We are seeking a hands-on Network Security Engineer to operate and continuously improve our network security stack—primarily enterprise firewalls (Palo Alto, Fortinet, Cisco), secure web gateways/proxies, and site-to-site/remote-access VPNs. The ideal candidate is an operator-engineer hybrid with deep knowledge across L2–L7 security controls, strong troubleshooting skills, and proven experience in high-availability, low-latency environments. Experience supporting MAS TRM or BNM RMiT audits is highly preferred.
Operations & Reliability:
Own day-to-day operation of Palo Alto, Fortinet, and Cisco firewalls, proxies, and VPN appliances (IPSec/SSL).
Monitor and maintain HA clusters, dynamic routing (BGP/OSPF) on firewalls, and NAT/policy objects to ensure availability and performance SLAs.
Execute change management: rule modifications, NAT adjustments, SSL decryption policies, URL categories and app‑ID signatures.
Perform break/fix troubleshooting using methodical, packet‑level analysis (pcaps, flow records, session tables, global counters).
Security Engineering & Hardening:
Manage segmentation (zones, VRFs, tags), east‑west and north‑south controls, and zero-trust policy baselines.
Develop and maintain standardized security templates (objects, groups, security profiles, threat/vulnerability profiles, URL filtering, DLP where applicable).
Tune IPS/IDS, Anti‑Malware, URL filtering, WildFire/ATP, DNS Security, and sandboxing controls to reduce false positives while maintaining strong coverage.
Integrate firewalls with identity (AD/LDAP, IdP, SSO), SIEM/SOAR, PKI, and EDR/XDR telemetry to enrich detections and automate response.
Secure Remote Access & Edge:
Maintain VPN architectures (IPSec, GlobalProtect/AnyConnect/FortiClient), posture checks, MFA, split vs. full tunnel policies.
Support branch/edge (SD‑WAN) security policy application and traffic steering to on‑prem or cloud security services.
Manage proxy/SWG policies (e.g., SSL decrypt, file controls, CASB integration) and ensure compliance for web access.
Experience in Zero Trust Network Access (ZTNA) is an advantage.
Governance, Risk & Compliance:
Maintain policy standards, rule certification/recertification cycles, and least‑privilege reviews.
Ensure controls meet regulatory and industry frameworks (e.g., ISO 27001, NIST 800‑53/CSF, SOC 2, PCI DSS, MAS TRM if applicable).
Document and execute disaster recovery and BCP plans for network security platforms.
Incident Response & Continuous Improvement:
Act as an escalation point for network-security incidents; participate in RCA and corrective actions.
Build dashboards and metrics (utilization, block/allow, threat trends, latency) and drive continuous tuning.
Contribute to runbooks, knowledge base articles, and automation (e.g., Ansible, Terraform, Panorama, FortiManager, Cisco FMC APIs).