Palo Alto Networks

PCNSE

Palo Alto Networks Certified Security Engineer

Professional PCNSE Content Available

The premier Palo Alto Networks certification for security engineers and architects.

Exam Code: PCNSE
Duration: 80 minutes
Questions: 75
Passing Score: Determined by Pearson VUE
Validity: 2 years
Exam Cost: $175 USD

About PCNSE

The Palo Alto Networks Certified Security Engineer (PCNSE) is the professional-level certification that validates deep technical expertise across the full Palo Alto Networks Security Operating Platform. It tests the ability to design, deploy, configure, maintain, and troubleshoot the vast majority of Palo Alto Networks implementations — including complex enterprise, data centre, and service provider scenarios. Unlike the entry-level PCNSA, the PCNSE covers advanced topics including high availability design, Panorama management at scale, large-scale GlobalProtect VPN deployments, WildFire integration, SSL/TLS decryption architectures, advanced threat prevention, and Cortex Data Lake log forwarding. Engineers who pass the PCNSE are recognised as subject-matter experts capable of leading complex security projects. The PCNSE is the target certification for senior firewall engineers, security architects, pre-sales and post-sales engineers, and managed security service provider (MSSP) staff who work with Palo Alto Networks technology daily.

Prerequisites
  • PCNSA (recommended, not mandatory)
  • Minimum 3 years hands-on experience with PAN-OS in production environments
  • Strong understanding of networking (routing, switching, NAT, VPN)

What you need to know

6 domains, 77 objectives.

