Responsibilities
- Architect and implement Cisco Secure Firewall Threat Defense (FTD) managed through Cisco Secure Firewall Management Center (FMC), covering high-availability pairs, intrusion policies backed by Snort IPS, malware defense, and both site-to-site and remote access VPNs.
- Set up and maintain Palo Alto Networks next-generation firewalls on PAN-OS, including security profiles for antivirus, anti-spyware, and WildFire, along with App-ID, User-ID, SSL decryption, and Panorama-based centralized management.
- Lead transitions from legacy firewall platforms, including migrating Cisco ASA to FTD, and support cross-vendor shifts to Palo Alto or Cisco, ensuring optimized policy translation during cutover.
- Create network segmentation strategies using firewall zones, virtual routers, VRFs, and policy-based routing to enforce least-privilege access for internal and external traffic.
- Implement cloud-native firewall solutions such as Palo Alto Cloud NGFW for AWS and Azure, and Cisco Secure Firewall Cloud Native for containerized and cloud workloads.
- Design and deploy high-availability firewall architectures, including active/standby failover, active/active clustering, and multi-context configurations for large-scale and service provider networks.
- Configure centralized logging, integrate with SIEM platforms like Splunk and Microsoft Sentinel, and enable NetFlow/IPFIX for traffic analysis, threat correlation, and compliance reporting.
- Conduct regular firewall rule base optimization, policy cleanup, and compliance audits to minimize exposure and meet standards and frameworks such as PCI DSS, HIPAA, and NIST.
- Integrate Cisco Secure Firewall with Cisco XDR to enable cross-platform threat detection, event correlation, and automated incident response.
- Automate firewall provisioning, configuration backups, and policy rollouts using infrastructure-as-code tools like Terraform and Ansible, along with vendor APIs for consistent, auditable operations.
- Deploy Cisco Identity Services Engine (ISE) for 802.1X authentication on wired and wireless networks, MAC Authentication Bypass (MAB), RADIUS-based network access control, and TACACS+ device administration across campus, branch, and data center networks.
- Develop ISE authorization policies using Security Group Tags (SGTs), TrustSec, downloadable ACLs, VLAN assignments, and Adaptive Network Control for dynamic access enforcement.
- Configure ISE profiling, posture assessment, and compliance checks to ensure endpoints meet security baselines before network access is granted.
- Integrate ISE with Cisco infrastructure and third-party network devices to ensure consistent policy enforcement across mixed environments.
- Implement ISE guest portals, BYOD onboarding, and certificate-based EAP-TLS authentication using internal or external CAs for secure device enrollment.
- Enable pxGrid integrations to share identity and session data between ISE, Cisco Secure Firewall, Splunk, and other security platforms for unified policy and threat intelligence.
- Design distributed ISE deployments with Policy Administration Nodes, Policy Service Nodes, and Monitoring and Troubleshooting Nodes to support scale, redundancy, and geographic reach.
- Perform ISE upgrades, migrations from legacy ACS systems, and advanced troubleshooting using RADIUS logs, policy traces, and packet capture tools.
- Design and deploy SASE and Zero Trust architectures for remote users, branch offices, cloud workloads, and data centers using a unified security policy model.
- Configure Zscaler Internet Access (ZIA) with Secure Web Gateway, SSL inspection, URL filtering, cloud firewall, and sandboxing, and Zscaler Private Access (ZPA) with application segments and Browser Access for clientless users.
- Deploy Palo Alto Prisma Access with GlobalProtect and explicit proxy for remote users, remote network connections for branches, and service connections to on-prem systems, managed via Strata Cloud Manager or Panorama.
- Implement Cisco Secure Access (SSE) with Zero Trust Network Access, Secure Web Gateway, Cloud Access Security Broker, and resource connectors for private app access.
- Configure Netskope Security Cloud with Next Gen SWG, CASB protections (API and inline), and Netskope Private Access (NPA) with traffic steering, real-time policies, and DLP controls.
- Use Guardicore micro-segmentation to control east-west traffic, isolate applications, and enhance workload visibility in hybrid and multi-cloud environments.
- Deploy identity-based access controls integrated with Okta, Microsoft Entra ID, SAML 2.0, and SCIM to enforce trust across SASE platforms.
Other
- We are an equal opportunity employer, and do not discriminate based on an individual's race, national origin, color, gender, gender identity, gender expression, sexual orientation, religion, age, disability, marital status, or any other protected characteristic under applicable law, whether actual or perceived.
- We embrace all candidates who will contribute to the diversification and enrichment of ideas and perspectives at AHEAD.