Senior Firewall Engineer

Job Overview

This is a senior-level, hands-on firewall engineering role responsible for the day-to-day operations, configuration, security, and lifecycle management of the Palo Alto Networks firewall estate across a large-scale smart platform environment.

The role covers both virtualized Azure-hosted firewall infrastructure and on-premises devices, managed centrally via Panorama. The engineer acts as the primary technical authority for all firewall-related activities, working closely with infrastructure SMEs, security operations teams, network connectivity teams, and multiple stakeholders.

Key Responsibilities

1. Firewall Operations & Administration

• Administer and maintain Palo Alto Networks virtual and physical firewalls (PA-VM series) across cloud and on-prem environments
• Manage firewall infrastructure via Panorama (device groups, template stacks, policy push, device registration)
• Monitor system health (CPU, memory, sessions, throughput) and perform proactive remediation
• Maintain High Availability (HA) configurations and perform failover validation
• Manage administrative access, controls, and secure connectivity (GUI/CLI)
• Perform firewall cleanup, optimization, decommissioning, and NAT rule rationalization
• Support migration planning and firewall lifecycle changes
• Manage configuration updates including naming, interfaces, and routing

2. Panorama Management

• Administer Panorama platform, including backups and integrity checks
• Troubleshoot SSO/SAML, configuration export, syslog, and system issues
• Monitor system capacity and coordinate vendor escalations
• Manage certificate lifecycle and compliance
• Maintain log forwarding to SIEM platforms and resolve ingestion issues

3. Security Policy & Configuration

• Implement and manage security policies, NAT rules, objects, and profiles
• Configure East-West traffic rules across interconnected environments
• Optimize rule lifecycle (unused, shadowed rules, performance tuning)
• Apply threat intelligence updates and IOC-based blocking
• Configure URL filtering, application control, and security profiles
• Conduct traffic analysis and anomaly investigations
• Ensure consistency across HA pairs and adherence to best practices

4. Network Connectivity (VPN & External Integration)

• Design and manage Site-to-Site VPN tunnels
• Coordinate WAN connectivity changes and lifecycle management
• Configure firewall policies for external integrations
• Maintain IPSec documentation and support multi-party integrations
• Troubleshoot VPN instability, connectivity issues, and related incidents

5. Web Publishing & Certificate Management

• Support firewall configurations for web publishing
• Manage SSL/TLS certificate lifecycle (procurement, renewal, deployment)
• Troubleshoot certificate and secure connectivity issues
• Track and proactively renew certificates to avoid service disruption

6. Threat Advisory & Vulnerability Management

• Monitor security advisories and assess impact
• Respond to critical vulnerabilities (CVEs) and coordinate remediation
• Apply threat intelligence updates
• Support vulnerability assessments and follow-ups
• Investigate and respond to security incidents

7. PAN-OS Lifecycle & Patch Management

• Maintain lifecycle roadmap and monitor EOL announcements
• Plan and execute upgrades and patch deployments
• Prepare upgrade strategies, rollback plans, and validation steps
• Support migration planning for aging infrastructure
• Manage licensing and renewal tracking

8. Reporting & Documentation

• Produce weekly, monthly, and quarterly reports (operations, performance, security)
• Maintain configuration documentation and change logs
• Prepare post-incident reports and root cause analysis
• Ensure ITSM records are updated and audit-compliant

9. Vendor Coordination

• Manage support cases with vendor TAC
• Provide logs, diagnostics, and technical inputs
• Track escalation and resolution progress
• Implement approved fixes through change management

10. Stakeholder & Change Management

• Follow formal change management processes (CAB approvals, risk assessment, rollback plans)
• Participate in integration planning with stakeholders and partners
• Coordinate with security and monitoring teams
• Support operational reviews and governance discussions

Skills & Competencies

8–10 years of relevant experience

Bachelors degree in IT or related field

Firewall & Security

• Strong expertise in Palo Alto Networks NGFW (PA-VM)
• Experience with Panorama centralized management
• Deep understanding of security policies, NAT, and threat prevention
• Experience with HA configurations and lifecycle management
• Familiarity with cloud-delivered security (e.g., Prisma Access)

Networking

• Strong knowledge of IP networking, subnetting, CIDR, routing
• Hands-on experience with IPSec VPNs
• Understanding of NAT, load balancing, and multi-zone architectures

Security Operations

• Experience with SIEM integration (e.g., Microsoft Sentinel)
• Knowledge of vulnerability management and threat response
• Experience with IOC handling and traffic analysis
• SSL/TLS certificate management expertise

Reporting & Documentation

• Strong reporting skills for technical and business audiences
• Experience with ITSM tools, audit documentation, and change tracking
• Ability to perform post-incident reviews and capacity planning

Soft Skills

• Strong communication and stakeholder coordination
• Structured and methodical approach to operations and incident handling
• Ability to manage multiple priorities in complex environments
• Comfortable working within formal governance frameworks

Required Certifications

Network Security (Minimum 1 Required)

• PCNSE (Mandatory)
• PCNSA

Cloud / Technology (Minimum 1 Required)

• Microsoft Certified: Security Operations Analyst Associate (SC-200)
• Microsoft Certified: Azure Administrator Associate (AZ-104)
• Microsoft Certified: Azure Network Engineer Associate (AZ-700)

Preferred Certifications

• PCSAE
• ACE (Accredited Configuration Engineer)
• Microsoft Certified: Azure Solutions Architect Expert (AZ-305)
• GIAC Certified Incident Handler (GCIH)