Logo for Marathon TS

Senior Palo Alto Network Security Engineer

Role overview

Qualifications

  • Minimum 8 years of enterprise network security engineering experience
  • Minimum 5 years administering Palo Alto Networks next-generation firewalls
  • Demonstrated experience performing production PAN-OS upgrades in High Availability environments
  • Strong understanding of SAML 2.0 and Identity Providers

Responsibilities

  • Perform all technical activities required to complete the engagement, including discovery and risk assessment
  • Troubleshoot and resolve SAML/Single Sign-On authentication issues
  • Develop a production-ready upgrade strategy including rollback procedures
  • Execute a controlled rolling upgrade of a High Availability firewall pair while maintaining uninterrupted production services

About the company

Marathon TS logo

Marathon TS

Information Technology & Services

Company details

Company typeSME
IndustryInformation Technology & Services

Your match analysis

See how your profile stacks up against this role.

We compared the job requirements to your profile to show where you're strong and where you fall short.

Job description

Senior Palo Alto Network Security Engineer (Project-Based)

Location

Remote (U.S.)

Duration

Approximately 94 hours with an anticipated project completion by August 31, 2026.

Position Type

Contract (Professional Services)

Project Overview

We are seeking an experienced Senior Palo Alto Network Security Engineer to lead a production firewall remediation and operating system upgrade for a mission-critical enterprise environment.

The selected engineer will perform a controlled, zero-downtime upgrade of a High Availability Palo Alto firewall environment while diagnosing and resolving existing SAML/Single Sign-On authentication issues impacting administrative access and GlobalProtect users.

This engagement requires extensive experience performing production firewall upgrades in highly available environments where service interruption is unacceptable.

The project will be executed by a single senior engineer responsible for all planning, execution, validation, documentation, and project closeout.


Primary Responsibilities

The selected engineer will perform all technical activities required to complete the engagement, including:

Discovery & Risk Assessment

  • Assess the current Palo Alto firewall environment and overall health.
  • Validate High Availability (HA) configuration, synchronization, and failover readiness.
  • Inventory PAN-OS versions, Dynamic Updates, GlobalProtect, plugins, and content releases.
  • Export and secure running configurations, device state files, and technical support files.
  • Evaluate Panorama dependencies and upgrade sequencing.
  • Establish baseline performance metrics including:
    • CPU utilization
    • Session counts
    • Throughput
    • VPN utilization
    • Packet buffers
  • Review licensing and support entitlement status.
  • Document upgrade readiness and identify technical risks.

Authentication & SSO Remediation

  • Troubleshoot and resolve SAML/Single Sign-On authentication issues.
  • Validate synchronization between firewalls and Identity Providers (IdPs).
  • Review and update:
    • IdP metadata
    • Signing certificates
    • Certificate chains
    • Entity IDs
    • Assertion Consumer Service (Client) URLs
    • Group mappings
    • Authentication profiles
  • Analyze authentication and system logs to isolate root causes.
  • Validate GlobalProtect authentication workflows.
  • Configure and verify local break-glass administrative access.

Upgrade Planning

  • Develop a production-ready upgrade strategy.
  • Determine the appropriate PAN-OS target release.
  • Validate software compatibility with:
    • Panorama
    • GlobalProtect
    • User-ID
    • Dynamic Updates
    • Plugins
    • Routing services
  • Stage software images.
  • Develop rollback procedures and recovery plans.
  • Produce detailed maintenance window documentation.
  • Define Go/No-Go decision points.

Production Upgrade Execution

Execute a controlled rolling upgrade of a High Availability firewall pair while maintaining uninterrupted production services.

Responsibilities include:

  • Validate HA health.
  • Upgrade passive firewall.
  • Verify synchronization and health.
  • Execute controlled failover.
  • Monitor:
    • Routing
    • VPN connectivity
    • NAT
    • Production traffic
    • Session stability
  • Upgrade remaining firewall.
  • Restore preferred HA state.
  • Validate overall operational health.

Post-Implementation Validation

  • Validate administrative SSO functionality.
  • Validate GlobalProtect authentication.
  • Test role mappings and group-based access.
  • Verify HA failover behavior following upgrade.
  • Compare post-upgrade performance against baseline metrics.
  • Document metadata renewal procedures.
  • Produce final operational acceptance documentation.

Required Qualifications

  • Minimum 8 years of enterprise network security engineering experience.
  • Minimum 5 years administering Palo Alto Networks next-generation firewalls.
  • Demonstrated experience performing production PAN-OS upgrades in High Availability environments.
  • Strong understanding of:
    • Active/Passive HA
    • Active/Active HA
    • Session synchronization
    • Failover operations
  • Extensive experience with:
    • GlobalProtect
    • User-ID
    • Dynamic Updates
    • Panorama
  • Experience troubleshooting enterprise SAML authentication.
  • Strong knowledge of:
    • SAML 2.0
    • Identity Providers (Microsoft Entra ID/Azure AD, Okta, Ping, ADFS, etc.)
    • Certificates
    • PKI
    • NTP
  • Experience developing rollback strategies and production maintenance runbooks.
  • Strong documentation and technical writing skills.
  • Experience working within formal change management processes.

Preferred Qualifications

  • Palo Alto Networks Certified Network Security Engineer (PCNSE)
  • Palo Alto Certified Network Security Administrator (PCNSA)
  • Experience supporting enterprise environments with 24x7 operational requirements.
  • Experience with enterprise VPN environments.
  • Experience supporting Federal Government or highly regulated environments.
  • ITIL Foundation certification.
  • Security+ CE (preferred).

Desired Technical Skills

  • Palo Alto Networks Firewalls
  • PAN-OS 10.x
  • Panorama
  • GlobalProtect
  • High Availability (HA)
  • SAML 2.0
  • Single Sign-On (SSO)
  • Microsoft Entra ID / Azure AD
  • Okta
  • Active Directory
  • LDAP
  • RADIUS
  • PKI
  • TLS Certificates
  • NTP
  • Dynamic Routing
  • NAT
  • VPN Technologies
  • User-ID
  • WildFire
  • Threat Prevention
  • Logging & Monitoring
  • Change Management
  • Disaster Recovery
  • Rollback Planning

Deliverables

The engineer will be responsible for producing the following project artifacts:

  • Production Firewall Assessment Report
  • SSO Root Cause Analysis / Restoration Report
  • Approved Upgrade & Rollback Plan
  • Production Change Execution Documentation
  • Post-Upgrade Validation Report
  • Operational Acceptance Documentation
  • Final Project Closeout Report

Required Professional Skills

  • Excellent troubleshooting and analytical abilities.
  • Ability to independently lead complex infrastructure projects.
  • Strong verbal and written communication skills.
  • Ability to perform structured root cause analysis.
  • Experience supporting mission-critical production environments.
  • Ability to work during scheduled after-hours maintenance windows.
  • Strong organizational and documentation skills.


Marathon TS is committed to the development of a creative, diverse and inclusive work environment. In order to provide equal employment and advancement opportunities to all individuals, employment decisions at Marathon TS will be based on merit, qualifications, and abilities. Marathon TS does not discriminate against any person because of race, color, creed, religion, sex, national origin, disability, age or any other characteristic protected by law (referred to as "protected status").

Apply once. Then go straight to the hiring manager.

After you apply, unlock the direct contact details of the people who actually make the call. A quick follow-up makes you 5x more likely to land an interview.

MR

Marcus Rivera

Chief Revenue Officer

m.rivera@company.com
linkedin.com/in/marcusrivera
Unlocked after you apply
·

Network Security Engineer Related jobs

Other jobs at Marathon TS

Premium

Reach out to the hiring manager directly.

Gain access to the contact details of the hiring managers who actually decide, and reach out to network with them directly. That, plus more when you upgrade:

  • Full match report with fit score and gaps
  • Career diagnostics on how recruiters read you
  • Curated company matches and warm intros
  • 48h early access to new roles

Cancel anytime.