| certifications | security - Richard Bevis
4 Best Palo Alto Certs for Network Engineers
This post is the second in a series about Palo Alto Technologies, how its products are positioned in the network security landscape, and how the company's certification program affects career opportunities for certified engineers and technicians.
With the intense level of enterprise interest in cybersecurity, there's high demand for advanced network security products and services, as well as the technical staff with the credentials and experience to design, engineer, and operate them. While traditional network vendors such as Cisco, Juniper Networks, VMware, and others continue to dominate enterprise networking, Palo Alto Technologies has staked its own claim.
With a range of hardware, software, and cloud offerings, the company has now displaced Cisco as the leading network security vendor. Increasingly, we see Palo Alto firewall solutions operating in conjunction with Cisco and other vendor networks. It's not just with hardware-based networks. As software-driven networks have evolved, with virtual private networks (VPN) and software-defined wide area networks (SD-WAN), we've seen the emergence of software- and cloud-driven firewalls.
And Palo Alto leads the way with their Prisma Cloud and Cloud Access platform.
With this changing network and security landscape, enterprises are likely to expect their security and networking professionals to be proficient with both the networking technology, as well as Palo Alto security solutions. That brings us to the topic of this article, namely Palo Alto's range of certifications and which ones are most relevant for network engineers.
Palo Alto's Certification Program
Palo Alto's certification program features role-based certifications for cybersecurity professionals. The roles begin at the entry-level security associate, then move to security administrator and then security engineer. Unlike other vendor accreditation programs, Palo Alto's certs do not specify prerequisite certifications, skills, or experiences. Each one stands on its own and is earned by passing an online certification exam that is managed and proctored by Pearson VUE.
The certifications are as follows:
- Role: Security Associate
- Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)
- Role: Security Administrator
- Palo Alto Networks Certified Network Security Administrator (PCNSA)
- Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA)
- Role: Security Engineer
- Palo Alto Networks Certified Network Security Engineer (PCNSE)
- Prisma Certified Cloud Security Engineer (PCCSE)
- Palo Alto Networks Certified Security Automation Engineer (PCSAE)
Why Earn Palo Alto Certification?
If you're already working in a Palo Alto shop, then it's a no-brainer to burnish your credentials with one or more Palo Alto certs. And if your organization doesn't use Palo Alto, then you can expand your potential opportunities by earning a Palo Alto cert.
It's important to acknowledge that most people will be working in a mixed environment, with Palo Alto firewalls securing a network that uses Cisco, VMware, Juniper, or maybe a public cloud. So, if you are a network engineer or administrator, it's a good strategy to earn a Palo Alto security certification — especially if it complements your network vendor credentials.
Palo Alto Certs for Net Engineers
For the purposes of this article, we're going to focus on Palo Alto's certifications for entry-level cybersecurity technician, network security administrator, network security engineer, and cloud security engineer. With the exception of the entry-level technician, each of these certs presumes at least six months hands-on experience with Palo Alto firewalls.
Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET)
The PCCET certification is for professionals who have limited experience in the security field but are looking to add cybersecurity to their portfolio. The PCCET credential certifies that holders understand:
- Fundamentals of Cybersecurity including types of Web 2.0/3.0 applications and services, security challenges of cloud computing and Software as a Service (SaaS), denial of service attacks, advanced persistent threats, perimeter-based network security, and Zero Trust principles and architectures.
- General Networking and Connectivity Principles including the role of hubs, switches, and routers, network topologies, network firewalls, intrusion detection and prevention, unified threat management, endpoint security, identity and access management, and next-generation firewalls.
- Principles of Securing Cloud Technologies including cloud service and deployment models and cloud security challenges, data security vulnerabilities, and hybrid data center security.
- Elements of Security Operations including the essential elements of effective security operations, security information and event management (SIEM), and security orchestration, automation and response (SOAR).
Cisco's Security certification path does not have an entry-level security certification. So, if you are a network engineer with a CCNA or CCNP Enterprise and want to get some cybersecurity credibility, then start with the Palo Alto PCCET technician cert, before considering more advanced Palo Alto or Cisco security credentials. If you work in a Juniper Networks shop, then give the PCCET a miss and go straight to the entry-level Juniper Networks Certified Associate, Security (JNCIA-SEC) certification.
Palo Alto Networks Certified Network Security Administrator (PCNSA)
Our second certification is the Certified Network Security Administrator. The PCNSA is primarily targeted at security professionals who are responsible for deploying and managing Palo Alto next generation firewalls (NGFW) as part of their organization’s cybersecurity regime. Candidates for this cert would typically have two to three years of security admin experience and six months hands-on experience deploying and configuring Palo Alto firewalls.
This certification validates that the holders understand:
- Palo Alto’s Strata Portfolio of next-generation firewalls—physical, virtual, and containerized appliances—and their single-pass parallel processing architecture.
- Device Management and Services including firewall management interfaces, defining firewall configurations, dynamic updates, security zones, and configuring firewall interfaces.
- Managing Objects including creating address objects and services, using external dynamic lists, and configuring app filters and groups.
- Policy Evaluation and Management including the use of application-based security policies, configuring security policy match conditions, and implementing appropriate NAT (Network Address Translation) policies.
- Securing Traffic including creating security profiles, utilizing traffic, threat, and data logs, and using cloud DNS Security to facilitate domain-based traffic control.
