Firewalls" in the other three answers, and in the answer linked documented the word "Tailor" is used, which reads more like subconscious marketing.