Palo Alto Networks

PCNSA

Palo Alto Networks Certified Network Security Administrator

Associate PCNSA Content Available

Prove you can administer and operate Palo Alto Networks next-generation firewalls.

Exam Code: PCNSA
Duration: 80 minutes
Questions: 75
Passing Score: Determined by Pearson VUE
Validity: 2 years
Exam Cost: $175 USD

About PCNSA

The Palo Alto Networks Certified Network Security Administrator (PCNSA) validates your ability to deploy, configure, and operate Palo Alto Networks next-generation firewalls to protect networks from modern cyberthreats. It is the entry-level certification in the Palo Alto Networks certification track and serves as a prerequisite for the professional-level PCNSE. The exam covers the full administrative lifecycle of PAN-OS — from initial platform setup through security policy, NAT, App-ID, Content-ID, User-ID, and foundational VPN and decryption features. It is platform-agnostic but focuses on PAN-OS running on physical hardware, virtual machines (VM-Series), and Panorama-managed deployments. Whether you work as a firewall administrator, security operations analyst, or network engineer responsible for perimeter security, the PCNSA provides the recognised benchmark for hands-on Palo Alto Networks expertise.

Prerequisites
  • Basic TCP/IP networking knowledge (OSI model, IP addressing, routing concepts)
  • Familiarity with firewall concepts (zones, policies, NAT)
  • Recommended 6+ months hands-on experience with PAN-OS

What you need to know

6 domains, 70 objectives.

PAN-OS Basics & Platform Management (20%)
Administrative interfaces, initial configuration, software management, and Panorama fundamentals.
  • Identify the functional components of PAN-OS (management plane, data plane, signature plane)
  • Access and navigate the PAN-OS Web UI (Device tab, Policies tab, Objects tab, Network tab)
  • Use the PAN-OS CLI operational and configuration modes (show, set, commit, rollback)
  • Perform initial firewall configuration (management IP, hostname, DNS, NTP, admin accounts)
  • Configure management profiles and restrict management access by source IP and interface
  • Upgrade PAN-OS software using the web UI and CLI (check, download, install, reboot)
  • Configure dynamic updates (Antivirus, Applications and Threats, WildFire, URL filtering)
  • Understand the Panorama management hierarchy (device groups, template stacks, managed devices)
  • Describe the purpose of configuration candidates and committed running configurations
  • Configure role-based administration (superuser, device admin, custom roles)
  • Configure syslog, SNMP traps, and email notification for alerts
  • Interpret system logs, traffic logs, threat logs, and URL filtering logs

Security Policy & Objects (20%)
Security policy rules, zones, address and service objects, application defaults, and rule ordering.
  • Define security zones (Layer 3, Layer 2, virtual wire, TAP, tunnel) and their purpose
  • Create and modify security policy rules (source zone/address, destination zone/address, application, service, action)
  • Explain how PAN-OS evaluates security policy rules (top-down, first-match)
  • Configure address objects (IP/netmask, IP range, FQDN, wildcard) and address groups
  • Configure service objects and service groups (custom TCP/UDP ports)
  • Configure application default and any service settings in security policy
  • Use application groups and application filters in security policy
  • Implement security policy best practices (most-specific rules at top, clean-up rule, deny logging)
  • Use rule tagging, rule descriptions, and audit comments for policy management
  • Understand intrazone and interzone default behaviours
  • Verify policy hits using traffic logs and policy rule usage statistics
  • Configure DoS protection rules and zone protection profiles

NAT Policy (15%)
Source NAT types, destination NAT, NAT policy ordering, and bidirectional NAT.
  • Explain the purpose and types of NAT in PAN-OS (source NAT, destination NAT, static NAT)
  • Configure dynamic IP-and-port (DIPP) source NAT for outbound internet access
  • Configure dynamic IP source NAT (no port translation) for a pool of public addresses
  • Configure static source NAT for fixed IP mapping
  • Configure destination NAT (port forwarding) using virtual IP objects
  • Explain NAT policy evaluation order and how NAT interacts with security policy
  • Configure bidirectional NAT for server publishing
  • Understand the relationship between pre-NAT IP addresses in security policy and post-NAT addresses
  • Verify and troubleshoot NAT policies using the CLI (test nat-policy-match)
  • Identify common NAT issues (hairpinning, U-turn NAT, asymmetric routing)

App-ID & Content-ID (20%)
Application identification engine, application objects, Content-ID profiles, and WildFire.
  • Describe how the App-ID engine classifies traffic (signatures, heuristics, protocol decoding)
  • Identify unknown applications in traffic logs and decide whether to allow, block, or create custom App-IDs
  • Create custom application signatures for internal or proprietary applications
  • Configure application groups and filters to simplify policy management
  • Describe the App-ID update process and the impact of new App-ID signatures on existing policy
  • Configure antivirus security profiles (file types, directions, WildFire action)
  • Configure anti-spyware security profiles (signatures, DNS sinkhole, exception handling)
  • Configure vulnerability protection profiles (threat exceptions, CVE severity-based actions)
  • Configure file blocking profiles (file types, direction, action)
  • Configure URL filtering profiles (category actions, safe search enforcement, credential theft detection)
  • Configure WildFire analysis profiles and verify WildFire verdict reporting
  • Attach security profiles directly to rules and via Security Profile Groups
  • Interpret threat logs to identify blocked or allowed threats

User-ID (15%)
User-ID agent, captive portal, group mapping, and IP-to-user mapping methods.
  • Describe the purpose of User-ID and the value of user-based policy enforcement
  • Configure the Windows-based User-ID agent to poll Active Directory Security event logs
  • Configure the PAN-OS integrated User-ID agent (agentless)
  • Enable and configure Captive Portal for user identification (web form, NTLM, certificate)
  • Configure group mapping from LDAP/Active Directory to use groups in security policy
  • Describe IP-to-user mapping methods (server monitoring, client probing, syslog, XFF)
  • Configure terminal server agent (TS agent) for Citrix/RDS environments
  • Include or exclude specific subnets from User-ID coverage
  • Verify User-ID mappings using the CLI (show user ip-user-mapping all)
  • Use usernames and groups as source in security policy rules
  • Understand the impact of User-ID on traffic logs and reporting

VPN & Decryption (10%)
GlobalProtect basics, IPsec tunnel configuration, and SSL/TLS decryption fundamentals.
  • Describe the GlobalProtect architecture (portal, gateway, agent, HIP)
  • Configure a basic GlobalProtect portal and gateway for remote access
  • Describe IPsec tunnel components (IKE phase 1/2, SA, SPI, ESP/AH)
  • Configure a site-to-site IPsec VPN tunnel (IKE crypto profile, IPsec crypto profile, tunnel interface)
  • Configure a static route or dynamic routing over an IPsec tunnel
  • Monitor and troubleshoot IPsec tunnels (show vpn ike-sa, show vpn ipsec-sa)
  • Describe SSL/TLS decryption modes (forward proxy, inbound inspection, no-decrypt)
  • Configure SSL forward proxy decryption for outbound HTTPS inspection
  • Configure SSL inbound inspection for protecting internal servers
  • Manage SSL decryption certificates (CA certificate, forward trust/untrust)
  • Create decryption policy rules and decryption profiles
  • Understand privacy considerations and certificate pinning exclusions for decryption

Study & Practice