Palo Alto Networks: CNSE Certification, History and Future – with Michael Pawloski

by Mirek Burnejko

Palo Alto NetworksThis is an interview with Michael Pawloski from Palo Alto Networks. He is a Senior Education Engineer and at the moment, he is working on an updated release of the Certified Network Security Engineer (CNSE) certification.

In this interview you will find:

  • How to prepare to the exam and how to pass it?
  • What is the real value of the CNSE certification?
  • The history of Palo Alto Networks certifications.
  • What additional industry certification will provide value?

IT Certification Master: How long have you been working with Palo Alto Networks and what is your story?

Michael Pawloski: I joined Palo Alto Networks education department in June of 2009. I was hired as a Palo Alto Networks technical trainer and I was also tasked with spearheading the accreditation program and, ultimately, the certification program.

ICM: Could you describe the history of the Palo Alto Networks certifications?

MP: We developed the first iteration of the Palo Alto Networks ACE (Accredited Configuration Engineer) exam in 2009 and it was initially tied to the 3.0 release of PAN-OS. The ACE exam started off as a simple means of assessing our partner’s understanding of Palo Alto Networks core technologies, while we were laying the groundwork for the CNSE exam. As such, the ACE exam is a much less formal exam. It is not a proctored exam and can be taken online from your home.

In 2011, we went live with the CNSE (Certified Network Security Engineer) exam. The CNSE exam is a proper certification exam, delivered and proctored globally by Kryterion. The PAN-OS 3.1 CNSE exam has 60 multiple-choice/multiple-select questions and 120 minutes is allotted to complete the exam.

Those wishing to take either the ACE exam or the CNSE exam can self-register by accessing our education portal.

There is also a FAQ that you can access from the education website, which provides more detail about the differences between the ACE and CNSE exams.

ICM: What is the benefit for engineers with Palo Alto Networks CNSE certification? What is the benefit for employers with hiring certified engineers with CNSE or ACE?

MP: Engineers who obtain the CNSE certification can prove a deep technical knowledge of the Palo Alto Networks platform. A next-generation firewall requires a whole new way of thinking about securing your network. On an engineering and hardware level, our security engine is fundamentally different from any other firewall on the market. Proving that you know how to properly implement a Palo Alto Networks firewall, and showing that you are certified to do this, will be a key differentiator going forward. From an employer standpoint, hiring people with this certification means that you can have the confidence that a CNSE will truly know what they are doing when they integrating a Palo Alto Networks firewall into your network.

ICM: Gartner has published their 2011 Magic Quadrant for Enterprise Network Firewalls. Palo Alto Network’s firewalls were positioned as leader in 2011. Let’s talk about the future. Do you have plans for changes in the Palo Alto Networks certification system? Are you going to add additional levels, similar to the approach that Checkpoint and Cisco have employed?

MP: We are currently in this process of updating the exam from PAN-OS 3.1 to PAN-OS 4.1. We have added many new technologies since PAN-OS 3.1, such as Active/Active HA, GlobalProtect, and WildFire. We determined that the best way to properly test on the added functionality in PAN-OS 4.1 was for us to expand the exam topics, adjusting the exam from 60 questions to 100 questions. So, for now at least, we have decided to keep everything in one exam track.

ICM: Where should engineers obtain training, in order to obtain Palo Alto Networks certification? What is your best recommendation, in terms of a proper study approach? Due to the newness of the exam, are there no books or other materials for self-study?

MP: On the Palo Alto Networks education website, we provide links to our Authorized Training Partners. Approximately 60% of what is taught in our 201 and 205 classes will be reflected in the exam in some way. Although our training classes are an excellent start, the best method for preparing to take the CNSE exam is to spend as much hands-on time as you possibly can with a Palo Alto Networks firewall. Create security policies, NAT rules, set up SSL decryption, experiment with App-ID and User-ID, create site-to-site VPN’s, set up GlobalProtect, experiment with Panorama, run reports. Just get to know the box from the perspective of everyday use. We also have just released a study guide for the 3.1 CNSE; an updated version of this study guide will be made available as we take the 4.1 CNSE exam live early in 2012.

[Additional information]
The 4.1 guide will be released with the 4.1 exam in the February timeframe. We are working with releasing the 3.1 study guide on the education website. We currently distribute the study guide to partners. This will probably change going forward; we will want to encourage as many people as possible to take the exam.

ICM: What would be the biggest mistake candidates make preparing for the Palo Alto Networks certifications?

MP: This one is quite straightforward. The biggest mistake is not taking enough time to properly study for the CNSE exam. Establish a schedule for studying and determine key areas that you feel you need to understand more deeply. Read the admin guide, read white papers, access the support site, spend a lot of time working with the product. In our findings, anyone who has worked with a Palo Alto Networks firewall for at least a solid month was able to pass the exam. Also, remember that if you wish to reschedule or cancel the exam, this must be done 72 hours (3 days) prior to the scheduled exam time.

ICM: We’re talking about IT certifications. Which other certifications (besides the Palo Alto Networks CNSE) should engineers have in order to be the best of the best in the industry?

MP: Palo Alto CNSE certification is one (albeit rather crucial) component of the network security picture. Most all CNSE’s hold additional certifications with multiple vendors. Our firewall will always be integrated into heterogeneous environments, where many different technologies and companies are represented. The CISSP certification is always a nice addition to being a CNSE.

ICM: What do you think about certifications in general? Should people concentrate on one single certification that is hard to achieve, or distribute their certifications across many specialized areas?

MP: As is the case with all certifications, the ability to pass any exam should be tempered with real life experience and an understanding of the everyday realities one must face as a security engineer. I have heard many a story of someone who was hired on the strength of them having a certain certification, only to show up on the first day of work with no real knowledge needed to get the job done. Certifications are wonderful when it comes to rounding out your knowledge on a particular product or technology, but they should not be depended on exclusively.

[This is part of the Interviews with Vendors Series]