Why Palo Alto Networks updated both exams for PAN-OS 11

PAN-OS 11.0 was a landmark release for Palo Alto Networks. It introduced machine-learning models running natively on the firewall data plane — a fundamental shift from signature-based threat detection to inline ML inference that classifies never-before-seen threats without a cloud lookup. PAN-OS 11.1 extended this with Advanced Threat Prevention v3, which applies deep learning models to encrypted traffic without decryption, and overhauled the Advanced DNS Security engine to detect DNS-based command-and-control at millisecond latency.

The previous exam versions, which described PAN-OS 10.x behaviour, could not adequately test these capabilities. An administrator managing a PAN-OS 11 environment without understanding how ML security profiles differ from traditional AV/anti-spyware profiles, or without knowing when inline cloud analysis is triggered versus on-device inference, is not prepared for the operational realities of modern Palo Alto deployments. The exam updates bring the testing content in line with what is actually running in production networks today.

Both PCNSA and PCNSE now have exam versions explicitly tied to PAN-OS 11.0/11.1. Legacy exam versions against PAN-OS 10.x software are still available at some testing centres during the transition window, but candidates beginning study in 2026 should target the PAN-OS 11 versions exclusively — the older version exams will be retired on a rolling basis as testing demand drops.

PCNSA vs PCNSE at a glance

PCNSA

Level: Administrator
Duration: 75 minutes
Questions: 75
Pass score: 70%
Cost: $175 USD
Validity: 2 years
Prerequisite: None
Experience: 6–12 months PAN-OS
Exam code: PCNSA

PCNSE

Level: Engineer
Duration: 80 minutes
Questions: 75
Pass score: 70%
Cost: $200 USD
Validity: 2 years
Prerequisite: None (PCNSA recommended)
Experience: 3+ years PAN-OS
Exam code: PCNSE

PCNSA: what the updated exam tests

The PCNSA exam is designed for network security administrators who work with Palo Alto Networks firewalls daily — configuring policies, monitoring logs, managing Security profiles, and keeping the environment operational. The updated exam covers six primary domains.

Domain 1 — Device Setup and Initial Configuration

Interface types (Layer 2, Layer 3, tap, virtual wire), initial management plane configuration, certificate management, admin role types (superuser, device admin, vsys admin), and high-availability fundamentals. The PAN-OS 11 update added content on the updated Web UI layout, new CLI syntax for ML security profile inspection, and management profile changes that affect cloud-delivered NGFW deployments. Candidates must understand how the management and data planes are separated and what each controls.

Domain 2 — Security Policy Fundamentals and App-ID

Security policy rule types (universal, intrazone, interzone), rule ordering, shadow rules, App-ID classification engine, application override policies, and dependent application handling. The updated exam adds ML-assisted App-ID, which uses on-device machine-learning models to identify applications not yet covered by signatures — a capability that requires candidates to understand when ML classification runs, how confidence thresholds affect allow/block decisions, and how to tune unknown-application policies without disrupting business-critical traffic.

Domain 3 — User-ID and Threat Prevention

User-ID agent configuration, group mapping, terminal server agents, and the updated Cloud Identity Engine integration (which replaced the older on-premise LDAP/AD connector model for cloud-hosted directories). Threat Prevention in PAN-OS 11 now includes three distinct layers: Anti-Spyware with Advanced Threat Prevention inline ML models, Antivirus with WildFire integration, and Advanced DNS Security. The exam tests configuring Security profiles for all three, understanding which threat types each addresses, and interpreting threat logs to distinguish between on-device ML detections and WildFire cloud verdicts.

Domain 4 — URL Filtering and Content-ID

PAN-DB URL category management, custom URL categories, Safe Search enforcement, credential theft prevention, and file blocking profiles. PAN-OS 11 introduced Advanced URL Filtering with inline ML classification — URLs that do not match PAN-DB receive an ML verdict rather than defaulting to “unknown.” The exam tests how Advanced URL Filtering interacts with the Security profile stack and how to configure exception handling for business-critical uncategorised sites without disabling ML enforcement globally.

