Yesterday, I passed the PCNSA exam.
I previously did the PCCSA/PCCET exam, which was more of a general overview about security concepts and the Palo Alto product range. By contrast, the PCNSA is more practical, so it’s aimed at people who do hands-on tasks with a Palo Alto firewall. In particular, it’s mostly focussed on PAN-OS, with a bit of Panorama; the other cloud-based services (e.g. Prisma) have separate certifications.
Training
In the past, there were 2 ways to prepare for the exam: you could do an instructor-led course (EDU-210, paid) or self-paced online training (EDU-110, free). However, I don’t think that EDU-110 exists anymore. Instead, there’s a page at Beacon with a set of modules:
Palo Alto Networks Certified Network Security Administrator (PCNSA) : Beacon
There are 9 modules for the NGFW and 3 for Panorama. Interestingly, there’s an identical list of modules for the PCNSE course:
Palo Alto Networks Certified Network Security Engineer (PCNSE) : Beacon
Looking at the main page for the PCNSA certification, the first link goes to the Beacon collection, then there are 9 links to the NGFW modules, but no links to the Panorama modules. By contrast, the main page for the PCNSE certification has links to the corresponding Beacon collection, the 9 NGFW modules, and the 3 Panorama modules.
Personally, I did all the NGFW modules, but I skipped the Panorama modules. (Or rather, I’ve postponed them for now.) I don’t think they’re necessary for the PCNSA exam, but I do have prior experience using Panorama.
The estimated duration varies between 25 mins and 2 hours for most of the modules; “Introduction to Firewall Management Through Panorama” is the outlier, with 11 modules that vary between 30 mins and 1.5 hours (9 hours in total). If this material is new to you, I’d suggest doing 1 module per day, to help you retain it. If you’re familiar with it all already, you can “test out” of each module, i.e. skip the text/videos and go straight to the assessment.
I also used this playlist by Astrit Kranniqi. That seems to be a partial copy of his Udemy course (which no longer exists), e.g. it jumps from 2.3 to 2.7. So, it won’t cover everything you need to know, but it’s a good way to supplement the Beacon modules. He has also done a PCNSA practice exam at Udemy, but I haven’t used it so I can’t comment on the quality.
After that, I read through the study guide (121 page pdf). There are sample questions at the end of each chapter (corresponding to that domain), but some of them ask about details which aren’t in the pdf. There are references at the end of each section, with hyperlinks to the documentation on the Palo Alto website, i.e. that’s where you can go to read about the concepts in more depth.
At the time of writing, the exam covers PAN-OS 11.0 (released in Nov 2022), and the study guide has been updated to reflect that. However, the Beacon modules use version 10.x, and Astrit Kranniqi’s course uses version 9.x. Most of that material is still relevant, but I’d suggest looking at this page:
What’s New in PAN-OS 11.0 Nova – Palo Alto Networks
Finally, I did the practice exam at Beacon. Overall, it took me about a week to prepare for the exam.
Exam
At the time of writing, the PCNSA exam costs $186 ($155 + VAT), which is roughly equal to £150. If you want to get it a bit cheaper, and you’re flexible about the date, I recommend following this page on LinkedIn:
Palo Alto Networks Education Services: Overview | LinkedIn
NB That’s separate to the main Palo Alto Networks page, and it’s specifically for training/certification. They have “flash sales” a few times each year, with exam voucher discounts that range from 30% to 50%.
According to the study guide, there will be 60-75 questions in 80 minutes. In my case, I had 70 questions, but that number might be different for other people. I’m guessing that they put in a few “beta” questions (which don’t count towards the score); I certainly hope so, because one of my questions was incoherent (which I mentioned in the post-exam survey). Also, some questions will take longer than others, particularly if you have to examine a large screenshot.
Speaking of screenshots, you might need to scroll left and right (as well as up and down) to see the full image. The test software will stop you if you try to move to the next question without scrolling to all 4 corners of the screen. That’s a useful feature on your first pass, because you might otherwise miss some vital information. However, it’s a bit of a nuisance when you’re reviewing your answers and you just want to click “Next”.
It took me 55 minutes to do my first pass, then another 22 minutes to review my answers, so I ended the exam with 3 minutes left on the clock. Based on that, I think the top priority is to answer every question. If you’re not sure, just take a guess, mark it for review, and move on.
On the whole, I think that it was a fair exam, and you will certainly benefit from hands-on experience (rather than just reading/watching the study material). I think that someone who passes this is qualified to handle day-to-day operations on a Palo Alto firewall.
I’d like to see a simulator in the exam to supplement the multiple-choice questions, e.g. “create a new authentication profile”. However, I assume that this is more difficult to implement (e.g. if it requires a virtual machine).
Results
After the exam, I did the survey, then it displayed my result on screen. (This is a simple pass/fail.) I then got a print-out of my score report from the test centre, and Pearson Vue sent me an email an hour later to say that I could download the same report from their website.
The score report shows the percentage of questions that you answered correctly in each of the 4 domains. It doesn’t show your overall score, but you can combine the percentage correct with the weightings. E.g. I got 94% of the questions correct for Policy Evaluation and Management, and that domain is weighted at 28% of the exam, so that added 26.32% to my score.
I’m not sure of the exact pass mark. Some people have said that it’s 70%, but I can’t see that listed on the Palo Alto website anywhere. If you do the practice exam at Beacon, the pass mark is 80%, and I think that’s a good threshold to aim for.
I then checked the CertMetrics site, which didn’t have any mention of the exam or certification. There’s a note on the website:
“Exams are imported during regular business hours. After completing an exam, allow 5 business days for it to appear here.”
5 days seems a bit excessive in the modern world, but as it turned out I didn’t have to wait that long. I received an email from Credly this morning (about 18 hours after I finished the exam), notifying me that I have a new digital badge. I then checked the CertMetrics site again, and I saw my exam/certification there, so I was able to download my certificate as a pdf.
NB This exam also renewed my PCCET, so I downloaded a new copy of that certificate too (which shows the new expiry date).
Update: I received 2 emails from Palo Alto Networks in the evening (about 10 hours after the email from Credly), asking me to log into the CertMetrics site to see my exam result. So, everything trickled through in the end.