An NGFW (Next-Generation Firewall) determines whether new session setups are legitimate or illegitimate by using SYN flood protection, which is a key component of DoS/DDoS mitigation.

How SYN Flood Protection Works in an NGFW:
Detects High SYN Traffic Rates – SYN flood attacks occur when a large number of half-open TCP connections are created, overwhelming a server or firewall.
Implements SYN Cookies or Rate-Limiting – To mitigate attacks, the NGFW applies SYN cookies or connection rate limits to filter out illegitimate connection attempts.
Maintains a Secure State Table – The firewall tracks legitimate and suspicious SYN requests, ensuring only genuine connections are allowed through.
Protects Against TCP-Based Attacks – Prevents resource exhaustion caused by attackers flooding SYN packets without completing the TCP handshake.

Why Other Options Are Incorrect?
B. SYN bit ❌
Incorrect, because the SYN bit is just a flag in the TCP header used to initiate a connection—it does not help distinguish between legitimate and illegitimate sessions.
C. Random Early Detection (RED) ❌
Incorrect, because RED is used in congestion avoidance for queuing mechanisms, not for TCP session validation.
D. SYN cookies ❌
Incorrect, because SYN cookies are a method used within SYN flood protection, but they are just one part of the larger SYN flood protection mechanism implemented in NGFWs.

References to Firewall Deployment and Security Features:
Firewall Deployment – SYN flood protection is a core feature of Palo Alto NGFWs.
Security Policies – Helps enforce rate-limiting and SYN cookie mechanisms to prevent DoS attacks.
VPN Configurations – Prevents SYN flood attacks from affecting IPsec VPN gateways.
Threat Prevention – Works alongside intrusion prevention systems (IPS) to block TCP-based attacks.
WildFire Integration – Not directly related but ensures malware-infected bots don't launch SYN flood attacks.
Zero Trust Architectures – Protects trusted network zones by preventing unauthorized connection attempts.

Thus, the correct answer is: ✅ A. SYN flood protection
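The relationship between SYN flood protection and SYN cookies described above, as an added Python sketch (not from the original page and not any vendor's implementation): a rate check decides whether a SYN gets a state-table entry or a stateless cookie, and the completing ACK is accepted only if it echoes the right value. The class and function names, the secret, the threshold and the 64-second time slot are assumptions for illustration; real SYN cookies also encode the MSS.

```python
import hashlib
import hmac
import secrets
import struct

SECRET = b"constructed-demo-key"  # assumption: per-device secret, rotated in practice
ACTIVATE_RATE = 3                 # assumption: SYNs per second before cookies are used

def syn_cookie(src, sport, dst, dport, client_isn, slot):
    """Derive a 32-bit server ISN from the 4-tuple, client ISN and time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}".encode() + struct.pack("!Iq", client_isn, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

class SynFloodGuard:
    def __init__(self):
        self.half_open = {}   # state table: 4-tuple -> server ISN we sent
        self.syn_times = []   # SYN arrival times inside the last second

    def on_syn(self, tup, client_isn, now):
        """Return (mode, server_isn) describing the SYN-ACK to send."""
        self.syn_times = [t for t in self.syn_times if now - t < 1.0] + [now]
        if len(self.syn_times) > ACTIVATE_RATE:
            # Flood suspected: answer with a cookie and keep no per-connection state.
            return "cookie", syn_cookie(*tup, client_isn, int(now) // 64)
        isn = secrets.randbits(32)
        self.half_open[tup] = isn
        return "stateful", isn

    def on_ack(self, tup, seq, ack, now):
        """Accept the completing ACK only if it acknowledges the ISN we sent."""
        expected = (ack - 1) % 2**32
        if self.half_open.get(tup) == expected:
            del self.half_open[tup]
            return True
        # No state: recompute the cookie for the current and previous time slot.
        client_isn = (seq - 1) % 2**32
        slot = int(now) // 64
        return any(syn_cookie(*tup, client_isn, s) == expected for s in (slot, slot - 1))
```

A spoofed source never sees the SYN-ACK, so it cannot produce the matching ACK, and in cookie mode its SYNs consume no state-table entries.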