Hardware: Palo Alto PA - 3K,5K,7K, Panorama M200, M600, Checkpoint 23000, 21000, 15000 (new hardware), 13000, 4400 Series appliances running Gaia. Checkpoint Smart appliances for Management including Provider-1/MDS. Cisco ASA 5585, Cisco ASA with firepower series 5555-x, 5525-x
Networking: OSI Layers, TCP/IP Communications, VLAN, VTP, Spanning Tree, Layer 2 redundancy protocols such as HSRP and VRRP, NTP, Dynamic routing such as BGP, OSPF, EIGRP, Virtual Routing including VRF
Security: VPN including Site to Site and remote access, AnyConnect, SSL VPN, IPsec, ISAKMP, SSL, TWO Factor Authentication, DMZ, Perimeter security, Security internal and external facing servers, LDAP zones, Business partner network setup including MPLS connectivity.
Sr. Network Security Engineer
- Deploy Palo Alto firewalls in AWS Cloud as wells as Azure Cloud and manage them using Panorama. Manage the firewall instances and assign appropriate Security Groups and NACLs to the instance and VPC respectively.
- Work on building Network Security Groups (NSG) on VNETs in Azure.
- Built Global Virtual Network Peering in Azure to connect Virtual networks across different Azure regions.
- Integrate Splunk Heavy Forwarders with Palo Alto firewalls to get the User to IP mapping information from the Domain Controllers. This was achieved over secure TLS communication with the certificates.
- Implement Captive Portal as a failsafe to the User ID deployment using Keytab files for Kerberos Authentication (Single Sign On).
- Migrate various port-based firewalls like Cisco ASA, CheckPoint to Next Generation Security firewall Palo Alto leveraging the migration tool Expedition. Use this tool to multi edit rules, convert individual device-group objects to shared objects across all the firewalls.
- Worked on building redundant AWS VPN connections with business partners in AWS Cloud. Expertise in building IKEv1/v2 VPN connections on both checkpoint and Palo Alto firewalls. Also actively worked on troubleshooting connectivity and latency problems with both IKEv1 and IKEv2 AWS VPN connections.
- Configure and deploy a datacenter in the AWS Cloud spanning Virtual Private Cloud (VPC) across multiple regions, Transit Gateway, Transit VPC (With Cisco CSR’s for VPN termination), AWS VPN connections, Instances (EC2), Public and Private Subnets, and custom third party traffic filtering (firewall) solution (Palo Alto).
- Troubleshoot complex issues in AWS Cloud environment by performing VPC traffic mirroring, analyzing flow logs, and analyzing packet captures taken on client and EC2 instances.
- Build and configure AWS infrastructure resources like S3, Route 53, Auto Scaling via Cloud Formation JSON templates and custom python scripts executed on lambda.
- Deploy and roll out Remote access VPN Solution i.e., Global Protect Client to all the Windows/MAC users across the environment successfully and troubleshoot the user issues.
- Configure Service connections from Service Connection firewalls to OnPrem firewalls to have site to site VPN connection for GPCS (GlobalProtect Cloud Services/Prisma Access) deployment.
- Deploy multiple tenants in Prisma access to provision for routing of multiple thirdparties.
- Develop documentation on end user experience when logged into Prisma access.
- Setup split routing scenarios for Skype/Microsoft teams and deploy Pre-logon using Prisma access.
- Leverage Layer7 capabilities of Palo Alto firewalls and build the firewalls with APP-ID, User-ID and advanced threat protection profiles like Anti-Virus, Anti-Spyware, Vulnerability Protection, Wildfire (SandBox environment) for Zero-day attacks.
- Work with OPSEC tools like Firemon to perform the entitlement review process to validate if a rule is being used or a user group is still required access using the firewall rules.
- Collaborate with Level2 and Level1 teams and train them on the various projects and educate them on existing projects to make the processes more efficient.
- Work on AWS Cloud Hosting environment performing the Inbound SSL Decryption to decrypt the traffic coming inbound and re-encrypt the traffic leaving the firewall.
- Installing the certificates on Application Load Balancers using ACM and adding the rules for various listeners.
- Proven ability to lead migrations from legacy equipment, including Checkpoint FW and IPS, Cisco IronPort URL, Cisco Anyconnect, and McAfee DLP, onto Confidential NGFW and using advanced features of the platform.
- Design, configure and deploy Panorama to centrally manage PA-800s and two sets of PA-5250 pairs in 2 different datacenters providing consolidated Internet and Data Center perimeter security.
- Deep understanding of virtualization / cloud solutions and how to safely integrate and secure those environments, specifically Arista and VMware NSX solutions.
- Assist / drive adoption of User-ID with both Active Directory and non-AD sources while implementing user-based policies wherever possible.
- Worked closely with EC2 infrastructure teams to troubleshoot complex issues.
- Configure and manage security groups for EC2 instances and NACLS for VPC.
- Configure Virtual Private Cloud (VPC) with both public and private subnets, NAT instances, and Elastic Load Balancers and enable latency in VPC.
- Thorough understanding of App-ID and proven ability of deploying in production environments.
- Ability to integrate with existing cybersecurity solutions including McAfee DLP and ArcSight.
- Strong understanding of SSL Decryption and how Confidential performs this on their platform.
- Expert level relationship management, communication skills and interpersonal skills to manage face to face communications daily with multiple levels of customer management and engineering staff across multiple departments within the host company in a responsible and professional fashion.
- Will be required to work with third party vendors and managed service providers
- Remain calm and show patience when faced with opposition and/or complex processes
- Expert level troubleshooting methodology to isolate and identify configuration, design, and software anomalies; ability to clearly articulate findings in written and verbal communications with development level engineering staff.
Network Security Engineer
- Firewall Policy Provisioning and troubleshooting application connectivity issues through Check Point, Cisco ASA, and Palo Alto Firewalls.
- Advanced Troubleshooting and Packet Captures on Firewalls using TCPDUMP on Check Point, CAP on Cisco ASA and debug on Palo Alto platforms.
- Firewall Policy provisioning on PAN devices using PANORAMA MGMT platform.
- Troubleshoot security policy, High Availability, Global Protect on PAN devices,
- Configuring Palo Alto Firewalls with multiple zones based on traffic segregation requirements.
- Understanding of Management Plane and Data Plane on Palo Alto NG Firewalls.
- Firewall policy optimization and rule base clean up on PAN devices using Tufin Secure Track and Algosec.
- Perform Upgrade of PAN OS on Palo Alto Firewalls from 7.x to 8.x
- Security Policy configuration and Policy administration on Palo Alto firewalls
- Configure Panorama for Shared Policy and Reporting as well as log collection.
- Configured Security groups specific to EC2 instances based on the requirements
- Work with Palo Alto IPS tweaking false positives and update the security profile configurations.
- Installation of New Security Gateways from Ground and build HA using ClusterXL
- Plan and Execute Firewall Migrations and go through high impact change windows for approval
- Check Point Licensing and deploying firewalls in the DMZ and the Perimeter
- Experience working with Smart Domain Manager in a Multi Domain Environment
- Experience with several Advanced Blades including IPS, URL Filtering, Cloud based Threat Emulation
- Build and troubleshoot IPsec B2B VPN with business partners and clients.
- Work with different types of NAT on checkpoint / Palo Alto and Cisco ASA including policy-based NAT.
- Experience working with end point protection tool Symantec (SEPM) and Crowdstrike.
- Run the power eraser on SEPM and reviewing the scan results and re-imaging the infected PC’s.