What is considered the best practice with regards to zone protection?
The best practice with regards to zone protection is to use separate log-forwarding profiles to forward DoS and zone threshold event logs separately from other threat logs. This practice allows for easier management and better monitoring of specific security events related to Denial of Service attacks and zone protection, ensuring they are addressed promptly without mixing them with other types of threat logs.
https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices "For easier management, use separate log forwarding profiles to forward DoS and zone threshold event logs separately from other Threat logs."
A. Disabling zone protection because of not enough resources is hardly best practice. Best practice would be to size the appliance accordingly in the first place and so make D obsolete. Then A is correct. https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices
https://docs.paloaltonetworks.com/best-practices/10-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices Log Forwarding—For easier management, forward DoS logs separately from other Threat logs directly to administrators via email and to a log server.
Look at this: "Measure firewall performance to ensure it’s within acceptable norms and so you understand the effect of zone and DoS protection on firewall resources. If the levels of zone and DoS protection (combined with other resource-consuming features such as decryption) consume too many firewall resources, the best practice is to scale up the resources rather than to compromise security." So, the answer is not D. It's A.
Correct option is A; the question is about best practice. I don't think disabling Zone Protection would be a best practice regardless of circumstances.
Log Forwarding—For easier management, forward DoS logs separately from other Threat logs directly to administrators via email and to a log server. - https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices
lol the answer is D, that's a big no-no. It's best practice to use separate log forwarding profiles for DoS and ZPP event logs.
Option A - "For easier management, use separate log forwarding profiles to forward DoS and zone threshold event logs separately from other Threat logs." Best Practices: https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices
Reviewing DoS (Denial of Service) threat activity in the Block Activity section of the ACC (Application Command Center) and looking for patterns of abuse is an important step in ensuring effective zone protection. By monitoring and analyzing DoS threat activity, you can identify potential attacks and take appropriate actions to mitigate them.
It is D because the KB says "Log Forwarding—For easier management, forward DoS logs separately from other Threat logs directly to administrators via email and to a log server." only for easier management, but the real thing here is the firewall resources.
https://docs.paloaltonetworks.com/best-practices/10-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices
https://docs.paloaltonetworks.com/best-practices/10-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/deploy-dos-and-zone-protection-using-best-practices
Annoyingly, both A & B are included in the link: https://docs.paloaltonetworks.com/best-practices/9-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices
B is incorrect. The link says (ACC > Threat Activity), NOT (ACC > Block Activity) like stated in B.
A is the correct answer. (Log forwarding) Palo will never tell you as best practice to disable security....
https://docs.paloaltonetworks.com/best-practices/9-1/dos-and-zone-protection-best-practices/dos-and-zone-protection-best-practices/follow-post-deployment-dos-and-zone-protection-best-practices
"Review DoS threat activity (ACC > Threat Activity) and look for patterns of abuse." Correct is A.