
PALO ALTO NETWORKS

PCNSC
STUDY GUIDE

Palo Alto Networks, Inc.


April 2021
www.paloaltonetworks.com
© 2017-2021 Palo Alto Networks – all rights reserved.
Aperture, AutoFocus, GlobalProtect, Palo Alto Networks, PAN-OS, Panorama, Traps, and WildFire are trademarks of Palo Alto Networks, Inc. All other
trademarks are the property of their respective owners.

PALO ALTO NETWORKS CERTIFIED NETWORK SECURITY CONSULTANT STUDY GUIDE 2


Table of Contents
Palo Alto Networks PCNSC Study Guide
  Overview
  Prerequisites
  Exam Format
  How to Take This Exam
  Preparation Resources
  CPSP Program
Exam Domains and Objectives
  1 Design and Architecture of Advanced Panorama and Firewalls
    1.1 Discover customer requirements
    1.2 Determine the proper platform and subscriptions
    1.3 Develop an implementation plan
    1.4 Identify the best practices that allow for functionality and scalability
  2 Migration Techniques
    2.1 Install, maintain, and upgrade Expedition
    2.2 Determine Expedition prerequisites
    2.3 Leverage Expedition to complete the migration
    2.4 Use the appropriate tools to convert a security policy to an advanced policy
    2.5 Export device configuration from Expedition
  3 Implementation of Advanced Features
    3.1 Design and Implement User-ID
    3.2 Design and implement SSL decryption
    3.3 Design and Implement App-ID
    3.4 Design and implement content filtering and threat prevention
  4 Advanced Networking
    4.1 Determine connectivity requirements
    4.2 Based on the requirements, construct routing topology
    4.3 Deploy IPSec
    4.4 Configure aggregate interfaces
  5 Advanced Troubleshooting
    5.1 Given a scenario, troubleshoot issues with dynamic routing
    5.2 Given a scenario, troubleshoot User-ID
    5.3 Given a scenario, troubleshoot SSL Decryption
    5.4 Given a scenario, troubleshoot Panorama
    5.5 Given a scenario, troubleshoot Firewalls



Palo Alto Networks PCNSC Study Guide
Welcome to the Palo Alto Networks PCNSC Study Guide. The purpose of this guide is to help
you prepare for your Palo Alto Networks® Certified Network Security Consultant (PCNSC)
exam and achieve your PCNSC credential.

Overview
The PCNSC program is a formal, third-party-proctored certification for security consultants of
Palo Alto Networks and partners of Palo Alto Networks. Success on the PCNSC exam shows
that you possess the in-depth skills and knowledge to migrate data, deliver professional services,
and demonstrate the highest standard of deployment methodology and operational best practices
associated with the Palo Alto Networks Next-Generation Firewall. The exam is not intended to
trick you with its questions or test obscure detail. However, a nuanced understanding, and the
ability gained through significant experience to make subtle technical distinctions, will help you
make better answer choices.

Prerequisites
• You have passed the Palo Alto Networks Certified Network Security Engineer (PCNSE) exam.
• You have completed the Palo Alto Networks Transformation Level Services (TLS) workshop or
the Palo Alto Networks Professional Services Academy.

Exam Format
The test format is 50 multiple-choice items. Candidates will have five minutes to complete the
non-disclosure agreement (NDA), 70 minutes (1 hour, 10 minutes) to complete the questions,
and five minutes to complete a survey at the end of the exam.
The approximate distribution of items by topic (Exam Domain) and topic weightings are as
follows:

Exam Domain                                                   Weight (%)
Design and Architecture of Advanced Panorama and Firewalls    24%
Migration Techniques                                          18%
Implementation of Advanced Features                           24%
Advanced Networking                                           16%
Advanced Troubleshooting                                      18%
Total                                                         100%

This exam is based on PAN-OS® 10.0.



How to Take This Exam
This exam is by invitation only.

Preparation Resources
The document is a compilation of key resources to guide exam preparation. These resources
cover the material designated by the exam objectives. To study efficiently, focus on the
suggested topics listed for each resource. Be sure that you have a clear and complete
understanding of these topics before taking the exam.

CPSP Program
The PCNSC certification is one of the requirements for partners participating in the Certified
Professional Services Partner (CPSP) Program. For more detailed information about this
program, visit our program page: CPSP Program. This link takes you to a page that displays this
banner.



