The Resident Engineer (RE) will provide expert support, analysis and research into complex problems and processes relating to deployed Palo Alto Networks equipment. The RE will function as the Palo Alto Networks products Subject Matter Expert (SME) and will interact directly with the customer’s personnel. The RE will serve as the technical expert on executive-level project teams within the customer providing technical direction, interpretation, and alternatives. As a consultant, the RE contributes to the development of new principles and concepts, works on unusually complex technical problems and provides solutions which are highly innovative and ingenious. This is a highly technical, hands-on role and the RE will be required to develop and maintain an expertise on the products and solutions deployed within the Customer’s network.
- Work full-time at the customer site.
- Analyze logs and events from the solution and provide threat analysis reports.
- Build custom security policies and application signatures.
- Interact with the Palo Alto Networks TAC to troubleshoot and diagnose cases.
- Mitigate web-based threats in a timely manner.
- Maintain the Palo Alto Networks solution and provide guidance on code upgrades, etc.
- Excellent written and verbal communication skills, with proven ability to communicate to sr. leaders and technical peers
- Minimum 2 years experience managing security solutions in large environments.
- Extensive knowledge of different security threats.
- Strong understanding of core Internet protocols and applications.
- Detailed technical experience in the installation, configuration and operation of high-end firewall appliances, ideally Palo Alto Networks products.
- Strong TCP/IP networking skills.
- Ability to effectively manage many different tasks simultaneously.
- Extensive background in internetworking, LAN, and WAN technologies required.
- PCNSE 6.x or greater
- Ability to analyze and convert existing firewall configurations from various vendors (Cisco, Juniper, CheckPoint) to Palo Alto.
- Ability to explain how the Palo Alto will behave in various circumstances related to packet processing and how the various fields of security policies interact.
- Ability to explain how Palo Alto implements various features within its security architecture.
- Things like IPS/IDS, user ID, and syslogging of pertinent data.
- Ability to configure and troubleshoot dynamic routing protocols, specifically BGP with ECMP and BFD.
- Ability to design and implement redistribution rules, export policies, and import policies that are scalable and adaptable.
- IPSec – Ability to design and configure VPNs to non-Palo Alto equipment that includes Cisco ASA, Cisco ISR/ASR, Juniper SRX, Juniper SSG/ISG, and CheckPoint.
- Knowledge of how each component within the Palo Alto threat module works.
- Ability to fine tune threat modules based on NYS ISO requirements
- Functional knowledge of how to configure all necessary subsystems required for the Palo’s to implement URL filtering. Things like captive portal, ADFS integration with SAML, user to group mappings, ssl decryption, etc.
- Requirments to fully implement URL filtering.
Ability to work independently once given adequate client information and existing design standards. Ability to provide feedback on new and existing designs based on Palo Alto’s best practices. Ability to work with NYS ITS staff to transfer operational knowledge of the Palo Alto platform. Knowledge of how to take full advantage of Panorama to synchronize common configurations across multiple systems, both physical and virtual through the use of Device Groups and Templates. Ability to research and troubleshoot any unexpected behaviors. Ability to engage TAC or Palo Alto “channels” to address any unexpected behaviors.
Client Specific Needs:
- Assist client in progressing beyond port & protocol by enabling advanced features on their PA-7050s
- Upgrade to the latest version of PAN-OS per design requirements
- Evaluate client configuration against Palo Alto Networks recommended Best Practices
- Ability to configure and manage M-500 for logging
- Experience with User-ID deployments
- Migrate from legacy Cisco ASA to new PA-820s
- Must have proven cross-functional experience with the ability to mediate between organization that have conflicting priorities