Senior Network Firewall Engineer

Top India IT organization (Work from remote)

Dombivli, Full-time, Mid Level, On-site

Job Description

L3 Senior Firewall Engineer – Firewall, IDS/IPS & DDoS

The ideal candidate will be a highly experienced firewall and network security SME capable of owning complex enterprise security infrastructure end to end. The role demands strong technical depth, disciplined change execution, and the ability to support mission-critical services in a regulated, fast-paced environment.

Role Summary

This role is responsible for designing, implementing, upgrading, and supporting enterprise network security controls across firewall, IDS/IPS, and DDoS protection platforms in complex production environments.

The engineer will serve as an SME for physical and virtual security appliances and will own change execution, fault resolution, lifecycle replacements, and operational stability across hybrid and multi-site infrastructures.

A. Roles and Responsibilities

Lead end-to-end lifecycle management of enterprise firewall, IDS/IPS, and DDoS security platforms, including planning, deployment, upgrades, migration, validation, and decommissioning.

Perform hardware refresh and replacement of end-of-support and end-of-life security appliances with minimal business disruption and validated rollback readiness. Analyze existing and target-state security architectures to ensure compatibility, performance, resilience, and compliance during upgrades and migrations. Design, configure, and optimize firewall policies, NAT, routing, VPN, and security inspection rules in line with enterprise standards and least-privilege principles.

Support multi-context and clustered firewall environments, including high availability, failover, split-brain prevention, and state synchronization validation. Plan and execute pre-change and post-change testing, including failover testing, traffic validation, security rule verification, and application reachability checks. Troubleshoot complex incidents involving connectivity, asymmetric routing, policy conflicts, VPN failures, inspection drops, IPS triggers, and DDoS event impacts.

Monitor device health, performance, and capacity, and recommend tuning actions to improve throughput, latency, and availability. Manage firmware, image, bootstrap, patch, and code upgrades across physical and virtual appliances in a controlled and auditable manner. Operate and improve DDoS mitigation controls, including threshold tuning, attack analysis, traffic baselining, and mitigation strategy validation.

Collaborate with infrastructure, cloud, application, SOC, and operations teams to support incident response and production change execution. Maintain accurate documentation for designs, runbooks, standard operating procedures, and upgrade or rollback plans. Ensure configuration governance, compliance alignment, and regular hygiene of firewall objects, object groups, unused policies, and rule recertification.

Contribute to automation and standardization efforts using scripts, templates, or workflow tools to reduce manual effort and configuration drift. Support audit evidence collection, risk assessments, and remediation actions for internal controls, client reviews, and regulatory requirements. Participate in on-call or extended support windows for major changes, production incidents, and critical remediation activities.

Engage with stakeholders and vendors to drive problem resolution, roadmap planning, and technology replacement decisions. Provide technical guidance to junior engineers and peers through reviews, mentoring, and knowledge sharing.

B. Skills Matrix

Must-Have Skills

Strong hands-on experience with enterprise firewalls, especially Cisco ASA/Firepower, Palo Alto, Fortinet, and Check Point. Deep understanding of IDS/IPS tuning, signatures, false-positive analysis, and traffic inspection behavior. Practical DDoS mitigation experience, including Arbor or equivalent platforms, threshold policy design, and attack analysis.

Strong networking fundamentals: routing, switching, subnetting, VLANs, BGP, OSPF, EIGRP, NAT, ACLs, TCP/IP, and packet analysis. Experience with high availability clusters, failover behavior, upgrade planning, rollback execution, and change control. Strong troubleshooting ability across firewall, VPN, routing, and security inspection layers.

Ability to produce clear documentation and operational handover artifacts. Experience working in ITIL-driven enterprise environments.

Good-to-Have Skills

Firewall automation or scripting using Python, Ansible, PowerShell, or similar tools.

Experience with cloud network security in Azure, including ExpressRoute and VNet integration. Exposure to AWS or GCP security controls and hybrid connectivity. Experience with proxy, WAF, Zscaler, SASE, or cloud-delivered security platforms.

Knowledge of SIEM or SOAR integration and log analytics. Exposure to container networking and security for Kubernetes or OpenShift. Experience in compliance-driven environments such as BFSI, insurance, telecom, or global shared services.

Leadership in large-scale migration programs or multi-vendor enterprise refresh initiatives.

C. Technical Competencies

Firewall policy architecture, segmentation design, and security zoning.

IDS/IPS rule governance, tuning, and incident response support. DDoS detection and mitigation architecture, including volumetric and protocol-layer attack handling. Physical and virtual appliance deployment, upgrade, migration, and compatibility validation.

Advanced routing and connectivity troubleshooting across data center and branch environments. VPN technologies such as site-to-site IPsec, remote access, tunnel monitoring, and phase negotiation troubleshooting. High availability design, failover testing, and service continuity planning.

Network traffic analysis using packet captures, logs, counters, and platform diagnostics. Security hardening, patch management, vulnerability remediation, and exposure reduction. Operational governance, CMDB accuracy, SOP creation, and change or release coordination.

Ability to work effectively across on-premises, remote site, and third-party data center environments.

D. Professional Certifications

Preferred Certifications

PCNSE for Palo Alto.

CCNP Security. Check Point CCSA or CCSE. Fortinet NSE 4, NSE 5, or equivalent.

Arbor or DDoS-related vendor training, where available. Azure networking or security certifications for hybrid-cloud alignment. ITIL Foundation for service management maturity.

E. Preferred Qualifications

Bachelor's degree in Computer Science, Information Technology, Electronics, or a related field. 8 to 16 years of relevant experience in network security or firewall engineering, with senior-level L3 support exposure. Proven experience in enterprise environments managing firewalls, IDS/IPS, and DDoS tooling across large-scale production networks.

Experience in BFSI, insurance, telecom, or similarly regulated industries is highly desirable. Strong communication, incident leadership, and stakeholder management skills. Demonstrated ability to work under pressure during major incidents, upgrades, and cutover windows.

Willingness and flexibility to undertake onsite assignments or client travel within the next six months based on business needs.

Ideal Candidate Profile

The ideal candidate will be a highly experienced firewall and network security SME capable of owning complex enterprise security infrastructure end to end. The role demands strong technical depth, disciplined change execution, and the ability to support mission-critical services in a regulated, fast-paced environment.

Posted Yesterday
