Security Engineer (PCNSE)
What does SP3 stand for? - ✔✔Single-Pass Parallel Processing architecture.
https://www.paloguard.com/SP3-Architecture.asp
What is the difference between the PA-5260 and the PA-5280? - ✔✔Double the data-plane RAM which
doubles the session capacity.
(Can't find a non-training source for this.)
When is a Virtual Systems license needed? - ✔✔• To support multiple virtual systems on PA-3200
Series firewalls.
• To create more than the base number of virtual systems supported on a platform.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/virtual-systems/virtual-systems-overview/platform-support-and-licensing-for-virtual-systems.html
What is the default IP address for a physical appliance? - ✔✔192.168.1.1
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/getting-started/integrate-the-firewall-into-your-management-network/perform-initial-configuration.html
What is the default IP address for a virtual firewall? - ✔✔Dynamic via DHCP.
(Can't find a non-training source for this.)
What commands enter maintenance mode? - ✔✔• Via serial console: "maint".
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CldXCAS
• Via SSH console: "debug system maintenance-mode".
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpjCAC
Where can you specify which interface to use for accessing certain external services? - ✔✔"Device" →
"Setup" → "Services" → "Service Features" → "Service Route Configuration".
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/service-routes.html
When is user authentication denied? - ✔✔If all authentication profiles fail.
(Can't find a non-training source for this.)
What needs to be done before upgrading PAN-OS? - ✔✔1. Install the latest Applications and Threats
update.
2. Install the latest maintenance release (for example, 7.1.*).
3. Install the major base release (for example, 8.0.0).
4. Install the latest maintenance release (for example, 8.0.*).
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRrCAK
Are HA and MGMT interfaces assigned to a zone? If so, which? - ✔✔No.
(Can't find a non-training source for this.)
By default, what are Ethernet ports 1 and 2 configured for? - ✔✔Virtual Wire (VWire) allowing all
untagged traffic.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLSCA0
What functionality is supported by Layer 2 deployment mode? - ✔✔• App-ID
• Content-ID
• User-ID
• SSL / TLS decryption
• QoS
(Can't find a non-training source for this.)
What netmask must a loopback interface have? - ✔✔None or /32.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/network/network-interfaces-loopback.html
What does the term "shadow" mean? - ✔✔Rules with a larger scope being above and taking effect over
others which have a narrower scope.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVXCA0
What do policy hit counts persist through? - ✔✔Reboots, dataplane restarts, and upgrades.
https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/device-monitoring-on-panorama/monitor-policy-rule-usage
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-policy-rule-usage.html
What does DIPP stand for? - ✔✔Dynamic IP and Port.
Do security policies match on pre- or post-NAT for IP addresses and zones? - ✔✔Pre-NAT IP addresses
but post-NAT zones.
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat/nat-policy-rules/nat-policy-overview.html
How many packets does App-ID need to identify a TCP application? - ✔✔According to EDU-110: Up to
5.
According to KB: Up to 4.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIgCAK
How many packets does App-ID need to identify a UDP application? - ✔✔1.
(Can't find a non-training source for this.)
Do application dependencies listed under "Depends On" need to be added to security policy rules? - ✔✔Yes.