Domain 5 — GlobalProtect and SSL/TLS Decryption

GlobalProtect gateway and portal configuration, HIP profiles, client certificate authentication, and split tunnel vs. full tunnel policies. SSL/TLS decryption profile types (forward proxy, inbound inspection, no-decrypt), certificate pinning exceptions, and the updated decryption broker functionality. The PCNSA update added ZTNA 2.0 awareness at the conceptual level — candidates must understand how GlobalProtect integrates with Prisma Access to deliver continuous trust verification, though deep Prisma Access configuration is deferred to the PCNSE.

Domain 6 — Logging, Monitoring, and Panorama Basics

Log forwarding profiles, syslog and HTTPS log forwarding, log types (traffic, threat, URL, WildFire submission, authentication), and basic Panorama device group and template management. The PAN-OS 11 update added content on the new AI-Ops for NGFW feature, which surfaces ML-driven best-practice recommendations directly in the Web UI. Candidates must understand how to review and act on AI-Ops findings, and how to distinguish AI-Ops advisory alerts from Panorama push failures in operational dashboards.

PCNSE: what the updated exam tests

The PCNSE covers the full PCNSA domain set at greater depth plus five additional engineering-level domains that PCNSA does not test. The distinction is not just complexity — PCNSE candidates are expected to design solutions, not just operate them. The exam includes scenario-based questions where the candidate must select the correct architectural approach from multiple plausible options, not just identify a correct configuration fact.

Advanced Deployment Architectures

ECMP and PBF-based traffic steering, VM-Series deployment on AWS and Azure (including auto-scaling groups with Panorama bootstrapping), CN-Series on Kubernetes, and Prisma SD-WAN integration with PAN-OS hub-and-spoke topologies. PAN-OS 11 added software-defined zone segmentation models that the PCNSE exam covers in architectural depth — candidates must understand when to use SD-WAN policy-based forwarding versus traditional static routing, how to integrate with BGP for branch site connectivity, and the operational differences between hardware-based PA-Series firewalls and VM-Series in elastic cloud environments.

High Availability and Redundancy

Active/passive and active/active HA pair configuration, HA link types (control, data, backup), session synchronisation, HA preemption and timer tuning, and failure detection thresholds. The PCNSE exam goes beyond configuration to test failure simulation scenarios: candidates must identify which HA state transitions occur when a specific link fails, what traffic is dropped versus resumed after failover, and how to recover from split-brain conditions without clearing sessions that would affect application continuity. Panorama HA configuration and managed collector group redundancy are also in scope.

Panorama at Scale

Panorama in management-only versus log collector mode, distributed log collection with log collector groups, Panorama template stacks (variables, overrides, inheritance order), device group hierarchies, and Panorama-managed cloud NGFWs. PAN-OS 11 introduced Panorama support for AI-Ops policy recommendations at scale — the PCNSE tests how to use Panorama to push AI-Ops-recommended Security profile changes across a multi-firewall estate without manual per-device intervention. Template variables for dynamic address and interface binding are heavily tested in the scaling scenarios.

Troubleshooting Methodology

Packet capture (stages: firewall, drop, transmit, receive), session table inspection, routing table debugging, NAT policy verification, and the test security policy and test NAT policy CLI commands. The PCNSE exam presents multi-hop troubleshooting scenarios where a packet traverses a NAT rule, a Security policy, and an SSL decryption policy before being dropped — candidates must sequence the diagnostic steps correctly and identify which component is the source of the drop from log evidence alone. WildFire submission failures, Panorama push failures, and HA synchronisation errors are also explicitly tested troubleshooting scenarios.

ZTNA 2.0 and Prisma Access Integration

This domain is new to the PAN-OS 11 version of the PCNSE and reflects the central role that Zero Trust Network Access has taken in enterprise firewall design. Candidates must understand how ZTNA 2.0 differs from ZTNA 1.0 — continuous trust verification throughout the session versus one-time verification at connection establishment — and how Prisma Access delivers this capability via GlobalProtect infrastructure. The exam tests designing ZTNA 2.0 policies for application segments, configuring Prisma Access mobile users through Panorama, and integrating Cloud Identity Engine for identity-based access decisions in environments with multiple identity providers.

What changed between PAN-OS 10 and PAN-OS 11 exam versions

Candidates who prepared for PCNSA or PCNSE against PAN-OS 10 study material will find approximately 60–70% of the underlying knowledge transferable. The App-ID engine, Security policy fundamentals, NAT types, and Panorama device group model have not changed conceptually. The areas requiring fresh study are:

Plan for 20–30 additional study hours if you have PAN-OS 10.x experience and are transitioning to the PAN-OS 11 exam versions. The operational core is familiar, but the ML security layer and ZTNA 2.0 architecture require hands-on lab time — they do not map cleanly to any earlier Palo Alto Networks concept.

The Palo Alto Networks certification path

PCNSA and PCNSE sit at the base of the Palo Alto Networks practitioner path. Beyond them, the program branches into specialist credentials for cloud, SASE, and SOC use cases.

PCNSA: Administrator credential — day-to-day firewall operations, Security profiles, policy management
PCNSE: Engineer credential — design, deploy, troubleshoot at scale; recommended prerequisite: PCNSA
PCCSE: Cloud Security Engineer — Prisma Cloud CSPM, CWPP, CAS; prerequisite: PCNSE recommended
PCSAE: SASE specialist — Prisma Access, SD-WAN, Cortex XSOAR; separate track from PCNSE

Neither PCCSE nor PCSAE requires PCNSE as a formal prerequisite, but Palo Alto Networks recommends PCNSE as preparation for PCCSE — the cloud security engineer exam assumes PAN-OS firewall literacy as background knowledge, not as testable content. PCSAE candidates who do not hold PCNSE are advised to complete the official SASE training course before sitting the exam.

Renewal: how two-year validity works in practice

Both PCNSA and PCNSE are valid for two years from the date of passing. Renewal before expiry requires either retaking the exam or completing a specified set of Palo Alto Networks continuing education credits through the official education portal. The credits pathway was introduced to reduce the burden on experienced engineers who are current with PAN-OS developments through their work but find the prospect of resitting a 75-question exam every two years disproportionate to their skill level.

Palo Alto Networks has not announced a grace period or extension policy for expired credentials. An expired PCNSA or PCNSE must be retaken from scratch — there is no reduced-scope renewal exam. Engineers who let their PCNSE lapse and attempt to re-certify against the current PAN-OS 11 exam version should plan for 40–60 hours of preparation if they have remained current with PAN-OS through their work, and 80–100 hours if they have spent time outside of Palo Alto Networks environments.

Who should prioritise PCNSA vs PCNSE in 2026

Network security administrators working inside Palo Alto Networks environments — applying policy changes, reviewing threat logs, managing GlobalProtect users, and responding to WildFire verdicts — should target PCNSA first. The exam validates the operational competencies that define day-to-day firewall administration and is the appropriate entry point for professionals transitioning from other NGFW platforms (Cisco ASA, Fortinet FortiGate, Check Point) who need to demonstrate platform-specific competence to employers.

Security engineers who design network architectures, integrate Palo Alto firewalls with cloud platforms, manage Panorama estates of ten or more devices, or troubleshoot complex multi-domain policy interactions should target PCNSE. The exam is also the correct preparation credential for engineers moving into Palo Alto Networks professional services roles or joining MSSPs that manage Palo Alto environments for enterprise customers. In the MSSP market specifically, PCNSE has become a standard hiring bar for senior security engineers — many job descriptions list it alongside CISSP or CCNP Security as a required rather than preferred qualification.

Preparing for PCNSA or PCNSE in 2026

The official preparation resources are the Palo Alto Networks Beacon e-learning platform (free account required) and the paid instructor-led courses: EDU-110 (Firewall Essentials, 5-day) for PCNSA preparation, and EDU-310 (Firewall: Install, Configure, and Manage, 5-day) plus EDU-330 (Panorama: Managing Firewalls at Scale, 3-day) for PCNSE preparation. For hands-on lab practice, the Palo Alto Networks VM-Series trial licence (available on AWS Marketplace) allows candidates to spin up a full PAN-OS 11 firewall environment at no cost beyond AWS compute charges. The key lab exercises for PAN-OS 11 exam readiness are: configuring an ML-powered Anti-Spyware profile against a test threat source, setting up Cloud Identity Engine with a cloud LDAP directory, and enabling Advanced DNS Security with a DNS sinkhole policy. Practice tests on CertQuests cover both PCNSA and PCNSE domain content, including PAN-OS 11 question sets added in the recent refresh.
