Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 94

A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks.
How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)?

Answer options

• A. Define a custom App-ID to ensure that only legitimate application traffic reaches the server.
• B. Add a Vulnerability Protection Profile to block the attack.
• C. Add QoS Profiles to throttle incoming requests.
• D. Add a DoS Protection Profile with defined session count.

Correct answer: D

Explanation

The correct answer is D, as adding a DoS Protection Profile with defined session count directly addresses the issue of resource exhaustion by limiting the number of concurrent sessions from multiple sources. Option A, while helpful for traffic legitimacy, does not specifically prevent resource exhaustion. Option B focuses on vulnerability protection, which is not specifically designed for DDoS attacks. Option C deals with request throttling, but it may not be as effective in managing resource limits as a dedicated DoS Protection Profile.