Exam PCNSE
Question 252

An organization's administrator has the funds available to purchase more firewalls to increase the organization's security posture.

The partner SE recommends placing the firewalls as close as possible to the resources that they protect.

Is the SE's advice correct, and why or why not?

    Correct Answer: D

    Yes. Placing firewalls closer to protected resources allows for more granular control over security policies through Zone Protection profiles. These profiles can be specifically configured to match the particular characteristics of different device types and operating systems within the protected zones. This tailored approach improves the effectiveness of the firewall in mitigating threats and managing traffic based on the specific needs of each protected resource.

Discussion
Micutzu (Option: A)

I believe A is correct.

joquin0020

SO DO I

TAKUM1y (Option: B)

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection "The firewall is a session-based device that isn’t designed to scale to millions of connections-per-second (CPS) to defend against large volumetric DoS attacks"

john_smith (Option: D)

Why not B? "The firewall is a session-based device that isn’t designed to scale to millions of connections-per-second (CPS) to defend against large volumetric DoS attacks." "For the best DoS protection, place firewalls as close to the resources you’re protecting as possible. This reduces the number of sessions the firewall needs to handle and therefore the amount of firewall resources required to provide DoS protection."

ericksc9514 (Option: B)

B is correct https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection

DavidBackham2020 (Option: B)

It is definitely a "Yes" answer. I would go with B, since you cannot "tailor" the zone protection profile as described in D. You cannot define any device types and OSs in a zone protection profile. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/building-blocks-of-zone-protection-profiles.html#id463e1210-c858-4712-8d34-66b5fb587c2e

homersimpson (Option: D)

Terrible question, it doesn't explain what they mean by "closer". Anyway, if this question is about Zone Protection, then D is correct because the "closer" the fw is to the resources, the more specific the zone protection profile can be. In other words, instead of zone "DMZ" protecting 2 web servers and a file server with a general ZP profile, you can have zone "WEB" with the 2 webservers and zone "FILE" with the file server. Then each zone will have its own specific ZP profile. (Remember that ZP profiles have no specific targets, they only protect a zone in its entirety.)

Whizdhum (Option: B)

Answer is B. The firewall is a session-based device that isn’t designed to scale to millions of connections-per-second (CPS) to defend against large volumetric DoS attacks. For the best DoS protection, place firewalls as close to the resources you’re protecting as possible. This reduces the number of sessions the firewall needs to handle and therefore the amount of firewall resources required to provide DoS protection.

Sarbi (Option: B)

B is correct: always place firewalls behind high-volume devices.

Khs01 (Option: B)

Definitely B

UFanat (Option: B)

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection

Abu_Muhammad (Option: B)

B. This was mentioned in the PBP section.

mikecorleone88 (Option: B)

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection

gc999 (Option: D)

I will choose D. The question said "purchase more firewall", but not "purchase a higher ended model firewall". Multiple firewalls put on the core network? How can they be connected? If it is for "more" firewalls which run the same security posture, they should be put as close as possible to the resources (i.e. the server side). So it must be "Yes". Firewalls are session-based, and that is true, but so what? "D" should be more correct, so it can define a specific security policy for the specific protected resource.

Loloshikovichev (Option: C)

Answers make no sense. Yes, the firewall should be closer in terms of DDoS protection. But Palo has firewalls with up to 4 million CPS, so answer B is not the correct one as firewalls can scale to millions of CPS. Answer D makes no sense as well, what kind of tailoring to operating systems?

secdaddy

Choose the least bad answer then, which is B. The fewer sessions a firewall will need to handle (i.e. because it's behind a DDoS screen or because routing of flows to other parts of the network reduces the flows going across this firewall towards the specific protected resources) the less the customer needs to spend on the hardware.

Mp84047 (Option: B)

B is the correct answer https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/firewall-placement-for-dos-protection

prosto_marussia (Option: D)

Agree with D.

GivemeMoney (Option: D)

D. Interesting they used the word "Firewalls" in the other three answers, and in the answer linked documented the word "Tailor" is used, which reads more like subconscious marketing.