Exam Domains and Objectives
1 Design and Architecture of Advanced Panorama and Firewalls
1.1 Discover customer requirements

Access domains in Panorama:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/role-based-access-control/access-domains.html

Using access domains to define access in device groups and templates:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/set-up-administrative-access-to-panorama/configure-an-access-domain.html

Using Panorama to redistribute data:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/user-id-redistribution-using-panorama.html

Complete discussion of centralized logging support and reporting:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/centralized-logging-and-reporting.html

Panorama use of templates in managing firewalls:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks.html

Panorama use of device groups in managing firewalls:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups.html

Security, NAT, and policy-based forwarding rules tests on the CLI:
• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQSCA0

Policy match and connectivity tests from the firewall GUI:
• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNaKCAW

Role-based access control in firewall administration:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/manage-firewall-administrators.html



Panorama communication requirements:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-panorama.html

1.2 Determine the proper platform and subscriptions

Subscription to use with firewall:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/subscriptions/all-subscriptions.html#idcaa6fc0b-3d53-4870-884d-a00d474bf98e

Activating subscription licenses:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/subscriptions/activate-subscription-licenses.html#ide86db26b-258b-421f-9328-7aba83e734d4

What to do when license expires:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/subscriptions/what-happens-when-licenses-expire.html#id4a1e6e0b-1ea4-48e7-952a-ad551183d726

Enhanced application for cloud services:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/subscriptions/enhanced-application-logs.html#id1844CJ00Q9F

1.3 Develop an implementation plan

Authentication:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication

Planning a Panorama deployment:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/panorama-overview/plan-your-panorama-deployment.html

1.4 Identify the best practices that allow for functionality and scalability

Best practices for securing administrative access:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/getting-started/best-practices-for-securing-administrative-access.html

2 Migration Techniques
2.1 Install, maintain, and upgrade Expedition

Migrating port-based Security policy to PAN-OS using Expedition:
• https://docs.paloaltonetworks.com/best-practices/10-0/best-practices-for-migrating-to-application-based-policy/best-practices-for-migrating-to-application-based-policy/migrate-a-port-based-policy-to-pan-os-using-expedition.html

2.2 Determine Expedition prerequisites

Migrate from an M-Series appliance to a Panorama virtual appliance:



• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/transition-to-a-different-panorama-model/migrate-from-an-m-series-appliance-to-a-panorama-virtual-appliance

Migrate a Panorama virtual appliance to a different hypervisor:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/transition-to-a-different-panorama-model/migrate-a-panorama-virtual-appliance-to-a-different-hypervisor.html

Migrate from a Panorama virtual appliance to an M-Series appliance:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/transition-to-a-different-panorama-model/migrate-from-a-panorama-virtual-appliance-to-an-m-series-appliance.html

2.3 Leverage Expedition to complete the migration

Using Expedition for services to App-ID conversions (see the “Replace Services by App-ID” section):
• https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-User-Guide-v1-2/ta-p/285157

2.4 Use the appropriate tools to convert a security policy to an advanced policy

Panorama and local Security policy hierarchy:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CljVCAS

Security policy resource list:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgACAS

2.5 Export device configuration from Expedition

Expedition export:
• https://live.paloaltonetworks.com/t5/expedition-discussions/expedition-panorama-config-export/m-p/321935#M2479

3 Implementation of Advanced Features


3.1 Design and Implement User-ID

Resource list for configuring and troubleshooting User-ID:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

Creating custom LDAP groups:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ1CAK

List of all user mapping options within PAN-OS:



• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-concepts/user-mapping.html

Overview of users-to-groups mapping:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-concepts/group-mapping.html

Discussion of User-ID, including the benefits:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-overview.html

Complete implementation review, with requirements for each step:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/enable-user-id.html

Implementing the PAN-OS integrated User-ID agent:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-pan-os-integrated-user-id-agent.html

Implementing the Windows User-ID agent:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-mapping-using-the-windows-user-id-agent.html

3.2 Design and implement SSL decryption

Description and configuration of an SSL decryption profile:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/ssl-protocol-settings-decryption-profile.html

SSL forward proxy components and functions:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/ssl-forward-proxy.html

Specific discussion of SSL decryption certificate requirements:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies.html

Discussion of differences between the modes:
• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK

SSL inbound inspection components and functions:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/ssl-inbound-inspection.html

Creating a policy to decrypt SSL traffic:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule.html

Policy-based decryption exclusions:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-exclusions/create-a-policy-based-decryption-exclusion.html



Discussion of predefined decryption exclusions in PAN-OS 10.0:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-exclusions/palo-alto-networks-predefined-decryption-exclusions.html

SSL decryption exclusions in PAN-OS versions:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEzCAK

General notes on deploying SSL decryption, including certificate requirements:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0

3.3 Design and Implement App-ID

Managing custom or unknown applications:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/manage-custom-or-unknown-applications.html

Using application override to identify applications:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/policies/policies-application-override.html

