Palo Alto Networks · 2026 Edition
A complete preparation guide written by Palo Alto Networks-certified engineers. Covers the exam format, all 8 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Exam code: PCNSA
Full name: Palo Alto Networks Certified Network Security Administrator
Vendor: Palo Alto Networks
Difficulty: Intermediate
Duration: 80 minutes
Questions: 80 items
Passing score: 700/1000 (scaled)
Domains covered: 8 blueprint domains
Recommended experience: Familiarity with networking fundamentals and basic firewall concepts; no formal prerequisites
Typical prep time: 2–3 months
PCNSA (Palo Alto Networks Certified Network Security Administrator) validates the ability to deploy, configure, and manage Palo Alto Networks next-generation firewalls. It is the entry point for the Palo Alto certification path and is required for many NGFW administrator roles.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Weeks 1–3
Platform Architecture: PAN-OS overview, management plane, data plane, interface types
Tip: Know the Palo Alto NGFW traffic processing order: ingress → decryption (if SSL inspection enabled) → App-ID → User-ID → Content-ID → security policy match → egress. App-ID identifies the application regardless of port and protocol — this is what makes PAN-OS a next-generation firewall.
Weeks 4–6
Security Policies and NAT: rule types, App-ID, User-ID, service objects, NAT policy
Tip: Security policy evaluation order matters on PAN-OS: rules are evaluated top-to-bottom, first match wins. Know the rule components: Source Zone, Source Address, Source User (User-ID), Destination Zone, Destination Address, Application (App-ID), Service (port), and Action (Allow/Deny). Know that the 'any' application with 'application-default' service is not the same as 'any' application with 'any' service.
Weeks 7–9
Security Profiles: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire
Tip: Security profiles are attached to allow rules to inspect traffic after the policy permits it. Know what each profile type inspects: Antivirus (malware in files), Anti-Spyware (command-and-control traffic, DNS sinkholing), Vulnerability Protection (exploits against known CVEs), URL Filtering (web categories), File Blocking (specific file types), WildFire (unknown files sent to cloud sandbox).
Weeks 10–12
VPN, GlobalProtect, SSL Decryption, and Logging
Tip: GlobalProtect is Palo Alto's VPN solution. Know the GlobalProtect components: Gateway (the firewall that connects clients), Portal (provides configuration to clients, single hostname users connect to), App (client software). Know the difference between pre-logon, user-logon, and on-demand connection methods.
The PCNSA exam covers PAN-OS 10.1 or later (verify the current version before your exam). Know how to navigate Panorama vs the local firewall management interface — they look similar but Panorama manages multiple devices centrally.
App-ID application signatures are the foundation of PAN-OS security. Know that App-ID identifies applications based on behavioural signatures (not just port/protocol), that applications can be unknown initially and get identified as more traffic is seen, and that you can allow unknown TCP/UDP traffic using a specific App-ID policy action.
Zones are the fundamental security construct on PAN-OS. Know that traffic must cross a zone boundary to be inspected by a security policy — traffic within the same zone is not inspected by default. The 'intrazone-default' rule permits all same-zone traffic; the 'interzone-default' rule denies all cross-zone traffic not matched by a user-defined rule.
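The first-match evaluation from the Weeks 4–6 tip and the two default rules described above can be modelled in a few lines. This is an added example, not Palo Alto Networks code or part of the original guide; the rule names, the `Session` fields and the default-port table are constructed for illustration and simplify what PAN-OS does.

```python
from dataclasses import dataclass

# Constructed sample table; the real default ports come from the App-ID database.
APP_DEFAULT_PORTS = {"web-browsing": {("tcp", 80)}, "ssl": {("tcp", 443)},
                     "dns": {("tcp", 53), ("udp", 53)}}

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    application: str  # App-ID name or "any"
    service: str      # "any", "application-default" or "proto/port"
    action: str       # "allow" or "deny"

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    application: str
    proto: str
    port: int

def service_matches(rule, s):
    if rule.service == "application-default":
        # Only the identified application's own default ports match.
        return (s.proto, s.port) in APP_DEFAULT_PORTS.get(s.application, set())
    return rule.service in ("any", f"{s.proto}/{s.port}")

def rule_matches(rule, s):
    return (rule.src_zone in ("any", s.src_zone)
            and rule.dst_zone in ("any", s.dst_zone)
            and rule.application in ("any", s.application)
            and service_matches(rule, s))

def evaluate(rulebase, s):
    """Return (rule name, action): top to bottom, first match wins."""
    for rule in rulebase:
        if rule_matches(rule, s):
            return rule.name, rule.action
    # Nothing matched: fall through to the two predefined default rules.
    if s.src_zone == s.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

RULEBASE = [  # constructed rulebase, hypothetical rule names
    Rule("block-dns-out", "trust", "untrust", "dns", "any", "deny"),
    Rule("allow-default-ports", "trust", "untrust", "any", "application-default", "allow"),
]
```

With this rulebase, web-browsing on tcp/8080 from trust to untrust falls through to interzone-default, while the same session is allowed once a rule with application 'any' and service 'any' is appended.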
Log Forwarding profiles are tested on PCNSA: know how to configure a log forwarding profile to send traffic, threat, and URL logs to Panorama, a syslog server, or an email alert. Know that log forwarding must be attached to a security policy rule to take effect — a global log forwarding profile does not exist in PAN-OS.
PCNSA is valid for 2 years. It can be renewed by passing the PCNSA exam again or by passing the PCNSE exam (which automatically renews PCNSA). Palo Alto offers free digital badges for PCNSA holders through Credly.
Deep-dive explanations of the key topics tested on PCNSA — with exam key points and common misconceptions.