Certified Network Security Engineer (CNSE) FAQ


Where do I sign up to take the exam and how much does it cost?

The CNSE exam is both hosted and proctored by a third-party testing company, Kryterion. Kryterion has testing facilities in major cities worldwide.

Sign up to take the CNSE exam at the following site: www.webassessor.com/paloaltonetworks

You can find a list of Kryterion locations at: www.kryteriononline.com/host_locations/

In most locations, the CNSE exam costs $160 USD for each exam attempt, and each attempt must be paid for by the exam taker. Note that once an exam is scheduled, the scheduled exam date cannot be changed within 72 hours (3 days) of the exam date.

What if I need to change my exam date once scheduled?

You are able to reschedule your exam date up to three days prior, but once an exam is scheduled, the scheduled exam date cannot be changed within 72 hours (3 days) of the exam date without incurring the full cost of the exam.

What are the differences between the ACE and CNSE exams?

The Accredited Configuration Engineer (ACE) exam is an accreditation exam that, once passed, indicates that an engineer understands the core features and functionality of the Palo Alto Networks firewall technologies. The ACE exam will always be tied to the .0 release of each version of PAN-OS (4.0, 5.0, etc.). It is taken over the Internet, using a common web-browser, and it is a free exam.

The Certified Network Security Engineer (CNSE) is a formal, third-party proctored certification, which indicates that those who have passed it possess an in-depth engineering level knowledge of how to install, configure, and implement Palo Alto Networks products. The CNSE exam will always be tied to the .1 release of each version of PAN-OS (4.1, 5.1, etc.). It should be taken by anyone who wishes to demonstrate a deep understanding of Palo Alto Networks technologies. This includes customers who use Palo Alto Networks products, value-added resellers, pre-sales system engineers, system integrators and varied tiers of support staff.

How many questions are there, what is the passing score, and how much time is allotted?

The exam comprises 100 multiple-choice and/or multiple-select questions. The test taker is given 2 1⁄2 hours to finish, and a 60% or greater passing score is required. Many people interpret this as a “low” passing number; however, we have tested the exam against over 100 Palo Alto Networks engineers and this passing requirement has been psychometrically gauged as an indicator of baseline product understanding. The questions are challenging and can only be correctly answered by those who possess a hands-on knowledge of the product. The test taker can revisit an exam question and modify the answer up to the point where the fixed time allotted for the exam ends. It is suggested that the exam taker utilize the entirety of this allotted time, to ensure that each question was properly answered.

Do I get a certificate after I pass?

For those who pass the CNSE exam, a numbered Certified Network Security Engineer certificate will automatically be generated and sent from Kryterion via email. In addition, all new Certified Network Security Engineers will receive a CNSE backpack.

How should I prepare for the CNSE exam?

The CNSE exam tests much more than just “book knowledge” of the Palo Alto Networks technologies. The best way to prepare for the exam is to take the Palo Alto Networks technical training courses and/or to install and use Palo Alto Networks technologies in many different “real world” environments.

To achieve a respectable passing score, Palo Alto Networks recommends at least a solid month of working with the product. The exam questions are concentrated in the following categories:

  • Administration & Management – Demonstrate an understanding of configuration management, upgrading and downgrading PAN-OS, role-based administration, configuring the management interface, customizing response pages, reporting, and using the ACC to obtain network information.

  • Network Architecture – Demonstrate an understanding of interface configuration and features, SSL and site-to-site VPN’s, Source and Destination NAT, and Virtual Routers

  • Security Architecture – Demonstrate an understanding of packet flow, zone-based security policy, SSL decryption, certificate management, and logging behaviors.

  • Troubleshooting – Illustrate knowledge of how to use the Get TechSupport file, interpret CLI commands, and evaluate firewall logs as methods for troubleshooting.

  • User Identification – Display knowledge of how to install and configure the various User Identification agents, the terminal server agent, and Captive Portal.

  • Content Identification – Demonstrate knowledge of how to configure security profiles as they relate to URL-filtering, Anti-virus, data filtering patterns, and vulnerability detection.

  • Application Identification – Display an understanding of the workings of security policy as it relates to Application ID, Application Groups, Application Filters, application dependencies, rule shadowing, and Application Override traffic.

  • Panorama – Demonstrate an understanding of how policy is created and pushed from the Panorama server, how Panorama received logging and reporting events, how objects are managed, and how device groups are created and used as targets in policy rules.

  • GlobalProtect – Display an understanding of how a GlobalProtect Agent, GlobalProtect Portal, and a GlobalProtect Gateway are configured. Understand how HIP matches are used in security rules and how clients are polled for HIP compliance.

Is there a logo I can use on my business cards?

Upon passing, you will automatically receive an email containing your numbered CNSE certificate and an EPS-format CNSE logo file for use on business cards and other customer-facing communications.