Senior Palo Alto Network Security Engineer (Project-Based)Location
Remote (U.S.)
Duration
Approximately 94 hours with an anticipated project completion by August 31, 2026.
Position Type
Contract (Professional Services)
Project Overview
We are seeking an experienced Senior Palo Alto Network Security Engineer to lead a production firewall remediation and operating system upgrade for a mission-critical enterprise environment.
The selected engineer will perform a controlled, zero-downtime upgrade of a High Availability Palo Alto firewall environment while diagnosing and resolving existing SAML/Single Sign-On authentication issues impacting administrative access and GlobalProtect users.
This engagement requires extensive experience performing production firewall upgrades in highly available environments where service interruption is unacceptable.
The project will be executed by a single senior engineer responsible for all planning, execution, validation, documentation, and project closeout.
Primary Responsibilities
The selected engineer will perform all technical activities required to complete the engagement, including:
Discovery & Risk Assessment
- Assess the current Palo Alto firewall environment and overall health.
- Validate High Availability (HA) configuration, synchronization, and failover readiness.
- Inventory PAN-OS versions, Dynamic Updates, GlobalProtect, plugins, and content releases.
- Export and secure running configurations, device state files, and technical support files.
- Evaluate Panorama dependencies and upgrade sequencing.
- Establish baseline performance metrics including:
- CPU utilization
- Session counts
- Throughput
- VPN utilization
- Packet buffers
- Review licensing and support entitlement status.
- Document upgrade readiness and identify technical risks.
Authentication & SSO Remediation
- Troubleshoot and resolve SAML/Single Sign-On authentication issues.
- Validate synchronization between firewalls and Identity Providers (IdPs).
- Review and update:
- IdP metadata
- Signing certificates
- Certificate chains
- Entity IDs
- Assertion Consumer Service (Client) URLs
- Group mappings
- Authentication profiles
- Analyze authentication and system logs to isolate root causes.
- Validate GlobalProtect authentication workflows.
- Configure and verify local break-glass administrative access.
Upgrade Planning
- Develop a production-ready upgrade strategy.
- Determine the appropriate PAN-OS target release.
- Validate software compatibility with:
- Panorama
- GlobalProtect
- User-ID
- Dynamic Updates
- Plugins
- Routing services
- Stage software images.
- Develop rollback procedures and recovery plans.
- Produce detailed maintenance window documentation.
- Define Go/No-Go decision points.
Production Upgrade Execution
Execute a controlled rolling upgrade of a High Availability firewall pair while maintaining uninterrupted production services.
Responsibilities include:
- Validate HA health.
- Upgrade passive firewall.
- Verify synchronization and health.
- Execute controlled failover.
- Monitor:
- Routing
- VPN connectivity
- NAT
- Production traffic
- Session stability
- Upgrade remaining firewall.
- Restore preferred HA state.
- Validate overall operational health.
Post-Implementation Validation
- Validate administrative SSO functionality.
- Validate GlobalProtect authentication.
- Test role mappings and group-based access.
- Verify HA failover behavior following upgrade.
- Compare post-upgrade performance against baseline metrics.
- Document metadata renewal procedures.
- Produce final operational acceptance documentation.
Required Qualifications
- Minimum 8 years of enterprise network security engineering experience.
- Minimum 5 years administering Palo Alto Networks next-generation firewalls.
- Demonstrated experience performing production PAN-OS upgrades in High Availability environments.
- Strong understanding of:
- Active/Passive HA
- Active/Active HA
- Session synchronization
- Failover operations
- Extensive experience with:
- GlobalProtect
- User-ID
- Dynamic Updates
- Panorama
- Experience troubleshooting enterprise SAML authentication.
- Strong knowledge of:
- SAML 2.0
- Identity Providers (Microsoft Entra ID/Azure AD, Okta, Ping, ADFS, etc.)
- Certificates
- PKI
- NTP
- Experience developing rollback strategies and production maintenance runbooks.
- Strong documentation and technical writing skills.
- Experience working within formal change management processes.
Preferred Qualifications
- Palo Alto Networks Certified Network Security Engineer (PCNSE)
- Palo Alto Certified Network Security Administrator (PCNSA)
- Experience supporting enterprise environments with 24x7 operational requirements.
- Experience with enterprise VPN environments.
- Experience supporting Federal Government or highly regulated environments.
- ITIL Foundation certification.
- Security+ CE (preferred).
Desired Technical Skills
- Palo Alto Networks Firewalls
- PAN-OS 10.x
- Panorama
- GlobalProtect
- High Availability (HA)
- SAML 2.0
- Single Sign-On (SSO)
- Microsoft Entra ID / Azure AD
- Okta
- Active Directory
- LDAP
- RADIUS
- PKI
- TLS Certificates
- NTP
- Dynamic Routing
- NAT
- VPN Technologies
- User-ID
- WildFire
- Threat Prevention
- Logging & Monitoring
- Change Management
- Disaster Recovery
- Rollback Planning
Deliverables
The engineer will be responsible for producing the following project artifacts:
- Production Firewall Assessment Report
- SSO Root Cause Analysis / Restoration Report
- Approved Upgrade & Rollback Plan
- Production Change Execution Documentation
- Post-Upgrade Validation Report
- Operational Acceptance Documentation
- Final Project Closeout Report
Required Professional Skills
- Excellent troubleshooting and analytical abilities.
- Ability to independently lead complex infrastructure projects.
- Strong verbal and written communication skills.
- Ability to perform structured root cause analysis.
- Experience supporting mission-critical production environments.
- Ability to work during scheduled after-hours maintenance windows.
- Strong organizational and documentation skills.
Pay: $140.00 per hour
Application Question(s):
- This position is only for 94 hours, are you okay with that?
- This position requires US Citizenship, do you meet this requirement?
Experience:
- Enterprise Network Security: 8 years (Required)
- Palo Alto Networks Net-Generation Firewalls: 5 years (Required)
Work Location: Remote