Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 608
While investigating a SYN flood attack, the firewall administrator discovers that legitimate traffic is also being dropped by the DoS profile.
If the DoS profile action is set to Random Early Drop, what should the administrator do to limit the drop to only the attacking sessions?
Answer options
- A. Enable resources protection under the DoS Protection profile.
- B. Change the SYN flood action from Random Early Drop to SYN cookies.
- C. Increase the activate rate for the SYN flood protection.
- D. Change the DoS Protection profile type from aggregate to classified.
Correct answer: B
Explanation
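Random Early Drop discards incoming SYN packets at random once the configured rate threshold is exceeded, so it cannot tell legitimate connection attempts from attack traffic. With SYN cookies, the firewall answers each SYN with a SYN-ACK that carries a cookie and completes the connection only for clients that return a valid ACK. Legitimate clients finish the handshake, while the attacking sessions never do and are dropped, which reduces false positives. The other options either do not directly address the issue of legitimate traffic being dropped or may not effectively differentiate between attack sessions and legitimate traffic.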