Seasoned Network Engineer Seeking Flexible Remote Role

Location:
Minneapolis, MN
Salary:
2000/weekly
Posted:
November 13, 2025


Resume:

Amintha Ratnayake

651-***-****

*******.*********@*****.***

OBJECTIVE

Principal Network Engineer with 20+ years of experience designing, securing, and automating enterprise-scale networks across healthcare, finance, and cloud environments. Expert in Zscaler ZIA/ZPA, Secure Web Gateway (SWG), and cloud security integrations with Palo Alto, Cisco, and F5. Skilled in Zero Trust, DNS/proxy architectures, automation (Python, Ansible, Jinja2), and hybrid cloud networking (AWS, Azure). Proven leader in delivering secure, policy-driven, and compliant network transformations.

EXPERIENCE

OMP Networks, Irving, TX (remote) – Sr. Network Engineer

January 2018 – PRESENT

Utilized Panorama to implement new Palo Alto policies leveraging Templates, Stacks, Device Groups, EDLs, DAGs etc.

Assessed and optimized enterprise Zscaler ZIA (SWG) deployment, performing configuration reviews, policy tuning, and remediation aligned to best practices.

Designed and deployed Zscaler Private Access (ZPA) for secure remote connectivity to private applications, integrating identity-based access controls and SSO via Azure AD.

Implemented and validated Zscaler DLP policies and SSL inspection for compliance-driven traffic inspection across SaaS and web workloads.

Collaborated with InfoSec to define ZIA policy frameworks, integrating threat intelligence feeds, custom URL categories, and user-based policy enforcement.

Leveraged Zscaler API and Python automation to audit configurations and generate compliance reports across global tenants.

Designed and deployed enterprise Cisco ACI fabrics, integrating multi-pod VXLAN EVPN deployments with Nexus 9K platforms to support scalable, secure, and automated data center connectivity.

Architected and automated Cisco ACI multi-site fabric deployment, integrating on-prem and cloud workloads using APIC REST APIs and Ansible playbooks to enforce standardized contracts, EPG mappings, and Zero-Trust segmentation policies across data centers.

Project-managed complex LAN/WAN initiatives, coordinating implementation schedules, stakeholder communications, and training sessions for internal network teams.

Served as principal point of contact for vendor and carrier escalations, providing expert input on design validation, SOW reviews, and deployment readiness assessments.

Led end-to-end security architecture reviews and threat modeling for new data center and cloud integrations, aligning with MITRE ATT&CK and NIST CSF frameworks to identify control gaps and define compensating safeguards.

Led cross-functional security troubleshooting and validation of network segmentation policies across on-prem and cloud infrastructures, ensuring Zero Trust and SSE alignment for global M&A integration efforts.

Integrated IDS/IPS and network security monitoring tools (e.g. Zeek, Suricata, Log Analytics) with firewall and routing infrastructure to detect anomalous traffic and automate alerts for security violations.

Owned SD-WAN (Meraki/Viptela) lifecycle—architecture, migration, and cost optimization—reducing WAN spend 30% while maintaining 99.9% uptime.

Designed and implemented multi-tenant SD-WAN architecture integrating Palo Alto and Viptela fabrics, leveraging dynamic path selection and API-driven QoS policy orchestration to ensure deterministic performance and seamless cloud on-ramp connectivity across 100+ sites.

Implemented and maintained F5 BIG-IP appliances, developing iRules, health monitors, and SSL offload configurations for global web and application load-balancing.

Developed and automated network operations use cases leveraging Ansible, Python, JSON, and Jinja2 for configuration compliance and drift detection across multi-vendor environments.

Integrated AWS and Azure networking services, including VPC peering, Direct Connect, ExpressRoute, and hybrid routing using BGP to interconnect on-prem and cloud workloads.

Developed and maintained automation frameworks using Python and Ansible to drive configuration certification, feature validation, and production-grade MOPs, enabling consistent deployment, rapid scale-out, and advanced fault resolution in high-capacity, global network fabrics.

