NETWORK - Firewall and segmentation

10 years

0 Lacs

Posted: 5 days ago | Platform: SimplyHired

Work Mode

On-site

Job Description

Network Segmentation Operations

  • Implement and manage segmentation across VLANs, subnets, and security zones (e.g., User, Server, OT/IoT, DMZ, Partner, PCI zones).
  • Enforce zone-based policies—least privilege, deny-by-default; maintain inter-zone matrix (who can talk to whom).
  • Execute segmentation change requests: policy updates, NAT changes, and group membership changes.
  • Maintain asset-to-zone mappings and tagging (e.g., using identity awareness / dynamic objects).
  • Validate segmentation efficacy using test plans (ping/TCP checks, app flow validation).
  • Solid understanding of TCP/IP, routing, VLANs, NAT, DNS, and VPN technologies.
  • Proven experience in Network Segmentation / Micro-Segmentation projects.
  • Experience performing Network Risk Analysis and mitigation planning.
  • Configure, deploy, and manage Check Point Next-Generation Firewalls (NGFW) and related security gateways.

Check Point Firewall Administration

  • Daily management in SmartConsole (R80.x): access policies, NAT, Application Control/URLF, IPS, Threat Prevention profiles.
  • Manage Gateways & Clusters (Gaia OS): HA status, sync, failover readiness, VPN communities.
  • Run policy verification (Hit counts, Unused/Shadowed rules, Rule order optimization).
  • Maintain objects hygiene: networks, hosts, groups, services, dynamic objects.
  • Backups & snapshots of Gaia and SmartCenter; track policy revisions.

Monitoring & Incident Handling

  • Monitor logs/SmartEvent for anomalies (deny spikes, drops, high CPU/conn table pressure).
  • First-responder for connectivity issues related to segmentation (blocked flows, NAT misconfig, asymmetric routing).
  • Perform packet captures (fw monitor, tcpdump) and interpret rule-matching logic.
  • Escalate to L3 with structured analysis (flow diagrams, rule references, timestamps, correlations).

Operational Excellence

  • Execute change windows with pre/post validation and rollback plans.
  • Keep runbooks and as-built documentation updated (zones, policies, rule intent).
  • Support audits/compliance (PCI/SOX/ISO): evidence collection, rule attestation, policy reviews.
  • Participate in rule life-cycle: request → risk review → implement → recertify → retire.

Required Skills & Experience

Technical Skills:

  • Solid understanding of segmentation concepts: VLAN, VRF, DMZ, east–west vs north–south traffic, zero-trust principles.
  • Hands-on with Check Point (R80.x): SmartConsole, Gaia CLI, policy layers, Threat Prevention, Identity Awareness.
  • Networking fundamentals: TCP/IP, routing (static/OSPF/BGP basics), NAT (hide/static), HA clustering.
  • Troubleshooting: fw monitor, tcpdump, log analysis, rule hit counts, connection table analysis.
  • Familiarity with proxy/DNS/DHCP touchpoints for segmentation changes.

Experience:

  • 7–10 years in network security operations or firewall management.
  • Exposure to enterprise-scale segmentation projects.
  • Certifications (Preferred):
    • Check Point Certified Security Administrator (CCSA) or higher.
    • CCNA/CCNP or equivalent networking certifications.
