PCNSE Exam Information and Outline
Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.1
PCNSE Exam Syllabus & Study Guide
Before you start practicing with our exam simulator, it is essential to understand the
official PCNSE exam objectives. This course outline serves as your roadmap.
The information below reflects the 2026 syllabus defined by Palo Alto Networks.
Below is the complete topic detail, with the latest syllabus and course outline, to give you a good knowledge of the exam objectives and the topics you have to prepare. These contents are covered in the exam's question-and-answer pool.
| Domain | Heading | Sub-heading / Topics |
|---|---|---|
| Domain 1: Core Concepts | 1.1 Identify how Palo Alto Networks products work together | Security/Firewall/Panorama components, Subscriptions, Plugins, Heatmap/BPA, AIOps, IPv6, IoT |
| | 1.2 Determine and assess appropriate interfaces or zone types | Layer 2/3, Vwire, Tap, Subinterfaces, Tunnel, Aggregate, Loopback, Decrypt mirror, VLAN |
| | 1.3 Identify decryption deployment strategies | Risks, Use cases, Decryption types, Profiles/Certificates, SSH Proxy |
| | 1.4 Enforce User-ID | Mapping methods, Agent vs Agentless, Redistribution, Group mapping, Server profiles |
| | 1.5 Determine how/when to use Authentication policy | Purpose, Dependencies, Captive portal vs GlobalProtect client |
| | 1.6 Management plane vs Data plane functions | Fundamental functions and plane differentiation |
| | 1.7 Define multiple virtual systems (multi-vsys) | User-ID hub, Inter-vsys routing, Service routes |
| Domain 2: Deploy and Configure Core Components | 2.1 Configure Management Profiles | Interface Management Profile, SSL/TLS profile |
| | 2.2 Deploy and configure Security Profiles | Security Profile Groups, URL filtering, DNS Security, Threat Prevention vs Advanced |
| | 2.3 Configure zone/packet buffer/DoS protection | Custom vs Default, Classified vs Aggregate, L3/L4 header inspection |
| | 2.4 Design deployment configuration | Advanced HA, HA Pair, Zero-Touch Provisioning, Bootstrapping |
| | 2.5 Configure authorization, auth, and device access | RBAC, Authentication methods, Auth Sequence, Device access methods |
| | 2.6 Configure and manage certificates | Usage, Profiles, Chains |
| | 2.7 Configure routing | Dynamic routing, Redistribution, Static, Route monitoring, PBF, Virtual vs Logical routers |
| | 2.8 Configure NAT | NAT/Security rules, Source NAT, No-NAT, U-Turn NAT, Session browser |
| | 2.9 Configure site-to-site tunnels | IPsec components, Static/Dynamic peers, Tunnel Monitor, GRE, Proxy IDs |
| | 2.10 Configure service routes | Default, Custom, Destination, Multi-vsys service routes |
| | 2.11 Configure application-based QoS | Enablement, QoS policy/profile, DSCP/ToS, Bandwidth control |
| Domain 3: Deploy and Configure Features and Subscriptions | 3.1 Configure App-ID | Security rules, Port conversion, Application override, Custom apps/threats |
| | 3.2 Configure GlobalProtect | Licensing, Portal/Gateway, Agent, Logon methods, Clientless VPN, HIP, Split tunneling |
| | 3.3 Configure decryption | Inbound, SSL forward proxy, Exclusions, SSH proxy |
| | 3.4 Configure User-ID | Agent/Agentless, Group mapping, VSYS redistribution, Dynamic User Groups (DUGs) |
| | 3.5 Configure WildFire | Submission/Action profiles, Verdicts, Signature actions, File types, Update schedules |
| | 3.6 Configure Web Proxy | Transparent proxy, Explicit proxy |
| Domain 4: Deploy and Configure Firewalls Using Panorama | 4.1 Configure templates and template stacks | Template components, Stack order, Overriding values, Variables |
| | 4.2 Configure device groups | Hierarchies, Pre/Post-rules, Local vs Default rules, Primary device impact |
| | 4.3 Manage firewall configurations within Panorama | Commit recovery, Backups, Dynamic updates, Log Collectors, RBAC |
| Domain 5: Manage and Operate | 5.1 Manage and configure log forwarding | Log types, External services, Tags, Monitoring, Custom reporting |
| | 5.2 Plan and execute upgrade process | Single firewall, HA pairs, Panorama push, Dynamic updates |
| | 5.3 Manage HA functions | Link/Path monitoring, HA links, Failover triggers, Active/Active vs Active/Passive, Clustering |
| Domain 6: Troubleshooting | 6.1 Troubleshoot site-to-site tunnels | IPSec, GRE, Phase 1 issues, Route vs Policy-based, Tunnel monitoring |
| | 6.2 Troubleshoot interfaces | Transceivers, LACP, Counters, Tagging |
| | 6.3 Troubleshoot Decryption | Inbound/Forward Proxy/SSH Proxy issues, Exclusions, Certificates |
| | 6.4 Troubleshoot routing | Dynamic, Redistribution, Static, PBF, Multicast, Service routes |
| | 6.5 General Troubleshooting | Logs, Packet capture (pcap), Reports |
| | 6.6 Troubleshoot resource protections | Zone Protection, DoS, Packet buffer protections |
| | 6.7 Troubleshoot GlobalProtect | Portal/Gateway, Resource access, Client issues |
| | 6.8 Troubleshoot policies | NAT, Security, Decryption, Authentication |
| | 6.9 Troubleshoot HA functions | Monitoring, Failover triggers |