Palo Alto's Network Security Administrator cert has definite value for vendor-certified network engineers and administrators. For example, for those working with Palo Alto Next-Generation firewalls in a Cisco security operations center (SOC), the PCNSA will be an excellent complement to Cisco's Cisco Certified CyberOps Associate or CyberOps Professional certifications. On the Juniper Networks front, the PCNSA is best complemented by the Certified Security Associate (JNCIA-SEC) or Specialist (JNCIS-SEC) certifications.
Palo Alto Networks Certified Network Security Engineer (PCNSE)
The third cert for network engineers is the Certified Network Security Engineer (PCNSE). This is an advanced certification for security professionals with three to five years of networking or cybersecurity experience, as well as six months or more experience deploying and configuring Palo Alto Next-Gen firewalls.
The certification validates that the certified professionals possess the knowledge and skills to design, deploy, operate, manage, and troubleshoot Palo Alto Next-Gen firewalls. Possessing a PCNSE provides assurance to hiring managers that certified individuals understand:
- Firewall Planning and Core Concepts including the security components of the PAN-OS software that drives Palo Alto next-generation firewalls.
- Deployment and Configuration of Palo Alto firewalls, including configuring management and security profiles, setup of zone protection, packet buffer protection and DoS protection, authorization, authentication, and device administration, and configuring the Wildfire malware analysis engine.
- Deploying and Configuring Firewalls using the web-based Panorama centralized management system.
- Managing and Operating Firewalls including managing and configuring security log forwarding, and setting up and operating high availability functions.
- Troubleshooting Firewall Implementations including site-to-site tunnels, physical interfaces, SSL decryption, routing, zone protection, packet buffer protection and DoS protection.
If you're already certified as a security engineer by one of the networking vendor programs, you'll find a good fit with the PCNSE. For example, Cisco's CCNP Security complements the PCNSE network security engineer accreditation. Even if you're a Cisco security expert with a CCIE Security badge, then it's worth getting the Palo Alto PCNSE certification. Similarly, there's a good match with the PCNSE for Juniper certified professional (JNCIP-SEC) and expert (JNCIE-SEC) network security engineers.
Palo Alto Networks Prisma Certified Cloud Security Engineer (PCCSE)
Our final Palo Alto certification pick for network engineers is the Prisma Certified Cloud Security Engineer (PCCSE). Prisma Cloud is Palo Alto's cloud-native security platform. Prisma Cloud is used to protect users, apps, and data across public, private, hybrid and multi-cloud environments including AWS, Azure, Google Cloud, VMware, and others.
The PCCSE cert demonstrates that the holder has the skills and knowledge to onboard, deploy and administer a Prisma Cloud security regime, including the Security as a Service (SaaS) Enterprise edition and the customer self-hosted Prisma Compute edition.
The certification validates that the holders understand:
- Installing and upgrading, including deploying and managing the Console for the Prisma Cloud Compute Edition, as well as the defenders that enforce policies.
- Instituting Visibility, Security, Compliance, and Data Security including policies, alerts, and notifications, identifying assets in a cloud account, and onboarding cloud accounts with data protection.
- Using the Cloud Workload Protection Platform including monitoring and protecting against image, host and serverless vulnerabilities, and enforcing compliance on images/containers, hosts, and container runtimes.
- Deploying Web Application and API Security including creating WAAS policies and App rules, configuring application firewall settings and exceptions, and using the WAAS runtime audit.
- Employing Dev SecOps Security including configuring policies to scan IAC (Infrastructure-as-Code) templates for misconfigurations and integrating those scans into the CI/CD pipeline.
- Performing Prisma Cloud Administration including onboarding accounts, configuring role-based access control (RBAC), and using Cloud and Compute APIs.
Because of the wide-spread enterprise adoption of cloud technologies, cloud certifications are a hot commodity with hiring managers. And given Palo Alto's popularity, the PCCSE is a highly desirable badge for candidates to hold.
As with the other Palo Alto certs we've discussed, vendor networking and security certs can be a good match to the PCCSE. Depending on the technology your organization uses, we're thinking of certs such as Amazon's AWS Certified Security – Specialty, Juniper's specialist level cloud cert (JNCIS-Cloud), Cisco's CCNP Enterprise, or either of Microsoft's Azure Security Engineer Associate or Azure Network Engineer Associate accreditations.
Palo Alto firewall solutions have become a fixture in enterprise networks alongside technologies from Cisco and other leading vendors. Not surprisingly, there's lots of value and career opportunities in holding certifications from Palo Alto and network and cloud vendors such as Cisco, Juniper Networks, or AWS! In this article, we have discussed how vendor accreditations such as Cisco's CCNA CyberOps, Juniper's Certified Security Associate, or Azure's Network Engineer can complement Palo Alto's PCCET, PCNSA, PCNSE and PCCSE certifications.
If you're already a certified network engineer and want to add Palo Alto to your credentials, then check out Keith Barker's online Palo Alto training classes. If you're new to cybersecurity, then start off with the Certified Cybersecurity Entry-level Technician (PCCET) course. Then, depending on your career plans, you could go on to the Palo Alto Networks Certified Network Security Administrator (PCNSA) or Certified Network Security Engineer (PCNSE) courses.