Led the design and validation of secure, cloud-integrated routing architectures connecting global data centers with AWS and Azure, leveraging BGP, ExpressRoute, and Direct Connect to ensure high availability, fault isolation, and compliance with enterprise security standards.

Collaborated with cloud engineering and security teams to integrate Palo Alto, Zscaler, and AWS/Azure security controls, enhancing network segmentation, visibility, and Zero Trust policy enforcement across hybrid cloud environments.

Led cross-team engineering standards initiative, defining change-management and deployment governance while mentoring junior engineers.

Served as Tier-3/Tier-4 escalation resource for high-severity incidents and performance degradation, performing RCA, coordinating cross-team response, and implementing post-incident corrective actions.

Led vendor and partner engagements for WAN, firewall, and data-center initiatives — defined technical scopes, validated deliverables, and created supporting network documentation (topology diagrams, device inventories, and change logs) to ensure compliance and audit readiness.

Led cross-functional initiative to standardize Cisco ISE-based network access control and wireless configurations across enterprise sites, enhancing visibility, authentication consistency, and Zero-Trust enforcement.

Automated incident response and policy enforcement workflows using Python and Ansible playbooks tied into SIEM alerts, reducing time-to-containment and enhancing detection coverage across hybrid cloud and on-prem environments.

Developed CLI-based Arista configuration templates and automation hooks via eAPI for rapid provisioning and policy consistency.

Worked extensively with ASA 5585s in both CLI and ASDM to implement rule sets and AnyConnect VPN.

Performed detailed troubleshooting with ASAs utilizing Packet Tracer and Packet Capture to figure out dropped traffic.

Built integrated monitoring with vManage APIs, SolarWinds, PRTG, and NetFlow to detect and auto-remediate anomalies proactively.

Implemented and supported F5 VIPs, pools, iRules, and persistence policies for load balancing and HA services.

Designed and validated next-generation data center architectures leveraging Cisco ACI and Arista EOS, integrating VXLAN EVPN fabrics and CloudVision for automated telemetry, centralized policy enforcement, and high-throughput scalability.

Partnered with Cybersecurity and IT operations teams to implement vulnerability management and continuous threat-monitoring pipelines, integrating NIST CSF and CIS Controls for proactive risk mitigation and compliance validation.

Familiar with InfiniBand interconnects and Nvidia UFM for GPU-cluster networking.

Configured basic AWS VPC, Direct Connect and Azure ExpressRoute networks and worked with the server team to troubleshoot network connectivity from on-premises to the cloud environment.

Implemented Collapsed Core and Catalyst 9300s as IDF switches for larger branch offices.

Configured Cisco 4300/4400/8300 series ISRs to support MPLS with eBGP with route maps and prefix lists.

As part of a new standard, implemented summarization at the WAN edge via BGP and redistributed BGP into OSPF internally in an Area 0 configuration.

Created new standard for dedicated data and voice VLANs for each IDF stack so that trunking was simplified and avoided STP issues related to VLAN sprawl.

As part of an M&A tech refresh, performed rip and replace of all legacy routers and switches to be compliant with the new standards. This involved procuring new hardware, staging, parallel build/migrate and Re-IP of DHCP scopes and static devices.

Mentored junior network engineers, leading technical training and documentation sessions on routing, firewalling, and automation best practices.

Implemented proactive network reliability and continuous-improvement testing programs for WAN and optical infrastructure, automating validation of throughput, latency, and failover performance to reduce incident recurrence and enhance operational resilience.

Developed technical documentation including detailed topology diagrams, design standards, and network operational runbooks to support cross-team collaboration and audit compliance.

Evaluated Firepower and FMC in the proof-of-concept lab environment along with Palo Alto but decided to standardize on Palo Alto.

Utilized Infoblox for managing IPAM, DHCP and DNS throughout the enterprise.

Hennepin Health Care – Minneapolis, MN - Network Engineer

June 2005 – January 2018

Configured B2B IPsec VPNs between hospitals along with rule sets to allow traffic.

