Senior Firewall Engineer – Palo Alto Networks

Senior Firewall Engineer – Palo Alto Networks

Firewall Operations and Administration

• Manage and maintain Palo Alto Networks virtual and physical firewalls, including PA-VM firewalls deployed across Azure and on-premises environments.
• Administer firewall infrastructure through Panorama, including device groups, template stacks, policy push operations, device registration, and configuration management.
• Monitor firewall health, including CPU, memory, disk usage, session utilization, throughput, HA status, and availability.
• Manage Active/Passive HA firewall pairs, document failover events, and perform post-failover verification.
• Maintain firewall administrative access, jump server connectivity, GUI access, CLI access, and access controls.
• Perform firewall clean-up, rule tuning, NAT rule rationalization, decommissioning of redundant firewall instances, and routing/interface updates.

Panorama Management

• Administer Panorama, including scheduled backups, backup integrity checks, and backup issue remediation.
• Troubleshoot Panorama operational issues such as SAML authentication failures, SSO integration issues, syslog forwarding failures, resource warnings, and configuration export failures.
• Manage Panorama disk usage, system resource capacity, device certificate requirements, and vendor escalations with Palo Alto TAC when required.
• Support syslog forwarding to Microsoft Sentinel and resolve log ingestion, duplication, and forwarding issues.

Security Policy and Configuration Management

• Implement and manage firewall security policies, NAT rules, object and service definitions, security profiles, URL filtering, application signatures, and threat prevention configurations.
• Configure and maintain East-West firewall rules for inter-agency and platform traffic flows.
• Manage ingress firewall policies, unused and shadowed rule identification, rule lifecycle management, and periodic policy optimization.
• Implement IOC-based blocking in response to SOC and threat intelligence notifications.
• Investigate anomalous traffic patterns and provide findings, remediation recommendations, and supporting documentation.
• Ensure firewall configurations align with Palo Alto best practices and security hardening standards.

Government Network and VPN Connectivity

• Design, configure, and troubleshoot Site-to-Site VPN tunnels over Government Network connectivity paths.
• Coordinate Government Network connectivity change requests from initiation through implementation, verification, and incident resolution.
• Configure firewall policies and routing for new government connectivity paths and external entity integrations.
• Maintain IPSec documentation and support technical planning with external agencies and technology partners.
• Support public IP whitelisting requests and troubleshoot VPN instability, syslog disruption, load balancer availability, and related connectivity incidents.

Web Publishing and SSL/TLS Certificates

• Support firewall configuration for web publishing requests and URL publication activities.
• Manage SSL/TLS certificate lifecycle activities, including certificate procurement, wildcard certificate renewals, certificate updates, and expiration tracking.
• Troubleshoot SSL/TLS issues involving Azure Front Door, Application Gateway, integration endpoints, and certificate mismatches.
• Coordinate certificate renewal requests and apply certificates during approved maintenance windows.
• Threat Advisory, Vulnerability, and Patch Management
• Monitor Palo Alto Networks security advisories, assess impact, and initiate required response actions.
• Evaluate critical CVEs affecting PAN-OS and prepare impact assessments, remediation recommendations, and CAB-ready change plans.
• Monitor Palo Alto threat intelligence updates and apply relevant updates to security profiles.
• Support Vulnerability Assessment activities affecting the firewall estate and follow through on remediation actions.
• Review firewall-related security incidents and alerts from Microsoft Sentinel.

• PAN-OS Lifecycle Management

• Monitor PAN-OS releases, security updates, and End-of-Life announcements.
• Plan and execute PAN-OS upgrades and content update deployments during approved maintenance windows.
• Prepare upgrade plans, including pre-checks, HA upgrade sequencing, rollback procedures, and post-upgrade validation.
• Track firewall, Panorama, and license expiration dates and coordinate renewals.
• Reporting and Documentation
• Prepare weekly firewall configuration change reports.
• Prepare monthly operational reports covering availability, incidents, changes, security posture, and performance trends.
• Prepare quarterly preventive maintenance reports covering system health, rule reviews, capacity planning, and recommendations.
• Maintain change logs, ITSM ticket updates, audit documentation, and post-incident reports.
• Document configuration changes within 24 hours of implementation.
• Vendor and Stakeholder Coordination
• Open and manage Palo Alto TAC support cases for complex technical issues.
• Provide technical logs, packet captures, troubleshooting evidence, and case updates.
• Coordinate with Microsoft Sentinel, infrastructure, government agency, connectivity, and platform teams.
• Follow formal change management processes, including technical details, risk assessments, rollback plans, and CAB approvals.
• Participate in integration planning meetings and operational governance discussions.

Required Skills and Experience

• 8–10 years of experience in network security, firewall engineering, or similar infrastructure security roles.
• Deep hands-on experience with Palo Alto Networks Next-Generation Firewalls.
• Strong experience with Panorama centralized management, including device groups, template stacks, policies, log forwarding, and software updates.
• Experience with PA-VM virtual firewalls and firewall operations in Microsoft Azure environments.
• Strong knowledge of security policies, NAT, security profiles, application-based policies, URL filtering, threat prevention, and firewall hardening.
• Experience with Palo Alto HA configurations, especially Active/Passive failover.
• Strong understanding of IP networking, subnetting, CIDR, routing, VPN tunnelling, IPSec, NAT, load balancing, and complex multi-zone environments.
• Experience configuring and troubleshooting Site-to-Site VPN connections.
• Experience with syslog forwarding, log pipeline management, and SIEM integrations, preferably Microsoft Sentinel.
• Experience responding to threat advisories, CVEs, security incidents, and vulnerability findings.
• Experience with SSL/TLS certificate lifecycle management and certificate troubleshooting.
• Strong reporting, documentation, change management, root cause analysis, and incident response skills.
• Ability to work in a structured, high-scrutiny government programme environment.
• Strong written and verbal communication skills for coordination with government stakeholders, technology partners, and vendor support teams.

Required Certifications

• Candidates must hold the following:
• Palo Alto Networks Certified Network Security Engineer — PCNSE
• At least one of the following Microsoft certifications:
• Microsoft Certified: Security Operations Analyst Associate — SC-200

Microsoft Certified: Azure Administrator Associate — AZ-104

Preferred Certifications

Job Type: Contract