🔥
Core Concepts & Architecture
PAN-OS architecture, high availability design, Panorama hierarchy, logging, and monitoring.
Weight: 15%
  • Describe the PAN-OS architecture (management plane, data plane, signature plane, offload cards)
  • Explain how PAN-OS processes traffic (flow logic, App-ID, Content-ID, User-ID pipeline)
  • Configure and verify active/passive HA (HA1, HA2, HA3 links, election, failover)
  • Configure and verify active/active HA (floating IP, session owner, session setup)
  • Describe HA failure conditions and preemption behaviour
  • Configure Panorama in a high availability pair
  • Describe Panorama device groups and template stacks and their inheritance model
  • Configure log forwarding profiles (syslog, HTTP, email, SNMP, Panorama forwarding)
  • Configure SNMP v2c and v3 for network management systems
  • Interpret system health metrics (CPU, memory, session table, dataplane utilisation)
  • Describe Cortex Data Lake and cloud-based log forwarding architecture
  • Use the ACC (Application Command Centre) and interactive log viewer for investigations
🌐
Deployment & Interface Configuration
Interface types, routing protocols, virtual routers, zones, and security profile attachment.
Weight: 20%
  • Configure Layer 3 interfaces (IP address, MTU, link state, management profile)
  • Configure Layer 2 interfaces and VLAN objects for transparent bridging
  • Configure virtual wire interfaces for inline bump-in-the-wire deployments
  • Configure TAP interfaces for passive monitoring (SPAN/mirror)
  • Configure subinterfaces (Layer 2 and Layer 3) with 802.1Q VLAN tags
  • Configure loopback interfaces for management and routing purposes
  • Configure aggregate ethernet (AE) interfaces for link aggregation
  • Configure virtual routers and understand the separation between routing domains
  • Configure static routes with administrative distance, path monitoring, and BFD
  • Configure OSPF on PAN-OS (areas, neighbor authentication, stub areas, redistribution)
  • Configure BGP on PAN-OS (eBGP/iBGP, peer groups, route filtering, aggregation)
  • Configure Policy-Based Forwarding (PBF) rules for traffic steering
  • Configure inter-VLAN routing and describe its interaction with security policy
  • Configure DHCP server, relay, and client on PAN-OS interfaces
🛡️
Security Policy & Objects (Advanced)
Advanced policy design, policy optimisation, DoS protection, and Security Profile Groups.
Weight: 20%
  • Design security policy for multi-zone enterprise deployments
  • Use Policy Optimiser to convert application-any rules to application-specific rules
  • Configure Security Profile Groups and attach to multiple security rules efficiently
  • Configure zone protection profiles (flood protection, reconnaissance detection, packet-based attack prevention)
  • Configure DoS protection profiles and DoS protection policy rules
  • Configure application overrides for non-standard port applications
  • Use custom Application-IDs (App-ID) and custom signatures for proprietary traffic
  • Configure address objects (IP/netmask, FQDN, range, wildcard) and dynamic address groups
  • Configure external dynamic lists (EDLs) for IP, URL, and domain-based blocking
  • Implement security policy auditing and change management procedures
  • Configure pre-rules and post-rules in Panorama for centralised policy enforcement
  • Configure service objects, service groups, and application-default vs explicit service matching
  • Understand how Log Forwarding Profiles attach to security rules for selective log export
🔐
Advanced Security Features
SSL/TLS decryption architecture, WildFire cloud and appliance, GlobalProtect large-scale VPN.
Weight: 20%
  • Design and configure SSL forward proxy decryption for outbound HTTPS inspection
  • Design and configure SSL inbound inspection for published HTTPS servers
  • Configure no-decrypt rules for certificate-pinned and privacy-sensitive traffic
  • Manage the SSL decryption certificate lifecycle (forward trust CA, forward untrust CA, server certs)
  • Configure decryption profiles (protocol versions, cipher suites, certificate verification)
  • Troubleshoot SSL decryption issues (certificate errors, pinned certs, missing CA chains)
  • Describe WildFire architecture (public cloud, private cloud WF-500 appliance, hybrid)
  • Configure WildFire submission profiles and analysis settings
  • Interpret WildFire verdicts and configure automatic signature updates
  • Configure GlobalProtect portal, gateways, and agent configuration profiles
  • Configure satellite VPN for large-scale site-to-site GlobalProtect
  • Configure split-tunnel and full-tunnel configurations in GlobalProtect
  • Configure HIP (Host Information Profile) checks for endpoint compliance enforcement
  • Configure pre-logon and always-on GlobalProtect connection methods
  • Troubleshoot GlobalProtect connectivity using logs and debug commands
⚠️
Threat Prevention
Advanced antivirus, anti-spyware, vulnerability protection signatures, DNS Security, and URL filtering.
Weight: 15%
  • Configure advanced antivirus with machine-learning based detection
  • Create custom anti-spyware signatures using the signature editor
  • Create custom vulnerability protection signatures for internal applications
  • Configure DNS Security for real-time DNS sinkholing and DGA detection
  • Configure URL Filtering profiles with custom URL categories and credential theft detection
  • Configure data filtering profiles for PII and sensitive data detection
  • Configure file blocking profiles with granular MIME-type and file extension control
  • Interpret threat logs to identify lateral movement, C2 callbacks, and exploitation attempts
  • Configure Threat Prevention exception rules with appropriate logging and actions
  • Describe and configure GlobalProtect for HIP-based threat response
  • Configure packet capture on the firewall for threat investigation
  • Understand the relationship between threat signature severity and recommended actions
📊
Panorama & Logging
Panorama device groups, template stacks, log collection, log forwarding profiles, and Cortex Data Lake.
Weight: 10%
  • Configure Panorama device groups for centralised policy management
  • Configure Panorama templates and template stacks for device configuration push
  • Override template settings at the device level and manage variable substitution
  • Configure Panorama log collection (local and Dedicated Log Collectors)
  • Configure log forwarding from Panorama to external SIEM, syslog, and HTTP destinations
  • Use Panorama for software updates, content updates, and license management at scale
  • Configure Cortex Data Lake onboarding and log forwarding from managed firewalls
  • Use Panorama ACC (Application Command Centre) for enterprise-wide traffic visibility
  • Configure Panorama administrator roles and access domains
  • Perform a Panorama commit-and-push operation and interpret push status
  • Troubleshoot Panorama connectivity issues (managed device status, log collection)

Study & Practice