Exam PCNSE topic 1 question 286 discussion

Correct option is A the question is about best practice. I don't think disabling Zone Protection would be a best practice regardless of circumstances.

Log Forwarding—For easier management, forward DoS logs separately from other Threat logs directly to administrators via email and to a log server. - https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices

lol the answer is D , that's a big no no it's best practice to use separate log forwarding profiles for DoS and ZPP event logs

Option A - "For easier management, use separate log forwarding profiles to forward DoS and zone threshold event logs separately from other Threat logs." Best Practices: https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices

Reviewing DoS (Denial of Service) threat activity in the Block Activity section of the ACC (Application Command Center) and looking for patterns of abuse is an important step in ensuring effective zone protection. By monitoring and analyzing DoS threat activity, you can identify potential attacks and take appropriate actions to mitigate them.

https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices "For easier management, use separate log forwarding profiles to forward DoS and zone threshold event logs separately from other Threat logs."

is D because the kb says Log Forwarding—For easier management, forward DoS logs separately from other Threat logs directly to administrators via email and to a log server. only for easier mgmt but the real thing here are the fw resources

A Disabling zone protection because not enough resources is hardly best practices. Best practice would be to size the appliance accordingly in the first place and so make D obsolete. Then A is correct. https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices

Look this. "Measure firewall performance to ensure it’s within acceptable norms and so you understand the effect of zone and DoS protection on firewall resources. If the levels of zone and DoS protection (combined with other resource-consuming features such as decryption) consume too many firewall resources, the best practice is to scale up the resources rather than to compromise security." So, the answer is not D. It's A.

https://docs.paloaltonetworks.com/best-practices/10-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices

https://docs.paloaltonetworks.com/best-practices/10-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices

annoyingly both A & B are included in the link: https://docs.paloaltonetworks.com/best-practices/9-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices

A is correct answer. (Log forwarding) Palo will never tell you as Best practice to disable security....

https://docs.paloaltonetworks.com/best-practices/10-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices Log Forwarding—For easier management, forward DoS logs separately from other Threat logs directly to administrators via email and to a log server.

https://docs.paloaltonetworks.com/best-practices/9-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices