What is the PCNSA?
The PCNSA stands for Palo Alto Networks Certified Network Security Administrator. This is a mid-level exam provided by Palo Alto that covers the following topics:
- Security Platform and Architecture
- Initial Configuration
- Interface Configuration
- Security and NAT Policies
- App-ID™
- Content-ID™
- URL Filtering
- Decryption
- WildFire™
- User-ID™
- GlobalProtect™
- Site-to-Site VPN
- Monitoring and Reporting
- Active/Passive High Availability
- Next-Generation Security Practices
Someone who completes the PCNSA is prepared to operate Palo Alto firewalls to protect against common threats. The test also covers the core features of the firewall so you can deep dive into the areas that apply specifically to your environment.
The exam I took was taken online and proctored by Pearson Vue. The test includes a combination of multiple choice, ordering questions, and matching.
How did I Prepare?
I had never touched a Palo Alto before, but I received an opportunity to take the Palo Alto Networks: Firewall 9.1: Optimizing Firewall Threat Prevention (EDU-214) course and took it willingly. This course covered some really interesting topics and was quite simple compared to similar features provided with ASA + FirePOWER.
In Person Training
The course covered:
- Module 1: The Cyber-Attack Lifecycle
- Module 2: Blocking Packet and Protocol-Based Attacks
- Module 3: Blocking Threats from Known-Bad Sources
- Module 4: Blocking Threats Using App-ID™
- Module 5: Blocking Threats Using Custom Applications
- Module 6: Creating Custom Threat Signatures
- Module 7: Blocking Threats in Encrypted Traffic
- Module 8: Blocking Threats in Allowed Traffic
- Module 9: Blocking Threats from Stolen Credentials
- Module 10: Viewing Threat and Traffic Information
The course was 4 days of hands-on training within a lab environment. This was a great experience, but it definitely isn’t required to pass the PCNSA.
After the training I looked at the certifications offered by Palo Alto and decided to knock out the PCNSA. I scheduled the test for 2 weeks from the training so I could get through the material.
On Demand Training
Palo Alto offers “ALMOST” everything you need to pass with just an account within the Learning Center found at https://education.paloaltonetworks.com/learnincenter.
Once logged in, search for “pcnsa”.
Here you will find the Official Study Guide for a version behind the currently offered test; my test was for 9.1 and the study guide was 9.0. I downloaded the PDF and built out a study plan. With 2 weeks before the exam I had to get through 15 pages of the study guide per day.
Hands-on Training
Great, that covers the topics of the test. Now I need to get my hands on a Palo Alto firewall. I started looking for a downloadable VM for GNS3, but stumbled upon the AWS Marketplace.
AWS allowed a 15-day free trial for the Palo Alto licensing, so I would just have to pay for the EC2 instance running the software. This gave me a fully licensed Palo Alto firewall to power up, work through some hands-on labs, then power off when I was finished.
I built out a small test environment with one EC2 instance in the internal zone and one EC2 instance in the DMZ for testing. This allowed me to build out security profiles and policies to test access control and alerting.
Before powering on all 3 EC2 instances, I made a plan of what features I would be testing so I could get through the material quickly and efficiently.
Practice Test
Palo Alto offers a free practice test for the PCNSA also located at https://education.paloaltonetworks.com/learning. The practice test can only be taken once and includes 40 practice questions.
I would recommend taking screenshots of the test as you go through the questions so you can go back and review. Upon test completion you are given your score, but with no answers to the questions.
I got an 83% on the practice test so I was feeling good going into the exam.
Exam Day
I have taken many certification tests through Pearson Vue, but this was my first online experience. I decided not to study the night before, and just get as much sleep as possible.
I got up early the day of the exam and logged into the Pearson Vue testing site. The first step was a web application that tested to ensure my webcam, internet speed and microphone met the requirements. Next, Pearson Vue had me take pictures of my identity and all angles of my home office where I would be taking the exam.
Fifteen minutes before the exam was scheduled to start I was able to begin the test, which allowed me to download the Pearson Vue OnVue software. This software ensures the test taker cannot access other applications on the machine during the exam (who knows what else it monitors).
Once I had started the software, a chat window popped up with the proctor, who called me on my test-taking machine. He asked me to ensure no mobile devices were within arm's reach and to remove my hat during the test.
The exam was straightforward and I felt prepared with the training I had done. All the questions seemed to be covered in the material provided from Palo Alto.
After finishing the test, I reviewed the few questions I had flagged and submitted the exam.
Results
PASS!
Shortly after completing the exam I received an email with my results broken down into topics.
| Domain | Percentage Correct |
| --- | --- |
| Palo Alto Networks Security Operating Platform Core Components | 100 |
| Simply Passing Traffic | 83 |
| Traffic Visibility | 70 |
| Securing Traffic | 56 |
| Identifying Users | 100 |
| Deployment Optimization | 100 |
Conclusion
Overall I feel the PCNSA experience has prepared me to secure north-south and east-west traffic for an organization. I also feel more prepared to replace currently implemented firewalls with Palo Alto equipment. I recommend that any current Cisco ASA + FirePOWER users check out how Palo Alto firewalls compare. Go take the PCNSA if you get the chance, and until next time, stay safe in the Trenches of IT!