Network Engineer

Lesaka Technologies Inc.

Purpose of the Role

Own the day-to-day operation, security, and evolution of the division's network infrastructure across data centre, cloud, and office environments. With the data centre consolidation complete, the focus of this role is refining, securing, and upgrading the established network estate — managing change control, firewall and VLAN changes, office LAN infrastructure, and Azure cloud networking in a regulated fintech environment where availability directly affects customer transactions.

Key Responsibilities

Change Management & Network Operations (primary focus)

  • Manage and execute network change controls end-to-end: raise, document, and implement firewall policy changes and switch VLAN changes through the formal CAB process, with implementation and rollback plans.
  • Configure, maintain, and troubleshoot enterprise firewalls (Fortinet FortiGate, including HA pairs, VIP/NAT policy design, VPN, and advanced session-level diagnostics).
  • Operate core and access switching (Aruba CX, including VSF stacking, VLAN design, and trunking) across the data centre estate.
  • Manage L2/L3 routing and segmentation across production, DMZ, and PCI-scoped network zones.
  • Operate dynamic routing with upstream carriers and peers — OSPF adjacencies with ISP-provided links and BGP where applicable — including route filtering, redistribution, and failover behaviour.
  • Coordinate with ISPs, carriers, and colocation providers on links, cross-connects, and circuit changes.

Office LAN & Edge

  • Own the LAN in the new office building: Ubiquiti (UniFi) switching, wireless, VLAN segmentation, and the perimeter firewalls serving the site.
  • Maintain secure connectivity between the office environment, data centre estate, and cloud.

Cloud Networking (Azure)

  • Design and manage Azure networking: VNets, subnets, NSGs, route tables, and VPN gateways.
  • Implement and maintain VNet peering, including cross-tenant peering between Azure tenants.
  • Maintain hybrid connectivity (site-to-site VPN / ExpressRoute) between on-premises and Azure environments.

Network Refinement & Lifecycle

  • Refine and harden the post-consolidation network: firewall rule-base reviews and cleanup, segmentation improvements, and redundancy testing.
  • Plan and execute firmware and OS upgrades across firewalls and switches, including after-hours change windows.
  • Produce and maintain network documentation: diagrams, IP address management, standards, and runbooks.

Security & Compliance

  • Maintain network controls that support PCI-DSS and SOX compliance: segmentation, firewall rule hygiene and review, access control, and audit evidence.
  • Support internal and external audits, vulnerability remediation, and security tooling integration (Zero Trust access, logging, and monitoring platforms).

Monitoring & Incident Response

  • Maintain network monitoring, alerting, and dashboards; drive root-cause analysis on network incidents rather than symptom-level fixes.
  • Participate in the team's weekly standby rotation and respond to Sev 1/Sev 2 incidents within agreed SLAs.

Technical Environment

  • Firewalls & security: Fortinet FortiGate (HA pairs), pfSense, Netskope Zero Trust, RADIUS.
  • Switching: Aruba switching (VSF stacks) in the data centres; Ubiquiti (UniFi) switching and wireless in the office environment; multi-vendor fibre optics (SFP/SFP+).
  • Routing & connectivity: OSPF peering with upstream carriers, BGP, 10Gb metro fibre backhaul, multiple ISP relationships, data centre cross-connects, site-to-site and remote-access VPN.
  • Cloud networking: Microsoft Azure — VNets, cross-tenant VNet peering, NSGs, VPN gateways, hybrid connectivity to on-premises.
  • Compute: VMware vSphere/vSAN clusters on-premises alongside Azure IaaS.
  • Monitoring & tooling: SolarWinds, Grafana, syslog/log aggregation, packet capture and flow analysis.
  • Governance: PCI-DSS and SOX regulated environment, Jira-based change and incident workflow, formal CAB.

Requirements

Essential

  • 5+ years of hands-on network engineering experience in production environments.
  • Strong Fortinet FortiGate experience: policy design, NAT/VIP, HA, VPN, and CLI-level troubleshooting (debug flow, packet sniffing, session diagnostics).
  • Working knowledge of dynamic routing protocols — OSPF and BGP — including configuring and troubleshooting adjacencies/peering with upstream providers.
  • Solid enterprise switching experience (Aruba CX preferred; comparable HPE/Cisco experience considered) including VLANs, trunking, spanning tree, and stacking.
  • Azure networking experience: VNets, subnets, NSGs, VPN gateways, and VNet peering (cross-tenant peering an advantage).
  • Deep TCP/IP fundamentals — able to read packet captures and diagnose complex issues such as asymmetric routing, MTU problems, and session handling.
  • Experience working in a regulated or compliance-driven environment (PCI-DSS, SOX, or similar) with formal change control — comfortable owning changes through a CAB process.
  • Own transport and willingness to travel between office and data centre sites in Gauteng, including occasional after-hours change windows.

Advantageous

  • NSE4/FCP (Fortinet), Aruba/HPE certification, or CCNP-level networking certification.
  • Ubiquiti/UniFi experience (switching, wireless, and controller management).
  • Scripting or automation experience (Python, PowerShell, or API-driven network configuration).
  • Physical data centre experience: racking, structured cabling, and fibre handling.
  • Fintech, banking, or payments industry background.

Personal Attributes

  • Works independently and takes ownership — comfortable being the network authority on a small, multi-skilled team.
  • Methodical under pressure: production cutovers and Sev 1 incidents require calm, evidence-driven troubleshooting.
  • Clear documenter and communicator — vendors, auditors, and non-network colleagues all rely on this role's output.
  • Team fit matters: the team is close-knit and collaborative, and mentors junior engineers as part of daily work.

Success Measures – First 12 Months

  • Owning firewall and VLAN change controls end-to-end through CAB within the first 3 months, with a clean implementation record.
  • Independent ownership of network-related standby incidents within the first 3 months.
  • Post-consolidation hardening delivered: firewall rule-base review and cleanup, and a firmware upgrade cycle across firewalls and switches, within the first 12 months.
  • Network estate fully documented (diagrams, IPAM, standards) within the first 6 months.
  • Zero audit findings attributable to network change control or segmentation gaps.