Claude 1

sophos-xgs-ansible/QUICKSTART.md

@@ -0,0 +1,137 @@
+# Sophos XGS Ansible - Quick Start Guide
+
+Get up and running with Sophos XGS firewall automation in 10 minutes.
+
+## Step 1: Prerequisites Check
+
+Ensure you have:
+- [ ] Ansible 2.14+ installed
+- [ ] Python 3.8+ installed
+- [ ] Network access to your Sophos XGS firewalls on port 4444 (HTTPS)
+- [ ] Admin credentials for each firewall
+
+```bash
+# Check versions
+ansible --version
+python3 --version
+```
+
+## Step 2: Install Dependencies
+
+```bash
+cd sophos-xgs-ansible
+ansible-galaxy collection install -r collections/requirements.yml
+```
+
+## Step 3: Configure Your First Firewall
+
+Edit `inventory/hosts.ini`:
+
+```ini
+[sophos_firewalls]
+my-firewall ansible_host=192.168.1.1
+```
+
+Create `inventory/host_vars/my-firewall.yml`:
+
+```yaml
+---
+sophos_mgmt_host: "192.168.1.1"
+sophos_api_username: "admin"
+sophos_api_password: "YourPassword"  # Use vault in production!
+
+sophos_hostname: "my-firewall"
+sophos_location: "office"
+
+# Minimal config - interfaces
+sophos_interfaces:
+  - name: "Port1"
+    zone: "WAN"
+    mode: "dhcp"
+    enabled: true
+
+  - name: "Port2"
+    zone: "LAN"
+    mode: "static"
+    ip_address: "10.0.0.1"
+    netmask: "255.255.255.0"
+    enabled: true
+```
+
+## Step 4: Test Connection
+
+```bash
+# Test connectivity and authentication
+ansible-playbook -i inventory/hosts.ini site.yml --tags validation --limit my-firewall
+```
+
+## Step 5: Apply Configuration
+
+```bash
+# Dry-run first (safe!)
+ansible-playbook -i inventory/hosts.ini site.yml --limit my-firewall --check
+
+# Apply for real
+ansible-playbook -i inventory/hosts.ini site.yml --limit my-firewall
+```
+
+## Step 6: Secure Credentials (Production)
+
+```bash
+# Encrypt sensitive host_vars
+ansible-vault encrypt inventory/host_vars/my-firewall.yml
+
+# Run playbook with vault
+ansible-playbook -i inventory/hosts.ini site.yml --ask-vault-pass
+```
+
+## Next Steps
+
+1. **Add more firewalls**: Copy `my-firewall.yml` to create more host_vars files
+2. **Configure VLANs**: Add `sophos_vlans` to your host_vars
+3. **Setup DHCP**: Add `sophos_dhcp_servers` to your host_vars
+4. **Add firewall rules**: Define `sophos_firewall_rules`
+5. **Setup VPNs**: Configure `sophos_site_to_site_vpns`
+6. **Import baseline WAF**: Run `baseline_import.yml` if you have an existing WAF setup
+
+## Common Commands
+
+```bash
+# Configure only network settings
+ansible-playbook -i inventory/hosts.ini site.yml --tags network
+
+# Configure only firewall rules
+ansible-playbook -i inventory/hosts.ini site.yml --tags firewall
+
+# Configure specific firewall
+ansible-playbook -i inventory/hosts.ini site.yml --limit fw-branch1
+
+# Dry-run (check mode)
+ansible-playbook -i inventory/hosts.ini site.yml --check
+
+# Import baseline WAF config
+ansible-playbook -i inventory/hosts.ini baseline_import.yml
+```
+
+## Troubleshooting
+
+**Cannot connect to firewall:**
+```bash
+# Test basic connectivity
+ping 192.168.1.1
+nc -zv 192.168.1.1 4444
+```
+
+**Authentication failed:**
+- Verify credentials in host_vars
+- Check if API access is enabled on the firewall
+- Verify user has admin privileges
+
+**Getting help:**
+- Review `README.md` for full documentation
+- Check `group_vars_schema.md` for all variable options
+- Review role tasks in `roles/*/tasks/main.yml`
+
+---
+
+**You're ready to go!** Start small with one firewall, then scale to your entire fleet.