You Can Pass This Exam For Free
Choose Your Study Path
Limited networking or security experience. You need to build foundational knowledge in network security concepts before tackling Palo Alto-specific technologies.
Exam Overview
Format
Approximately 75 questions in 90 minutes. Question types include multiple-choice, multiple-select, drag-and-drop, and scenario-based (testlet) questions. Delivered in-person at Pearson VUE test centers only.
Scoring
Scaled scoring from 300 to 1000. Passing score: 860. No penalty for wrong answers — always answer every question.
Domains & Weights
- Network Security Fundamentals: 16%
- NGFW and SASE Solution Functionality: 18%
- Platform Solutions, Services, and Tools: 18%
- NGFW and SASE Solution Maintenance and Configuration: 19%
- Infrastructure Management and CDSS: 15%
- Connectivity and Security: 14%
Registration
$200 USD. Available at authorized Pearson VUE testing centers. In-person only as of 2026 (online proctoring discontinued). Vouchers expire 12 months after purchase.
Topic Priority Table
Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.
Network Security Fundamentals
This domain covers foundational network security concepts including Zero Trust architecture, defense-in-depth, network segmentation, traffic flow analysis, and application-layer inspection. While the smallest domain by weight, it underpins the knowledge needed for all other domains.
Key Topics
Must-Know Concepts
- Zero Trust architecture principles: never trust, always verify. No implicit trust based on network location. Continuous verification of users, devices, and applications
- Defense-in-depth strategy: multiple layers of security controls (network, endpoint, application, data) that provide redundancy if one layer fails
- Network segmentation and microsegmentation: dividing networks into isolated segments to contain breaches and limit lateral movement
- Application-layer inspection: analyzing traffic at Layer 7 to identify applications regardless of port or protocol — the foundation of Palo Alto NGFW technology
- Traffic flow concepts: how packets traverse a firewall including ingress, security policy evaluation, NAT, content inspection, and egress
- Common attack types: phishing, ransomware, command-and-control, lateral movement, data exfiltration, and how network security controls mitigate each
- Encryption concepts: SSL/TLS, IPsec, certificate-based authentication, and why decryption is necessary for visibility into encrypted traffic
- Authentication methods: RADIUS, LDAP, SAML, Kerberos, multi-factor authentication, and their role in network security
Common Exam Traps
NGFW and SASE Solution Functionality
This domain covers the core functional capabilities of Palo Alto Networks Next-Generation Firewalls and Prisma SASE solutions. You need to understand how App-ID, Content-ID, User-ID, WildFire, and Prisma Access work, their use cases, and how they integrate to provide comprehensive security.
Key Topics
Must-Know Concepts
- App-ID: identifies applications using signatures, protocol decoders, and heuristics. Applications are identified regardless of port, protocol, encryption, or evasive technique
- Content-ID: scans content for threats using antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, and data filtering. Requires security profiles attached to policy rules
- User-ID: maps IP addresses to usernames through AD integration, captive portal, GlobalProtect, and other methods. Enables user-based and group-based security policies
- WildFire: cloud-based malware analysis that detonates unknown files in sandbox environments. Generates and distributes new threat signatures within minutes
- Prisma Access architecture: cloud-delivered SASE with mobile user and remote network connections. Provides NGFW-equivalent security from the cloud
- GlobalProtect: VPN client for secure remote access. Portal provides configuration; gateways provide VPN tunnels. Supports always-on VPN, split tunneling, and HIP checks
- SD-WAN: integrated into PAN-OS for intelligent path selection across multiple WAN links. Uses traffic distribution profiles and path quality metrics
- Security policy processing: top-down, first-match evaluation. Inter-zone traffic denied by default; intra-zone traffic allowed by default
Common Exam Traps
Platform Solutions, Services, and Tools
This domain tests your knowledge of the broader Palo Alto Networks product and services portfolio. You need to identify and understand each platform component, its purpose, and how different tools work together for threat prevention, analytics, and security operations.
Key Topics
Must-Know Concepts
- Palo Alto Networks three product pillars: Strata (network security/NGFW), Prisma (cloud and SASE security), Cortex (security operations and AI-driven analytics)
- Cloud-Delivered Security Services (CDSS): Advanced Threat Prevention, Advanced URL Filtering, DNS Security, WildFire, IoT Security, SaaS Security, Enterprise DLP
- Advanced Threat Prevention: inline detection of zero-day threats using machine learning, custom signatures, and cloud-based analysis
- Advanced URL Filtering: real-time URL categorization using machine learning. Provides inline protection against phishing and credential theft
- Decryption broker: shares decrypted traffic with third-party security tools without each tool needing to decrypt independently
- Palo Alto Networks integration ecosystem: Cortex XSOAR for SOAR, Cortex XSIAM for autonomous SOC, Cortex XDR for extended detection and response
- Strata Cloud Manager: cloud-based management and operations platform for Strata products, providing unified visibility and AI-powered best practice recommendations
- SaaS Security: visibility and control over sanctioned and unsanctioned SaaS application usage across the organization
Common Exam Traps
NGFW and SASE Solution Maintenance and Configuration
The heaviest domain at 19%. Covers hands-on configuration and maintenance of Palo Alto NGFW and SASE solutions including security policies, NAT, interfaces, routing, threat prevention profiles, GlobalProtect, and software updates. This domain tests practical, scenario-based knowledge.
Key Topics
Must-Know Concepts
- Security policy rule components: source/destination zones, addresses, users, applications, services, actions, security profiles, and logging
- NAT policy types: source NAT (dynamic IP/port, dynamic IP, static IP), destination NAT, and U-Turn NAT. Security policies use pre-NAT IP addresses but post-NAT zones for all NAT scenarios
- Interface types: Layer 2, Layer 3, virtual wire, tap, tunnel, loopback, and aggregate ethernet. Know when to use each type
- Routing configuration: static routes, OSPF, BGP, PBF (Policy-Based Forwarding), and route redistribution between protocols
- Threat prevention profile configuration: Antivirus, Anti-Spyware, Vulnerability Protection profiles with action settings (default, strict, custom)
- URL Filtering profile configuration: category-based actions (allow, alert, block, continue, override), custom URL categories, and credential phishing protection
- GlobalProtect configuration: portal, gateway, agent configuration, authentication profiles, HIP (Host Information Profile) checks, and split tunneling
- PAN-OS software updates: dynamic content updates (Applications and Threats, Antivirus, WildFire), PAN-OS version upgrades, and scheduling
- Certificate management: generating, importing, and managing certificates for SSL decryption, GlobalProtect, and management access
- Commit process: candidate configuration vs running configuration, commit validation, partial commits, and commit-and-push from Panorama
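An added example (not part of the original guide, and not PAN-OS code): a simplified Python model of two rules stated above, top-down first-match evaluation with the intrazone/interzone defaults, and security rules matching the pre-NAT destination address together with the post-NAT destination zone. The zone table, addresses, rule names and the `zone_of`/`evaluate` helpers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed lab topology (assumption): each zone owns one prefix.
ZONES = {"untrust": "0.0.0.0/0", "dmz": "10.1.1.0/24", "trust": "192.168.1.0/24"}
# Constructed destination NAT: public address -> DMZ web server.
DNAT = {"203.0.113.10": "10.1.1.10"}

@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_ip: str      # "any" or a single address
    action: str      # "allow" or "deny"

def zone_of(ip):
    """Longest-prefix match against ZONES, standing in for a route lookup."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(net), zone) for zone, net in ZONES.items()
            if addr in ipaddress.ip_network(net)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def evaluate(rules, src_ip, dst_ip):
    """Return (rule name, action) for a new session from src_ip to dst_ip."""
    src_zone = zone_of(src_ip)
    dst_zone = zone_of(DNAT.get(dst_ip, dst_ip))   # post-NAT zone
    for r in rules:                                # top-down, first match wins
        if (r.src_zone in ("any", src_zone)
                and r.dst_zone in ("any", dst_zone)
                and r.dst_ip in ("any", dst_ip)):  # pre-NAT address
            return r.name, r.action
    # No rule matched: fall through to the default rules.
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

# Two common mistakes and the correct rule for the DNAT'd web server.
POST_NAT_IP = Rule("post-nat-ip", "untrust", "dmz", "10.1.1.10", "allow")
PRE_NAT_ZONE = Rule("pre-nat-zone", "untrust", "untrust", "203.0.113.10", "allow")
CORRECT = Rule("web-in", "untrust", "dmz", "203.0.113.10", "allow")
BLOCK_ALL_IN = Rule("block-inbound", "untrust", "any", "any", "deny")

if __name__ == "__main__":
    client, public = "198.51.100.7", "203.0.113.10"
    print(evaluate([POST_NAT_IP, PRE_NAT_ZONE], client, public))  # neither rule matches
    print(evaluate([CORRECT, BLOCK_ALL_IN], client, public))      # correct rule first
    print(evaluate([BLOCK_ALL_IN, CORRECT], client, public))      # correct rule shadowed
    print(evaluate([], "192.168.1.5", "192.168.1.9"))             # same-zone traffic
```

Rules written with the post-NAT address or the pre-NAT zone never match, so the session falls to the interzone default deny; the same correct rule placed below a broader deny is shadowed by it.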
Common Exam Traps
Infrastructure Management and CDSS
This domain covers centralized management with Panorama, Cloud-Delivered Security Services, logging and reporting, high availability, and operational management tasks. You need to understand how to manage multiple firewalls at scale and leverage cloud services for enhanced security.
Key Topics
Must-Know Concepts
- Panorama management architecture: management server, log collectors, device groups, template stacks, and managed firewalls
- Device groups: hierarchical structure for pushing security policies, objects, and profiles to managed firewalls. Supports inheritance and overrides
- Template stacks: layered configurations for network and device settings. Multiple templates can be stacked with priority-based resolution for conflicts
- Log collector architecture: dedicated appliances or Panorama in log collector mode that aggregate logs from managed firewalls for centralized analysis
- CDSS activation and management: subscription licensing, feature activation, and how CDSS services integrate with NGFW and Prisma Access
- High availability configuration: HA modes (Active/Passive, Active/Active), HA links (HA1 control, HA2 data), failover triggers, and preemption settings
- Software and content update management: scheduling updates, managing firmware across multiple firewalls via Panorama, and update deployment strategies
- Reporting and dashboards: built-in reports, custom reports, automated report generation, ACC (Application Command Center) widgets, and PDF report scheduling
Common Exam Traps
Connectivity and Security
This domain covers network connectivity features including VPN configuration, SSL decryption, certificate management, routing integration, and how security is applied to different connectivity scenarios. You need to understand site-to-site VPNs, remote access, and encrypted traffic inspection.
Key Topics
Must-Know Concepts
- Site-to-site IPsec VPN: IKE (Internet Key Exchange) phases, IKE gateways, IPsec tunnels, proxy IDs, and crypto profiles. Know Phase 1 (IKE SA) vs Phase 2 (IPsec SA)
- SSL/TLS decryption: forward proxy (outbound), inbound inspection (inbound), and SSH proxy. Certificate requirements for each decryption mode
- SSL decryption exclusions: categories or applications that should not be decrypted (financial, healthcare) due to regulatory or privacy concerns
- Certificate management: root CA certificates, server certificates, certificate profiles, OCSP/CRL for revocation checking, and certificate pinning considerations
- Routing protocol configuration: OSPF areas, BGP neighbors, route redistribution, and how routing interacts with security zones and policies
- Policy-Based Forwarding (PBF): routing decisions based on application, user, or source rather than standard routing table. Use cases include traffic steering and WAN optimization
- Zone protection profiles: protect against flood attacks (SYN, UDP, ICMP), reconnaissance (port scan, host sweep), and packet-based attacks at the zone level
- DoS protection profiles: rate-based protection for specific destinations, applied at the policy level rather than the zone level
Common Exam Traps
Concepts You Must Not Confuse
These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.
Top Mistakes to Avoid
Exam-Ready Checklist
Recommended Resources
Free & Official Resources
Paid Courses & Practice Exams
These are recommended if you prefer a structured learning path. They can save time but are not required to pass.