Creating custom App-IDs:
• https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures

Managing new App-IDs in content releases:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/app-id-updates-workflow.html

Discussion of application filters and application groups:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/use-application-objects-in-policy.html

3.4 Design and implement content filtering and threat prevention

Zero Trust implementation practices:
• https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/best-practices/10-0/zero-trust-best-practices/zero-trust-best-practices.pdf

Best practices for creating security profiles:
• https://docs.paloaltonetworks.com/best-practices/10-0/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles.html

Troubleshooting URL filtering in PAN-OS 10.0:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/url-filtering/troubleshoot-url-filtering.html



4 Advanced Networking
4.1 Determine connectivity requirements

NAT overview and supporting NAT with Security policies:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CllzCAC

Bidirectional NAT:
• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClWBCA0

Specific considerations for U-turn NAT:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

4.2 Based on the requirements, construct routing topology

Summary of virtual router capabilities:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/network/network-virtual-routers.html

Configuring BGP routing:
• https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000DAOWAA4&field=Attachment_1__Body__s

Configuring OSPF routing:
• https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000D8HwAAK&field=Attachment_1__Body__s

Route redistribution configuration close-up:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/network/network-virtual-routers/route-redistribution.html

Capturing OSPF and BGP routing traffic using the CLI:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEWCA0

Capturing PIM and IGMP traffic using the CLI:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsFCAS

4.3 Deploy IPSec

Base IPSec VPN configuration:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGkCAK

Complete IPSec VPN configuration and deployment:


• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/vpns.html



4.4 Configure aggregate interfaces

Configuring an aggregate interface group:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/configure-interfaces/configure-an-aggregate-interface-group.html

5 Advanced Troubleshooting
5.1 Given a scenario, troubleshoot issues with dynamic routing

Summary of virtual router capabilities:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/network/network-virtual-routers.html

LSVPN configuration with dynamic routing:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/large-scale-vpn-lsvpn/lsvpn-quick-configs/advanced-lsvpn-configuration-with-dynamic-routing

Capturing protocol independent multicast (PIM) and internet group management protocol
(IGMP) traffic using the CLI:
• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsFCAS

CLI cheat sheets with examples of troubleshooting:


• https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-cli-quick-start/cli-cheat-sheets.html

5.2 Given a scenario, troubleshoot User-ID

Resource list for configuring and troubleshooting User-ID:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5bCAC

Creating custom LDAP groups:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ1CAK

5.3 Given a scenario, troubleshoot SSL decryption

General monitoring of SSL decryption from the CLI:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF2CAK

Collection of resources for configuring and troubleshooting SSL decryption issues:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgHCAS

5.4 Given a scenario, troubleshoot Panorama



Troubleshooting using global counters on the CLI:
• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXOCA0

Troubleshooting Panorama connectivity:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaWCAS

Troubleshooting IPSec VPN:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC

Loading partial XML configurations into the firewall:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbLCAS

Loading firewall configuration elements into Panorama using the CLI:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clf2CAC

5.5 Given a scenario, troubleshoot firewalls

Ports on firewall:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links/ha-ports-on-the-pa-7000-series-firewall.html

Managing firewall licenses:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/manage-firewall-licenses.html

Managing firewall with Panorama:
• https://docs.paloaltonetworks.com/best-practices/10-0/best-practices-for-managing-firewalls-with-panorama.html

Use case for configuring firewalls using Panorama:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/use-case-configure-firewalls-using-panorama.html

Matching URL filtering vendors:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/manage-device-groups/select-a-url-filtering-vendor-on-panorama/must-panorama-and-firewalls-have-matching-url-filtering-vendors.html

Updating firewall when Panorama is not connected to the Internet:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-licenses-and-updates/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/deploy-an-update-to-firewalls-when-panorama-is-not-internet-connected.html

Adding firewall as a managed device:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/add-a-firewall-as-a-managed-device.html



Upgrading the firewall PAN-OS:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/upgrade-pan-os/upgrade-the-firewall-pan-os.html

Troubleshooting automatically reverted firewall:
• https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/troubleshooting/troubleshoot-automatically-reverted-firewall-configurations.html

Preparing USB flash drive for bootstrapping a firewall:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/bootstrap-the-firewall/prepare-a-usb-flash-drive-for-bootstrapping-a-firewall.html

Overview of different firewall-management interfaces:
• https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/management-interfaces.html

Other troubleshooting information and approaches are listed in the remainder of this section
and are not repeated here.

Capturing packets on the firewall:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0

Troubleshooting using global counters from the CLI:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXOCA0

Using regex patterns in global counter searches:


• https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLkSCAW
