
Senior Technical Consultant-Network Security at AHEAD – Chicago, Illinois

AHEAD
Chicago, Illinois, 60606, United States
Salary: $170000 - $200000
Job Function: Consultant

About This Position

AHEAD builds platforms for digital business. By weaving together advances in cloud infrastructure, automation and analytics, and software delivery, we help enterprises deliver on the promise of digital transformation.

At AHEAD, we prioritize creating a culture of belonging, where all perspectives and voices are represented, valued, respected, and heard. We create spaces to empower everyone to speak up, make change, and drive the culture at AHEAD.

We are an equal opportunity employer, and do not discriminate based on an individual's race, national origin, color, gender, gender identity, gender expression, sexual orientation, religion, age, disability, marital status, or any other protected characteristic under applicable law, whether actual or perceived.

We embrace all candidates that will contribute to the diversification and enrichment of ideas and perspectives at AHEAD.

We are seeking a Senior Technical Consultant to lead firewall, network access control, and SASE engagements across diverse enterprise environments. This role spans three core technology pillars: next-generation firewall design and deployment (Cisco Secure Firewall, Palo Alto Networks), Cisco ISE-based network access control and identity services, and SASE/Zero Trust architectures (Zscaler, Palo Alto Prisma Access, Cisco Secure Access, Netskope). The ideal candidate combines deep hands-on expertise across these platforms with strong consulting skills, owning end-to-end delivery from discovery and design through implementation, testing, and knowledge transfer. This is a client-facing role that requires the ability to lead technical workstreams, produce professional documentation, and communicate complex security strategies to both technical and executive audiences.
Key Responsibilities: Firewall
  • Design and deploy Cisco Secure Firewall Threat Defense (FTD) managed by Firewall Management Center (FMC), including high-availability pairs, threat policies (Snort IPS, malware defense, URL filtering), and both site-to-site and remote access VPN configurations.
  • Configure and manage Palo Alto Networks next-generation firewalls running PAN-OS, including security profiles (Antivirus, Anti-Spyware, Vulnerability Protection, WildFire), App-ID, User-ID, SSL/TLS decryption, and centralized management via Panorama.
  • Lead firewall migration projects including legacy Cisco ASA to FTD conversions, cross-vendor migrations (Check Point, Fortinet, Juniper to Palo Alto or Cisco), and policy translation with rule optimization during cutover.
  • Design network segmentation architectures using firewall zones, virtual routers, VRFs, and policy-based routing to enforce least-privilege east-west and north-south traffic controls.
  • Deploy cloud-native firewall solutions including Palo Alto Cloud NGFW for AWS and Azure, and Cisco Secure Firewall Cloud Native for containerized and cloud workload environments.
  • Implement firewall high availability designs including active/standby failover, active/active clustering, and multi-context deployments for service provider and large enterprise environments.
  • Configure centralized logging, SIEM integration (Splunk, Microsoft Sentinel, syslog), and NetFlow/IPFIX for traffic analytics, threat correlation, and compliance reporting.
  • Perform firewall rule base optimization, policy cleanup, and compliance auditing to reduce attack surface and align with regulatory frameworks (PCI-DSS, HIPAA, NIST).
  • Integrate Cisco Secure Firewall with Cisco XDR for cross-platform threat detection, event correlation, and automated incident response across the security portfolio.
  • Automate firewall provisioning, configuration backup, and policy deployment using infrastructure-as-code tools (Terraform, Ansible) and vendor APIs for repeatable, auditable workflows.
Key Responsibilities: Cisco ISE
  • Deploy Cisco Identity Services Engine (ISE) for 802.1X wired and wireless authentication, MAC Authentication Bypass (MAB), and RADIUS/TACACS+ device administration across campus, branch, and data center environments.
  • Design and implement ISE authorization policies including Security Group Tags (SGTs) with TrustSec, downloadable ACLs (dACLs), VLAN assignment, and Adaptive Network Control (ANC) for dynamic threat response.
  • Configure ISE profiling services, posture assessment, and compliance enforcement to provide endpoint visibility and ensure devices meet organizational security baselines before granting access.
  • Integrate ISE with Cisco network infrastructure (Catalyst switches, wireless LAN controllers, Secure Firewall) and third-party network access devices for consistent policy enforcement across heterogeneous environments.
  • Deploy ISE guest portals, BYOD onboarding workflows, and certificate-based authentication (EAP-TLS) with internal or external certificate authorities for secure device enrollment.
  • Implement pxGrid integrations to share identity and session context between ISE, Cisco Secure Firewall, Splunk, and third-party security platforms for unified policy enforcement and threat intelligence.
  • Design ISE distributed deployments spanning Policy Administration Nodes (PAN), Policy Service Nodes (PSN), and Monitoring and Troubleshooting Nodes (MnT) for scale, redundancy, and geographic distribution.
  • Perform ISE upgrades, migrations (legacy ACS to ISE), and advanced troubleshooting using RADIUS live logs, policy trace, TCP dump, and debug utilities to resolve authentication and authorization issues.
Key Responsibilities: SASE/Zero Trust
  • Design and implement SASE and Zero Trust architectures covering remote user, branch office, cloud workload, and data center connectivity use cases with a unified security policy framework.
  • Configure and deploy Zscaler Internet Access (ZIA) including Secure Web Gateway, SSL inspection, URL filtering, cloud firewall, and sandbox policies, and Zscaler Private Access (ZPA) including ZTNA application segments, App Connectors, and browser-based access.
  • Deploy Palo Alto Prisma Access including GlobalProtect remote user connectivity, explicit proxy for branch offices, and service connections to on-premises infrastructure managed through Strata Cloud Manager or Panorama.
  • Implement Cisco Secure Access (SSE) including Zero Trust Network Access, Secure Web Gateway, Cloud Access Security Broker, and resource connector deployment for private application access.
  • Configure Netskope Security Cloud including Next Gen SWG, CASB with API-enabled and inline protections, and Netskope Private Access (NPA) with traffic steering, real-time protection policies, and DLP controls.
  • Leverage Guardicore micro-segmentation for east-west traffic control, application ring-fencing, and workload visibility to complement SASE north-south protections in hybrid and multi-cloud environments.
  • Deploy identity-based access controls integrating with Okta, Microsoft Entra ID, SAML 2.0, and SCIM provisioning to enforce user and device trust across all SASE platforms.
  • Develop and maintain Zero Trust maturity roadmaps for clients, mapping current-state gaps to phased adoption plans across identity, device, network, application, and data pillars.
Architecture, Design and Documentation:
  • Lead client-facing discovery sessions, design workshops, and architecture reviews to define firewall, NAC, and SASE strategies aligned with business objectives and compliance requirements. Own the creation of High-Level Design (HLD) and Low-Level Design (LLD) documents, network diagrams, implementation runbooks, and as-built documentation for firewall, ISE, and SASE deployments.
  • Develop migration and cutover plans with rollback procedures, change management workflows, and CAB review packages.
  • Conduct knowledge transfer sessions and train client operations teams on day-2 firewall management, ISE policy administration, SASE platform operations, and incident response procedures.
  • Manage project workstreams, track milestones and deliverables, and escalate risks proactively to project and account leadership.
  • Serve as the technical escalation point for junior engineers during engagements, conducting reviews of policy configurations and providing mentorship.
  • Contribute to internal practice development including reusable templates, deployment runbooks, and automation playbooks for firewall, ISE, and SASE engagements.
Required Qualifications:
  • 7+ years of network security, infrastructure security, or security engineering experience, with at least 3 years in a consulting, professional services, or client-facing delivery role.
  • Demonstrated hands-on experience designing and deploying Cisco Secure Firewall (FTD/FMC) and Palo Alto Networks NGFW (PAN-OS/Panorama) in enterprise production environments.
  • Production experience deploying Cisco ISE for 802.1X authentication, TACACS+ device administration, and network access policy enforcement across wired, wireless, and VPN environments.
  • Production experience with at least one SASE platform (Zscaler ZIA/ZPA, Palo Alto Prisma Access, Cisco Secure Access, or Netskope) including SWG, CASB, and ZTNA configuration.
  • Strong understanding of routing protocols (BGP, OSPF, EIGRP), VPN technologies (IPsec, SSL/TLS), network segmentation, and Zero Trust architecture principles.
  • Experience with cloud platforms (AWS VPC, Azure VNet, GCP VPC) including security groups, network firewalls, and hybrid connectivity architectures.
  • Experience with identity and access management platforms (Okta, Microsoft Entra ID, SAML 2.0, SCIM) and their integration with firewall, NAC, and SASE solutions.
  • Experience integrating security platforms with SIEM (Splunk, Microsoft Sentinel), syslog infrastructure, and automation tools (Terraform, Ansible) for centralized visibility and repeatable deployments.
Preferred Qualifications:
  • CCIE Security or CCNP Security certification.
  • Palo Alto PCNSE or PCNSC certification; Zscaler ZCCA/ZCCP; Cisco Secure Access or Netskope certifications.
  • CISSP, CompTIA Security+, or equivalent industry security certification.
  • Firewall migration experience including ASA to FTD conversions and cross-vendor platform migrations with rule translation and optimization.
Why AHEAD:

Through our daily work and internal groups like Moving Women AHEAD and RISE AHEAD, we value and benefit from diversity of people, ideas, experience, and everything in between.

We fuel growth by stacking our office with top-notch technologies in a multi-million-dollar lab, by encouraging cross-department training and development, and by sponsoring certifications and credentials for continued learning.

USA Employment Benefits include:
- Medical, Dental, and Vision Insurance
- 401(k)
- Paid company holidays
- Paid time off
- Paid parental and caregiver leave
- Plus more! See https://www.aheadbenefits.com/ for additional benefits details.

The compensation range indicated in this posting reflects the On-Target Earnings (“OTE”) for this role, which includes a base salary and any applicable target bonus amount. This OTE range may vary based on the candidate’s relevant experience, qualifications, and geographic location.

$170,000 - $200,000 a year

Job Location

Chicago, Illinois, 60606, United States
