One of the most technically rewarding projects I led at The Answer Company was the deployment and standardization of over 90 IPSec VPN tunnels across a diverse range of firewall platforms. What began as a patchwork of legacy configurations quickly evolved into a secure, automated, and fully standardized connectivity framework supporting our nationwide MSP client base.
The challenge stemmed from years of decentralized growth: clients were using firewalls from Palo Alto, Fortinet, Cisco ASA, SonicWall, Juniper SRX, and Sophos XG, each with its own quirks, firmware versions, and outdated policies.
I started with a full audit of every active tunnel and firewall, documenting firmware, topology, risk level, and performance. To bring consistency, I developed modular configuration templates per client, tested them in virtual lab environments (GNS3/EVE-NG), and validated them for encryption, authentication, NAT-T, and IKEv2 support. Pre-shared keys were securely managed through Keeper Enterprise.
Automation was key: I used Python scripts with REST APIs for FortiGate and Sophos, Ansible playbooks for Cisco ASA, and PAN-OS XML templates for Palo Alto deployments. For Juniper SRX, I scripted VPN provisioning with NETCONF/PyEZ, including dynamic routing updates. This reduced manual error, shortened deployment time, and made the system scalable.
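As an added illustration of the audit and validation step described above (this is not code from the post or from The Answer Company), the following vendor-neutral checker normalizes each tunnel's IKE/IPsec settings and flags anything short of a standard baseline, including a pre-shared key reused across clients. The Tunnel fields, the baseline values, and the sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass
# Standard every tunnel must meet (an assumed baseline, not the post's exact policy).
BASELINE = {"ike_version": 2, "min_dh_group": 14, "nat_t": True,
            "encryption": {"aes256", "aes256gcm"},
            "integrity": {"sha256", "sha384", "sha512"}}

@dataclass(frozen=True)
class Tunnel:
    # Vendor-neutral view of one tunnel after pulling it from the firewall API or CLI.
    name: str
    client: str
    ike_version: int
    encryption: str
    integrity: str
    dh_group: int
    nat_t: bool
    psk_ref: str  # vault reference/fingerprint of the PSK, never the key itself

def audit_tunnel(t: Tunnel, baseline: dict = BASELINE) -> list[str]:
    # Per-tunnel checks; an empty list means the tunnel meets the baseline.
    findings = []
    if t.ike_version < baseline["ike_version"]:
        findings.append(f"IKEv{t.ike_version} in use; baseline requires IKEv2")
    if t.encryption.lower() not in baseline["encryption"]:
        findings.append(f"weak encryption {t.encryption}")
    if t.integrity.lower() not in baseline["integrity"]:
        findings.append(f"weak integrity {t.integrity}")
    if t.dh_group < baseline["min_dh_group"]:
        findings.append(f"DH group {t.dh_group} below {baseline['min_dh_group']}")
    if baseline["nat_t"] and not t.nat_t:
        findings.append("NAT-T disabled")
    return findings

def audit_inventory(tunnels: list[Tunnel]) -> dict[str, list[str]]:
    # Cross-tunnel check on top of the per-tunnel ones: one PSK reused by several clients.
    clients_by_psk: dict[str, set[str]] = {}
    for t in tunnels:
        clients_by_psk.setdefault(t.psk_ref, set()).add(t.client)
    report = {t.name: audit_tunnel(t) for t in tunnels}
    for t in tunnels:
        if len(clients_by_psk[t.psk_ref]) > 1:
            report[t.name].append("PSK shared across clients; rotate to a unique key")
    return {name: f for name, f in report.items() if f}  # only non-compliant tunnels

# Constructed sample inventory (FortiGate, Cisco ASA and SonicWall tunnels, normalized).
SAMPLE = [
    Tunnel("acme-hq", "acme", 2, "aes256gcm", "sha384", 20, True, "psk-001"),
    Tunnel("acme-dr", "acme", 1, "3des", "sha1", 2, False, "psk-002"),
    Tunnel("globex-hq", "globex", 2, "aes256", "sha256", 14, True, "psk-001"),
]
```

Running `audit_inventory(SAMPLE)` reports the legacy IKEv1/3DES tunnel on every check and flags both otherwise-compliant tunnels for sharing one PSK across two clients.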
On the security front, I enforced strict segmentation: every tunnel had a dedicated firewall zone with application-layer restrictions, and no universal allow rules. I monitored everything centrally using Panorama, and Microsoft Sentinel, fed via syslog integration, gave us real-time visibility across platforms.
Tunnel testing included throughput benchmarks with iperf3, simulated failovers, and client-led UAT sessions. I also conducted DR testing using Azure route failovers to validate redundancy. As part of knowledge transfer, I built a SharePoint portal with full documentation, diagrams, config samples, and recorded walkthroughs for internal and client teams.
The project brought confidence and clarity to clients who relied on secure, real-time communication between their offices, applications, and data. What used to be a fragile set of VPN links became a bulletproof, scalable system that continues to serve as the gold standard today.
Whether you’re planning a cloud migration, improving security, or building a more resilient IT environment, I’m here to help.