Provided Tier-4 escalation and mentorship to junior engineers and NOC staff, ensuring timely issue resolution and skills development in routing, switching, and firewall domains.

Supported secure network infrastructure for mission-critical clinical applications in a HIPAA-regulated environment, ensuring data privacy and compliance.

Designed network segmentation and ACL policies tailored to electronic medical records (EMR) systems and connected medical devices.

Designed IP Addressing scheme for Infoblox including DHCP and IPAM for all sites in a HA configuration.

Assisted in early-stage exploration of Arista platforms for IDF refreshes, validating features like MLAG and VXLAN capabilities in a healthcare environment.

Cross-compared Arista and Cisco for cost-efficiency, reliability, and compliance in multi-vendor data center scenarios.

Built proof-of-concept lab using Arista EOS to test high availability and performance of healthcare-critical workloads under failover conditions.

Created VIPs, Pools, Health Checks, SNAT, Auto Map and basic iRules on F5 platforms.

Migrated from ASA to Palo Alto 5000 series HA devices for greater next-gen features.

Troubleshot day-to-day issues that were escalated from Tier 1 and Tier 2 support from a route/switch and security perspective.

Spearheaded SD-WAN pilot integrating Cisco ISR edge routers with dynamic path selection and QoS optimization, improving reliability and performance for mission-critical EMR traffic between data centers and remote clinics.

Collaborated on early-stage Cisco ACI proof-of-concept deployment, validating EPG segmentation and policy-based microsegmentation to enhance HIPAA compliance and isolate medical device networks within the data center.

Utilized SolarWinds for SNMP-based management and reporting of all network devices.

Implemented Nexus 7k, 5k and 2k top of rack within the Data Center for all server connections.

Supported the OTV configuration to extend layer 2 over Layer 3 between data centers.

Migrated from T1s to higher bandwidth MPLS at all remote sites along with newer 2800 and 3800 series ISRs with BGP at the MPLS edge and EIGRP internally.

Staged all switches including 6500 Core Switches in HA with HSRP running OSPF.

Created detailed configuration templates for site standards so that configurations could be rolled out seamlessly and in a consistent manner.

Upgraded Supervisor and Line cards on 6500s to SUP720 and 6700 series line cards for both copper and SFP connections to 3750 and 3850 IDF Switches.

Hennepin County Medical Center – Minneapolis, MN - Network Technician

May 2001 – June 2005

Converted from an ATM and Token Ring network to 10/100 for users and 1GB for server Ethernet network. This included coordinating the end user devices swapping out NICs etc.

Implemented Cisco 4500 and Cisco 5500 chassis in a Core, Distribution, Access model architecture.

Performed day to day management and administration of print servers and printers.

Administered and managed Microsoft DHCP, DNS, Active Directory related functions.

Managed rule sets and updated changes on Checkpoint firewalls utilizing the Provider-1 GUI.

Configured ASA 5500 Client VPN with Cisco VPN Client with client pools for internal and contractors.

Migrated from Cisco 5500 with RSMs to Cisco 6509s with SUP1, later SUP2 for better performance.

Managed print servers, drivers and supported printers on Windows NT 4.0 and Windows 2000 server.

Documented all circuits and site contacts in a centralized location so that logistics of troubleshooting and escalating to site contacts was simple.

Standardized circuit orders, QoS parameters, BOMs, IPAM so that all provisioning and orders were consistent.

Designed VPN business partner onboarding form to simplify capturing of all needed information such as Peer IP, encryption, encryption domain etc.

CERTIFICATIONS

Cisco Certified Network Associate (CCNA) – Routing and Switching

Cisco Certified Network Professional (CCNP) – Enterprise

Cisco Certified Internetwork Expert (CCIE) – Routing and Switching (written)

Certified Information Systems Security Professional (CISSP-in progress)

EDUCATION

Brown College, Graduated 2000

Management Information Systems


