Question 6 - Palo Alto Networks NetSec-Pro Real Exam Questions [Jan 2026 Update]

Q: 6

Which functionality does an NGFW use to determine whether new session setups are legitimate or illegitimate?

Options

Discussion

Arjun C. Jan 20, 2026 6:55 am

Option B. SYN cookies. They're what NGFWs use to make sure a TCP handshake is legit before session setup. This came up in the official guide if I remember right. Somebody correct me if you think it's a trick question.

Ishaan N. Jan 22, 2026 2:53 am

I don’t think D is right here. B is the one that actually verifies if the handshake’s legit using SYN cookies, while D is just the broader protection against floods. I’ve seen a similar question and B was the expected answer. Disagree?

Alex Jan 22, 2026 8:59 am

QuietLearner441 Jan 21, 2026 3:02 pm

Pretty confident it's B here. SYN cookies actually handle the verification of a real handshake, which is exactly what they're asking.

Maya Jan 7, 2026 10:10 am

This is about the actual handshake check, not just protection: so it's B. SYN cookies let the NGFW validate if the client really got the SYN-ACK, proving legitimacy before a new session spins up. D (SYN flood protection) is broader but doesn't describe how legitimacy is determined. I think B's correct but correct me if I'm missing a catch here.

Jamie Y. Jan 11, 2026 10:22 am

I get why people might pick D since it's related to attacks, but the actual session legitimacy check is with SYN cookies (B). Pretty sure B is the right call here. Trap is mixing up prevention and verification.

Emma P. Jan 20, 2026 4:29 am

Probably B. SYN cookies help the NGFW verify if the handshake is genuine before allocating resources, especially against spoofed SYNs. Seen this in some practice material. Open to pushback if anyone's seen different.

Taylor W. Jan 7, 2026 5:08 pm

B tbh, SYN cookies are used to check if that TCP handshake is real before setting up resources. Seen similar on practice tests, question's clear and straight to the point.

Be respectful. No spam.

Correct Answer:

Explanation

SYN cookies are a specific technique used by a Next-Generation Firewall (NGFW) to handle and validate TCP session initiations, particularly to mitigate SYN flood attacks. When this protection is active, the NGFW intercepts an initial SYN packet. Instead of immediately allocating resources for a new session, it sends a SYN-ACK packet back to the source with a specially crafted sequence number (the "cookie"). A legitimate client will respond with an ACK packet containing the correct incremented cookie value. The NGFW validates this ACK, confirming the client is legitimate and not a spoofed source, before establishing the session. This process effectively determines the legitimacy of the session setup request.

Why Incorrect

A. SYN bit: The SYN bit is a standard flag in a TCP header used to initiate a connection; it is present in both legitimate and malicious SYN packets and is not a determination mechanism itself.

C. Random Early Detection (RED): RED is a congestion avoidance algorithm that drops packets to manage queue length. It does not validate the legitimacy of the source initiating a session.

D. SYN flood protection: This is the name of the overall security feature or category of protection. SYN cookies (Option B) are a specific method or functionality used to implement SYN flood protection, making it the more precise answer.

References

1. Palo Alto Networks Documentation

"SYN Flood Protection." This document details the two primary modes for SYN flood protection: SYN Cookies and Random Early Drop (RED). It explains that the SYN Cookies method actively validates the client. The firewall sends a SYN-ACK with a cookie and waits for a valid ACK from the client before allowing the session. This directly confirms the client's legitimacy.

Reference: Palo Alto Networks Administrator's Guide (PAN-OS)

section on "Zone Protection for DoS Attacks

" subsection "SYN Flood Protection."

2. Palo Alto Networks Documentation

"Packet-Based Attack Protection." This resource describes how Zone Protection profiles and DoS Protection policies use mechanisms like SYN cookies to protect against reconnaissance and flooding attacks. It differentiates between RED (a congestion control method) and SYN Cookies (a client validation method).

Reference: Palo Alto Networks PAN-OS® Administrator's Guide

section on "DoS and Zone Protection

" subsection "Configure Flood Protection."

3. Bernstein

D. J. (2002). "SYN cookies." This is the foundational resource explaining the mechanism. While not a Palo Alto document

it is the seminal work defining the technology that Palo Alto Networks implements. It details how cookies are constructed and used to validate a client's ACK response without pre-allocating state on the server/firewall

thus verifying the session initiator.

Source: D. J. Bernstein's official page on SYN Cookies. (This is a foundational computer science resource often cited in university curricula).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE