CertPrepNow
Palo Alto Networks | NetSec-Pro | Updated 2026-06-07

NetSec-Pro Study Guide

Everything you need to pass the Palo Alto Networks Certified Network Security Professional exam. Structured study plans, key services, common traps, and practice questions.

You Can Pass This Exam For Free

The NetSec-Pro exam is passable with free resources alone if you study consistently for 4-8 weeks:

  • Palo Alto Networks official exam datasheet (free download from paloaltonetworks.com)
  • Palo Alto Networks Beacon digital learning path (free registration required)
  • Palo Alto Networks official documentation for PAN-OS and Prisma Access (free)
  • Palo Alto Networks LIVEcommunity forums and knowledge base (free)
  • Palo Alto Networks TechDocs for firewall configuration and deployment (free)
  • Free practice questions on this site

This certification is part of the role-based framework that succeeded the retired PCNSA (Jan 2025) and PCNSE (Jul 2025). Palo Alto Networks provides extensive free documentation and learning paths through their Beacon platform and LIVEcommunity.

Choose Your Study Path

Limited networking or security experience. You need to build foundational knowledge in network security concepts before tackling Palo Alto-specific technologies.

Week 1: Learn networking fundamentals: OSI model, TCP/IP, subnetting, VLANs, routing protocols (OSPF, BGP), DNS, DHCP, NAT. These are prerequisites for understanding firewall operations
Week 2: Study security fundamentals: Zero Trust architecture, defense-in-depth, security zones, network segmentation, VPNs, IPS/IDS, and basic firewall concepts
Week 3: Learn Palo Alto NGFW architecture: single-pass parallel processing, App-ID, Content-ID, User-ID, and how they work together in the traffic processing flow
Week 4: Study PAN-OS interface types (L2, L3, virtual wire, tap, tunnel), security zones, and how traffic flows through the firewall with zone-based policies
Week 5: Deep dive into security policies: Security policy rules, NAT policies, App-ID and application-based rules, URL filtering, and threat prevention profiles
Week 6: Learn Prisma SASE concepts: Prisma Access, GlobalProtect, SD-WAN, cloud-delivered security. Understand how SASE extends network security to remote users
Week 7: Study Panorama centralized management, Cloud-Delivered Security Services (CDSS), device groups, templates, and log management
Week 8: Cover infrastructure topics: high availability, certificate management, software updates, licensing, and basic troubleshooting with CLI and logs
Week 9: Practice questions across all six domains. Focus on Domains 3 and 4, which together are 37% of the exam
Week 10: Take full mock exams, review weak areas, and re-study any domains where you score below 85%. The passing score is 860/1000, so target 85%+ consistently

Exam Overview

Format

Approximately 75 questions in 90 minutes. Question types include multiple-choice, multiple-select, drag-and-drop, and scenario-based (testlet) questions. Delivered in-person at Pearson VUE test centers only.

Scoring

Scaled scoring from 300 to 1000. Passing score: 860. No penalty for wrong answers — always answer every question.

Domains & Weights

  • Network Security Fundamentals: 16%
  • NGFW and SASE Solution Functionality: 18%
  • Platform Solutions, Services, and Tools: 18%
  • NGFW and SASE Solution Maintenance and Configuration: 19%
  • Infrastructure Management and CDSS: 15%
  • Connectivity and Security: 14%

Registration

Exam fee: $200 USD. Available at authorized Pearson VUE testing centers. In-person only as of 2026 (online proctoring discontinued). Vouchers expire 12 months after purchase.

Topic Priority Table

Not all topics are tested equally. Focus your study time on Tier 1 first, then Tier 2. Tier 3 topics rarely appear — just recognize what they do.

Tier 1 (Must Know): You must understand these concepts deeply, know definitions, and be able to apply them in scenarios. These appear across multiple questions.
Tier 2 (Should Know): Understand what these are and their key characteristics. May appear in 2-5 questions each.
Tier 3 (Recognize Only): Know what these are at a high level. Rarely more than 1-2 questions each.

Domain 1 (16% of exam)

Network Security Fundamentals

This domain covers foundational network security concepts including Zero Trust architecture, defense-in-depth, network segmentation, traffic flow analysis, and application-layer inspection. While the smallest domain by weight, it underpins the knowledge needed for all other domains.

Key Topics

Zero Trust, Defense-in-Depth, Network Segmentation, Application-Layer Inspection, Encryption, Authentication

Must-Know Concepts

  • Zero Trust architecture principles: never trust, always verify. No implicit trust based on network location. Continuous verification of users, devices, and applications
  • Defense-in-depth strategy: multiple layers of security controls (network, endpoint, application, data) that provide redundancy if one layer fails
  • Network segmentation and microsegmentation: dividing networks into isolated segments to contain breaches and limit lateral movement
  • Application-layer inspection: analyzing traffic at Layer 7 to identify applications regardless of port or protocol — the foundation of Palo Alto NGFW technology
  • Traffic flow concepts: how packets traverse a firewall including ingress, security policy evaluation, NAT, content inspection, and egress
  • Common attack types: phishing, ransomware, command-and-control, lateral movement, data exfiltration, and how network security controls mitigate each
  • Encryption concepts: SSL/TLS, IPsec, certificate-based authentication, and why decryption is necessary for visibility into encrypted traffic
  • Authentication methods: RADIUS, LDAP, SAML, Kerberos, multi-factor authentication, and their role in network security

Common Exam Traps

  • Zero Trust is NOT about blocking everything. It is about verifying everything and applying least-privilege access after verification
  • Application-layer inspection requires the firewall to see inside the traffic. Encrypted traffic cannot be inspected without SSL/TLS decryption enabled
  • Network segmentation alone does not prevent all lateral movement — you also need user-based policies and microsegmentation
  • Defense-in-depth does NOT mean duplicating the same control. It means layering DIFFERENT types of controls for redundancy

Quick Check: Network Security Fundamentals

Question 1 of 3

An organization wants to prevent users from accessing social media applications during work hours, regardless of which ports those applications use. Which network security approach should they implement?

Domain 2 (18% of exam)

NGFW and SASE Solution Functionality

This domain covers the core functional capabilities of Palo Alto Networks Next-Generation Firewalls and Prisma SASE solutions. You need to understand how App-ID, Content-ID, User-ID, WildFire, and Prisma Access work, their use cases, and how they integrate to provide comprehensive security.

Key Topics

App-ID, Content-ID, User-ID, WildFire, Prisma Access, GlobalProtect, SD-WAN

Must-Know Concepts

  • App-ID: identifies applications using signatures, protocol decoders, and heuristics. Applications are identified regardless of port, protocol, encryption, or evasive technique
  • Content-ID: scans content for threats using antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, and data filtering. Requires security profiles attached to policy rules
  • User-ID: maps IP addresses to usernames through AD integration, captive portal, GlobalProtect, and other methods. Enables user-based and group-based security policies
  • WildFire: cloud-based malware analysis that detonates unknown files in sandbox environments. Generates and distributes new threat signatures within minutes
  • Prisma Access architecture: cloud-delivered SASE with mobile user and remote network connections. Provides NGFW-equivalent security from the cloud
  • GlobalProtect: VPN client for secure remote access. Portal provides configuration; gateways provide VPN tunnels. Supports always-on VPN, split tunneling, and HIP checks
  • SD-WAN: integrated into PAN-OS for intelligent path selection across multiple WAN links. Uses traffic distribution profiles and path quality metrics
  • Security policy processing: top-down, first-match evaluation. Inter-zone traffic denied by default; intra-zone traffic allowed by default

Common Exam Traps

  • App-ID identifies the application FIRST, then Content-ID inspects the content. If App-ID cannot identify the application, it falls back to the default port-based behavior
  • Security profiles (Antivirus, Anti-Spyware, etc.) must be ATTACHED to allow rules. Profiles on deny rules serve no purpose because the traffic is already blocked
  • WildFire analysis happens in the CLOUD by default. Files are uploaded to WildFire servers for sandboxing. For sensitive environments, a local WildFire appliance is available
  • GlobalProtect always-on mode does NOT mean the user is always connected to the corporate network. It means the VPN tunnel is re-established automatically after disconnection

Quick Check: NGFW and SASE Solution Functionality

Question 1 of 3

A security administrator wants to identify and control Slack usage on the network. Slack traffic uses standard HTTPS (port 443). Which technology should the administrator rely on?

Domain 3 (18% of exam)

Platform Solutions, Services, and Tools

This domain tests your knowledge of the broader Palo Alto Networks product and services portfolio. You need to identify and understand each platform component, its purpose, and how different tools work together for threat prevention, analytics, and security operations.

Key Topics

Strata, Prisma, Cortex, CDSS, Threat Prevention, Advanced URL Filtering, Decryption Broker

Must-Know Concepts

  • Palo Alto Networks three product pillars: Strata (network security/NGFW), Prisma (cloud and SASE security), Cortex (security operations and AI-driven analytics)
  • Cloud-Delivered Security Services (CDSS): Advanced Threat Prevention, Advanced URL Filtering, DNS Security, WildFire, IoT Security, SaaS Security, Enterprise DLP
  • Advanced Threat Prevention: inline detection of zero-day threats using machine learning, custom signatures, and cloud-based analysis
  • Advanced URL Filtering: real-time URL categorization using machine learning. Provides inline protection against phishing and credential theft
  • Decryption broker: shares decrypted traffic with third-party security tools without each tool needing to decrypt independently
  • Palo Alto Networks integration ecosystem: Cortex XSOAR for SOAR, Cortex XSIAM for autonomous SOC, Cortex XDR for extended detection and response
  • Strata Cloud Manager: cloud-based management and operations platform for Strata products, providing unified visibility and AI-powered best practice recommendations
  • SaaS Security: visibility and control over sanctioned and unsanctioned SaaS application usage across the organization

Common Exam Traps

  • Strata, Prisma, and Cortex are product FAMILIES, not individual products. Each contains multiple products and services
  • CDSS services require active subscriptions and are not included with the base NGFW purchase. Know which services are subscription-based
  • Advanced URL Filtering is a CDSS subscription that replaces the legacy PAN-DB URL filtering. It adds inline ML-based phishing detection
  • Decryption broker only distributes decrypted traffic. It does not perform analysis itself — the third-party tools connected to it do the analysis

Quick Check: Platform Solutions, Services, and Tools

Question 1 of 3

A company needs to provide decrypted traffic to a third-party DLP solution and an IDS appliance without requiring each tool to perform its own SSL decryption. Which Palo Alto Networks feature should they use?

Domain 4 (19% of exam)

NGFW and SASE Solution Maintenance and Configuration

The heaviest domain at 19%. Covers hands-on configuration and maintenance of Palo Alto NGFW and SASE solutions including security policies, NAT, interfaces, routing, threat prevention profiles, GlobalProtect, and software updates. This domain tests practical, scenario-based knowledge.

Key Topics

Security Policies, NAT Policies, Interfaces, Routing, Threat Prevention Profiles, GlobalProtect Configuration, Software Updates

Must-Know Concepts

  • Security policy rule components: source/destination zones, addresses, users, applications, services, actions, security profiles, and logging
  • NAT policy types: source NAT (dynamic IP/port, dynamic IP, static IP), destination NAT, and U-Turn NAT. Security policies use pre-NAT IP addresses but post-NAT zones for all NAT scenarios
  • Interface types: Layer 2, Layer 3, virtual wire, tap, tunnel, loopback, and aggregate ethernet. Know when to use each type
  • Routing configuration: static routes, OSPF, BGP, PBF (Policy-Based Forwarding), and route redistribution between protocols
  • Threat prevention profile configuration: Antivirus, Anti-Spyware, Vulnerability Protection profiles with action settings (default, strict, custom)
  • URL Filtering profile configuration: category-based actions (allow, alert, block, continue, override), custom URL categories, and credential phishing protection
  • GlobalProtect configuration: portal, gateway, agent configuration, authentication profiles, HIP (Host Information Profile) checks, and split tunneling
  • PAN-OS software updates: dynamic content updates (Applications and Threats, Antivirus, WildFire), PAN-OS version upgrades, and scheduling
  • Certificate management: generating, importing, and managing certificates for SSL decryption, GlobalProtect, and management access
  • Commit process: candidate configuration vs running configuration, commit validation, partial commits, and commit-and-push from Panorama

Common Exam Traps

Security policies always use pre-NAT IP addresses but post-NAT zones. For destination NAT scenarios, the security rule must reference the ORIGINAL (pre-NAT) destination IP but the post-NAT destination zone. Remember: pre-NAT IP, post-NAT zone
PAN-OS uses a candidate configuration model. Changes are NOT active until committed. A failed commit leaves all pending changes in the candidate configuration — nothing is applied to the running configuration, but the pending changes are preserved for the administrator to fix and retry
Content updates (Applications and Threats, Antivirus) should be installed BEFORE PAN-OS version upgrades to ensure compatibility
HIP checks in GlobalProtect evaluate the endpoint's health (patch level, antivirus status, disk encryption). They do NOT check network health
Quick Check: NGFW and SASE Solution Maintenance and Configuration

Question 1 of 3

An administrator creates a destination NAT rule to translate traffic destined for public IP 203.0.113.10 to internal server 10.1.1.100. When creating the corresponding security policy rule, what should the destination address be?
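The two rules that generate the most scenario questions, the Domain 2 "Security policy processing" bullet (top-down, first match; interzone denied and intrazone allowed by default; matching on the identified application rather than the port) and the Domain 4 NAT trap (pre-NAT IP, post-NAT zone), can be exercised in a small simulator. The Python below is an added example written for this guide, not code from the page or from Palo Alto Networks. The zone table, rule names, application labels and addresses are constructed, and the zone lookup stands in for the route lookup a real firewall performs on the post-NAT destination to find the egress zone.

```python
"""Toy model of PAN-OS style policy evaluation (added example, not vendor code).
Destination NAT is resolved first; the security rulebase is then matched on
pre-NAT IP addresses but post-NAT zones, top-down, first match wins.
Zones, addresses, application labels and rule names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src_ip: str
    dst_ip: str       # pre-NAT destination as seen on ingress
    app: str          # label assigned by application identification (assumed)
    dst_port: int     # kept to show the port is NOT what the rules match on


@dataclass
class NatRule:
    name: str
    orig_dst: str         # pre-NAT destination address
    translated_dst: str   # post-NAT destination address


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any", written with PRE-NAT addresses
    apps: Optional[frozenset]   # None means any application
    action: str                 # "allow" or "deny"


@dataclass
class Verdict:
    rule: str
    action: str
    from_zone: str
    to_zone: str
    post_nat_dst: str
    nat_rule: Optional[str]


# Constructed zone table; it stands in for the route lookup that maps the
# (post-NAT) destination to an egress interface and therefore a zone.
ZONE_TABLE = [
    (ip_network("10.1.1.0/24"), "dmz"),
    (ip_network("10.1.0.0/16"), "trust"),
    (ip_network("203.0.113.0/24"), "untrust"),
]


def zone_of(ip: str) -> str:
    """Longest-prefix match against ZONE_TABLE; unlisted space is 'untrust'."""
    addr = ip_address(ip)
    for net, zone in sorted(ZONE_TABLE, key=lambda e: e[0].prefixlen, reverse=True):
        if addr in net:
            return zone
    return "untrust"


def _addr_match(spec: str, ip: str) -> bool:
    return spec == "any" or ip_address(ip) in ip_network(spec)


def evaluate(pkt: Packet, nat_rules: List[NatRule], sec_rules: List[SecurityRule]) -> Verdict:
    ingress_zone = zone_of(pkt.src_ip)
    # 1. Destination NAT is resolved before the security lookup.
    post_nat_dst, nat_hit = pkt.dst_ip, None
    for nr in nat_rules:
        if nr.orig_dst == pkt.dst_ip:
            post_nat_dst, nat_hit = nr.translated_dst, nr.name
            break
    egress_zone = zone_of(post_nat_dst)            # post-NAT zone
    # 2. Security rulebase: top-down, first match wins.
    for sr in sec_rules:
        if (sr.from_zone in ("any", ingress_zone)
                and sr.to_zone in ("any", egress_zone)
                and _addr_match(sr.src, pkt.src_ip)
                and _addr_match(sr.dst, pkt.dst_ip)   # pre-NAT IP, not post_nat_dst
                and (sr.apps is None or pkt.app in sr.apps)):
            return Verdict(sr.name, sr.action, ingress_zone, egress_zone, post_nat_dst, nat_hit)
    # 3. Implicit defaults: intrazone allowed, interzone denied.
    if ingress_zone == egress_zone:
        return Verdict("intrazone-default", "allow", ingress_zone, egress_zone, post_nat_dst, nat_hit)
    return Verdict("interzone-default", "deny", ingress_zone, egress_zone, post_nat_dst, nat_hit)


NAT_RULES = [NatRule("dnat-web", "203.0.113.10", "10.1.1.100")]

SECURITY_RULES = [
    # Correct DNAT companion rule: pre-NAT destination IP, post-NAT zone.
    SecurityRule("allow-inbound-web", "untrust", "dmz", "any", "203.0.113.10/32",
                 frozenset({"web-browsing", "ssl"}), "allow"),
    # Placed above the broad allow so the deny is reached first (ordering matters).
    SecurityRule("block-slack", "trust", "untrust", "any", "any", frozenset({"slack"}), "deny"),
    SecurityRule("allow-trust-out", "trust", "untrust", "any", "any",
                 frozenset({"web-browsing", "ssl"}), "allow"),
]

# The common mistake: referencing the translated (post-NAT) address instead.
WRONG_RULES = [
    SecurityRule("wrong-post-nat-ip", "untrust", "dmz", "any", "10.1.1.100/32",
                 frozenset({"web-browsing", "ssl"}), "allow"),
]

if __name__ == "__main__":
    inbound = Packet("198.51.100.7", "203.0.113.10", "web-browsing", 80)
    print(evaluate(inbound, NAT_RULES, SECURITY_RULES))   # allow-inbound-web, allow
    print(evaluate(inbound, NAT_RULES, WRONG_RULES))      # interzone-default, deny
    print(evaluate(Packet("10.1.5.5", "192.0.2.8", "slack", 443), NAT_RULES, SECURITY_RULES))
```

Two things to notice when running it: the rule written against 10.1.1.100 never matches because the rulebase sees the pre-NAT address 203.0.113.10, so the traffic falls through to the interzone default deny; and Slack and plain SSL on the same port 443 get different verdicts because the rules match on the application label, not the port.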

Domain 5 (15% of exam)

Infrastructure Management and CDSS

This domain covers centralized management with Panorama, Cloud-Delivered Security Services, logging and reporting, high availability, and operational management tasks. You need to understand how to manage multiple firewalls at scale and leverage cloud services for enhanced security.

Key Topics

Panorama, Device Groups, Templates, Log Collectors, CDSS, High Availability, Licensing

Must-Know Concepts

  • Panorama management architecture: management server, log collectors, device groups, template stacks, and managed firewalls
  • Device groups: hierarchical structure for pushing security policies, objects, and profiles to managed firewalls. Supports inheritance and overrides
  • Template stacks: layered configurations for network and device settings. Multiple templates can be stacked with priority-based resolution for conflicts
  • Log collector architecture: dedicated appliances or Panorama in log collector mode that aggregate logs from managed firewalls for centralized analysis
  • CDSS activation and management: subscription licensing, feature activation, and how CDSS services integrate with NGFW and Prisma Access
  • High availability configuration: HA modes (Active/Passive, Active/Active), HA links (HA1 control, HA2 data), failover triggers, and preemption settings
  • Software and content update management: scheduling updates, managing firmware across multiple firewalls via Panorama, and update deployment strategies
  • Reporting and dashboards: built-in reports, custom reports, automated report generation, ACC (Application Command Center) widgets, and PDF report scheduling

Common Exam Traps

  • Device groups push POLICIES. Templates push CONFIGURATIONS. Do not mix them up — this is a very common exam question pattern
  • Template stacks layer templates with the HIGHER priority template winning when there are conflicts. The most specific template should have the highest priority
  • Panorama can operate in Management Only mode or Panorama mode (management + log collection). In Management Only mode, logs must go to dedicated log collectors
  • CDSS services activated on Panorama apply to all managed firewalls in the relevant device groups. You do not need to activate them on each firewall individually

Quick Check: Infrastructure Management and CDSS

Question 1 of 3

An administrator needs to push the same set of security policy rules to 50 branch office firewalls managed by Panorama. Which Panorama feature should be used?
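The device-group hierarchy and template-stack behaviour described in this domain (inheritance and overrides down the device-group tree, pre-rules and post-rules, and the highest-priority template winning a settings conflict) can be modelled in a few dozen lines. The Python below is an added example for this guide, not Panorama code; the hierarchy, template names, rule names and values are constructed, and rules are represented by their names only.

```python
"""Toy model of Panorama device-group and template-stack resolution
(added example for this guide, not Panorama code; names and values constructed).
Device groups carry rules and objects; templates carry network/device settings."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"]                     # None for the Shared root
    pre_rules: List[str] = field(default_factory=list)
    post_rules: List[str] = field(default_factory=list)
    objects: Dict[str, str] = field(default_factory=dict)   # e.g. address objects


def lineage(dg: DeviceGroup) -> List[DeviceGroup]:
    """Shared first, then each descendant down to dg."""
    chain = []
    while dg is not None:
        chain.append(dg)
        dg = dg.parent
    return chain[::-1]


def effective_rulebase(dg: DeviceGroup, local_rules: List[str]) -> List[str]:
    """Order a managed firewall evaluates: pre-rules from Shared downwards,
    then the firewall's own local rules, then post-rules from dg back up to Shared."""
    chain = lineage(dg)
    pre = [r for g in chain for r in g.pre_rules]
    post = [r for g in reversed(chain) for r in g.post_rules]
    return pre + local_rules + post


def resolve_object(dg: DeviceGroup, name: str) -> Tuple[str, str]:
    """Nearest definition wins: a child device group overrides its ancestors.
    Returns (value, name of the device group that supplied it)."""
    for g in reversed(lineage(dg)):
        if name in g.objects:
            return g.objects[name], g.name
    raise KeyError(f"object {name!r} is not defined anywhere in the hierarchy")


@dataclass
class Template:
    name: str
    settings: Dict[str, str]


def resolve_stack(stack: List[Template]) -> Dict[str, Tuple[str, str]]:
    """Merge a template stack. stack[0] has the highest priority, so the first
    template that defines a setting wins any conflict. Returns
    {setting: (value, template that supplied it)}."""
    merged: Dict[str, Tuple[str, str]] = {}
    for tpl in stack:
        for key, value in tpl.settings.items():
            merged.setdefault(key, (value, tpl.name))
    return merged


# Constructed hierarchy: Shared -> Branches -> Branch-East
SHARED = DeviceGroup("Shared", None,
                     pre_rules=["shared-block-known-bad"], post_rules=["shared-deny-log"],
                     objects={"dns-server": "10.0.0.53"})
BRANCHES = DeviceGroup("Branches", SHARED,
                       pre_rules=["branch-allow-mgmt"], post_rules=["branch-deny-p2p"],
                       objects={"dns-server": "10.8.0.53"})      # overrides Shared
BRANCH_EAST = DeviceGroup("Branch-East", BRANCHES, objects={"printer": "10.8.12.9"})

# Constructed template stack for the east branch firewall, highest priority first.
EAST_STACK = [
    Template("Branch-East-Overrides", {"hostname": "fw-east-01"}),
    Template("Branch-Baseline", {"hostname": "branch-fw", "ntp": "10.0.0.123"}),
    Template("Global-Baseline", {"ntp": "10.0.0.5", "timezone": "UTC"}),
]

if __name__ == "__main__":
    print(effective_rulebase(BRANCH_EAST, ["local-allow-printer"]))
    print(resolve_object(BRANCH_EAST, "dns-server"))   # ('10.8.0.53', 'Branches')
    print(resolve_stack(EAST_STACK))
```

The output makes the exam distinction concrete: rule ordering and object values come from the device-group tree, while hostname, NTP and timezone come from the template stack, and a firewall needs both. The same model also shows why a Shared post-rule such as a final deny-and-log can never be jumped ahead of by a branch administrator's local rule.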

Domain 6 (14% of exam)

Connectivity and Security

This domain covers network connectivity features including VPN configuration, SSL decryption, certificate management, routing integration, and how security is applied to different connectivity scenarios. You need to understand site-to-site VPNs, remote access, and encrypted traffic inspection.

Key Topics

IPsec VPN, SSL Decryption, Certificate Management, Routing Protocols, Policy-Based Forwarding, Zone Protection

Must-Know Concepts

  • Site-to-site IPsec VPN: IKE (Internet Key Exchange) phases, IKE gateways, IPsec tunnels, proxy IDs, and crypto profiles. Know Phase 1 (IKE SA) vs Phase 2 (IPsec SA)
  • SSL/TLS decryption modes: SSL forward proxy (outbound traffic), SSL inbound inspection (traffic to internal servers), and SSH proxy. Know the certificate requirements for each decryption mode
  • SSL decryption exclusions: categories or applications that should not be decrypted (financial, healthcare) due to regulatory or privacy concerns
  • Certificate management: root CA certificates, server certificates, certificate profiles, OCSP/CRL for revocation checking, and certificate pinning considerations
  • Routing protocol configuration: OSPF areas, BGP neighbors, route redistribution, and how routing interacts with security zones and policies
  • Policy-Based Forwarding (PBF): routing decisions based on application, user, or source rather than standard routing table. Use cases include traffic steering and WAN optimization
  • Zone protection profiles: protects against flood attacks (SYN, UDP, ICMP), reconnaissance (port scan, host sweep), and packet-based attacks at the zone level
  • DoS protection profiles: rate-based protection for specific destinations, applied at the policy level rather than the zone level

Common Exam Traps

  • SSL forward proxy requires the firewall's CA certificate to be trusted by endpoints. If not deployed, users will see certificate warnings for every HTTPS site
  • IPsec VPN proxy IDs must match on both sides of the tunnel. Mismatched proxy IDs are one of the most common VPN troubleshooting issues
  • Zone protection profiles protect the ZONE, not individual hosts. DoS protection profiles protect specific destinations at the policy level
  • PBF rules are evaluated BEFORE the routing table. If a PBF rule matches, the routing table is bypassed for that traffic

Quick Check: Connectivity and Security

Question 1 of 3

A security administrator deploys SSL forward proxy decryption. Users report certificate errors when visiting HTTPS websites. What is the most likely cause?
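The PBF trap above (PBF rules are evaluated before the routing table, and a match bypasses it) is easiest to see with a forwarding decision written out. The Python below is an added example for this guide, not PAN-OS code; the interface names, addresses, application labels and rule names are constructed. It also goes slightly beyond the text by showing the longest-prefix-match lookup that applies when no PBF rule matches.

```python
"""Toy forwarding decision (added example for this guide, not PAN-OS code):
Policy-Based Forwarding rules are consulted first, top-down; only if none
matches does the routing table decide, using longest-prefix match.
Interfaces, addresses, application labels and rule names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class PbfRule:
    name: str
    src: str                 # CIDR or "any"
    app: Optional[str]       # application label, None for any application
    egress_if: str
    next_hop: str


@dataclass
class Route:
    prefix: str
    egress_if: str
    next_hop: str
    metric: int = 10


def route_lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ip_address(dst)
    best: Optional[Tuple[Tuple[int, int], Route]] = None
    for r in table:
        net = ip_network(r.prefix)
        if addr in net:
            key = (net.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


def forward(pbf_rules: List[PbfRule], table: List[Route],
            src: str, dst: str, app: str) -> Tuple[str, str, str, str]:
    """Return (decision source, rule name or matched prefix, egress interface, next hop)."""
    # 1. PBF first: a match steers the flow and the routing table is never consulted.
    for rule in pbf_rules:
        if ((rule.src == "any" or ip_address(src) in ip_network(rule.src))
                and (rule.app is None or rule.app == app)):
            return ("pbf", rule.name, rule.egress_if, rule.next_hop)
    # 2. No PBF match: ordinary routing decides.
    route = route_lookup(table, dst)
    if route is None:
        return ("drop", "no-route", "", "")
    return ("route", route.prefix, route.egress_if, route.next_hop)


# Constructed configuration: steer SIP from the LAN over the private WAN link;
# everything else follows the routing table.
PBF_RULES = [PbfRule("voip-over-private-wan", "10.1.0.0/16", "sip", "ethernet1/2", "172.16.0.1")]
ROUTES = [
    Route("0.0.0.0/0", "ethernet1/1", "203.0.113.1"),
    Route("10.2.0.0/16", "ethernet1/3", "10.2.0.1"),
    Route("10.2.5.0/24", "ethernet1/4", "10.2.5.1"),
    Route("10.2.5.0/24", "ethernet1/5", "10.2.5.2", metric=50),   # backup path, worse metric
]

if __name__ == "__main__":
    print(forward(PBF_RULES, ROUTES, "10.1.5.5", "198.51.100.7", "sip"))           # pbf
    print(forward(PBF_RULES, ROUTES, "10.1.5.5", "198.51.100.7", "web-browsing"))  # default route
    print(forward(PBF_RULES, ROUTES, "10.1.5.5", "10.2.5.40", "ssh"))              # /24 beats /16
```

Note that the SIP flow to an internet address is sent out ethernet1/2 even though the routing table would have chosen the default route on ethernet1/1; that is exactly the "routing table is bypassed" behaviour the trap describes, and it is why an unexpected egress interface in the traffic log is a cue to check PBF before the route table.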

Concepts You Must Not Confuse

These pairs appear on nearly every exam. Learn the difference and you'll avoid the most common traps.

App-ID vs Port-Based Firewall Rules

Use App-ID when…

Identifies the actual application regardless of port, protocol, or encryption. Can detect applications using non-standard ports or tunneling through allowed protocols.

Use Port-Based Firewall Rules when…

Traditional firewall approach that allows or blocks traffic based on TCP/UDP port numbers. Cannot distinguish between different applications using the same port.

Exam trap

App-ID is the Palo Alto differentiator. A traditional firewall allowing port 443 permits ALL HTTPS traffic. App-ID on port 443 can distinguish between web browsing, Slack, Zoom, and file-sharing — and apply different policies to each.

GlobalProtect Portal vs GlobalProtect Gateway

Use GlobalProtect Portal when…

Provides the initial configuration, authentication, and gateway list to GlobalProtect clients. Users connect to the portal first to receive their VPN configuration and available gateway list.

Use GlobalProtect Gateway when…

Provides the actual VPN tunnel and enforces security policies for the remote user. After portal authentication, users connect to a gateway for secure network access.

Exam trap

Portal = configuration and authentication hub. Gateway = actual VPN tunnel endpoint. They are separate components that can be on different firewalls. Users always connect to the portal first, then the gateway.

Device Groups (Panorama) vs Templates (Panorama)

Use Device Groups (Panorama) when…

Used to push security policies, objects, and security profiles to managed firewalls. Device groups define WHAT traffic policies are enforced.

Use Templates (Panorama) when…

Used to push network configuration, device settings, and system configuration to managed firewalls. Templates define HOW the firewall is configured at the network and system level.

Exam trap

Device groups = policies and objects. Templates = network and device configuration. A firewall needs BOTH: a device group for security policies AND a template stack for network/system settings. Confusing these is a common exam mistake.

Active/Passive HA vs Active/Active HA

Use Active/Passive HA when…

One firewall actively processes traffic while the standby monitors health and takes over if the active firewall fails. Simpler to deploy and troubleshoot.

Use Active/Active HA when…

Both firewalls actively process traffic simultaneously. Provides better throughput utilization but requires more complex session synchronization and asymmetric routing handling.

Exam trap

Active/Passive is the most commonly deployed HA mode and is simpler. Active/Active provides better throughput but introduces complexity with session ownership and asymmetric traffic flows.

Source NAT vs Destination NAT

Use Source NAT when…

Translates the source IP address of outgoing traffic. Used to hide internal IP addresses behind a public IP when traffic leaves the network.

Use Destination NAT when…

Translates the destination IP address of incoming traffic. Used to redirect traffic destined for a public IP to an internal server IP.

Exam trap

On Palo Alto firewalls, security policies always use pre-NAT IP addresses but post-NAT zones. Remember: pre-NAT IP, post-NAT zone. For destination NAT, the security rule destination IP must be the ORIGINAL public IP (pre-NAT), but the destination zone is the post-NAT zone where the translated server resides.

URL Filtering vs App-ID

Use URL Filtering when…

Controls access to websites based on URL categories and specific URLs. Operates at the URL level within HTTP/HTTPS traffic.

Use App-ID when…

Identifies and controls entire applications regardless of the underlying URL or port. Operates at the application level.

Exam trap

URL Filtering and App-ID are complementary but different. App-ID identifies the application (e.g., Facebook). URL Filtering controls access to specific URL categories or individual URLs within allowed applications. Use both together for comprehensive control.

Prisma Access (SASE) vs On-Premises NGFW

Use Prisma Access (SASE) when…

Cloud-delivered network security for remote users and branch offices. Security is enforced from the cloud, closest to the user. Ideal for distributed workforces.

Use On-Premises NGFW when…

Physical or virtual firewall deployed at the network perimeter. Security is enforced at a specific location. Ideal for campus and data center environments.

Exam trap

Prisma Access extends the same security as an on-premises NGFW but delivers it from the cloud. The exam tests whether you understand when to use each approach — on-premises for fixed locations, Prisma Access for mobile users and remote sites.

Security Profiles vs Security Profile Groups

Use Security Profiles when…

Individual profiles for specific security functions: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire Analysis, and Data Filtering.

Use Security Profile Groups when…

A named collection of security profiles bundled together for easy attachment to security policy rules. Simplifies policy management by grouping commonly used profiles.

Exam trap

You can attach individual profiles OR a profile group to a security rule — but not both simultaneously. Profile groups are a convenience feature that references individual profiles.

Top Mistakes to Avoid

  • Confusing App-ID (application identification) with URL Filtering (URL-based access control) — App-ID identifies applications, URL Filtering controls website access
  • Mixing up Device Groups (policies) and Templates (configurations) in Panorama — this is the most commonly tested Panorama concept
  • Forgetting that security profiles must be attached to ALLOW rules — profiles on deny rules are never evaluated because traffic is already blocked
  • Not understanding NAT and security policy interaction: security policies always use pre-NAT IP addresses but post-NAT zones. The key rule is 'pre-NAT IP, post-NAT zone' for all NAT scenarios
  • Confusing GlobalProtect portal (configuration/authentication) with GlobalProtect gateway (VPN tunnel endpoint)
  • Thinking intra-zone traffic is denied by default — intra-zone traffic is ALLOWED by default, only inter-zone traffic is denied
  • Assuming CDSS services are included with the firewall purchase — they require separate subscription licenses
  • Not understanding the candidate vs running configuration model — changes are NOT active until committed
  • Confusing zone protection profiles (zone-level flood protection) with DoS protection profiles (destination-level rate limiting)
  • Forgetting that SSL decryption requires the firewall CA certificate to be trusted by endpoints for forward proxy mode

Exam-Ready Checklist

  • Can explain all 6 exam domains and their relative weights (16%, 18%, 18%, 19%, 15%, 14%)
  • Understand App-ID, Content-ID, and User-ID and how they work together in the single-pass architecture
  • Can configure security policies with proper source/destination zones, applications, users, and security profiles
  • Know NAT and security policy interaction: pre-NAT IP addresses, post-NAT zones. Can determine the correct security rule configuration for DNAT scenarios
  • Understand Prisma Access architecture and when to use cloud-delivered SASE vs on-premises NGFW
  • Can explain GlobalProtect portal vs gateway and configure remote access VPN
  • Know Panorama device groups vs templates and can design a management hierarchy
  • Understand all CDSS services and their specific use cases
  • Can configure and troubleshoot site-to-site IPsec VPN including IKE phases and proxy IDs
  • Know SSL decryption modes (forward proxy, inbound inspection) and certificate requirements
  • Understand high availability modes and failover behavior including preemption
  • Can explain Zero Trust principles and how Palo Alto products implement them
  • Know traffic flow through the firewall including zone evaluation, policy lookup, NAT, and content inspection
  • Scored consistently above the passing threshold on at least two full mock exams (860/1000 passing score)

Recommended Resources

Free & Official Resources

Paid Courses & Practice Exams

These are recommended if you prefer a structured learning path. They can save time but are not required to pass.

Frequently Asked Questions