This commit is contained in:
Jake Kasper
2025-12-09 09:33:48 -06:00
parent 228174e541
commit 4f1e8d3add
55 changed files with 4345 additions and 0 deletions


@@ -0,0 +1,128 @@
---
# ============================================================================
# Global Variables for All Sophos XGS Firewalls
# ============================================================================
# This file contains default values applied to ALL firewalls in the inventory.
# These can be overridden in group_vars/sophos_firewalls.yml or in individual
# host_vars files.
#
# Author: Network Automation Team
# ============================================================================
# ============================================================================
# API Connection Settings
# ============================================================================
# Management port (Sophos XGS default is 4444, web interface is 443)
sophos_mgmt_port: 4444
# SSL certificate validation (set to false for self-signed certs in lab)
sophos_validate_certs: false
# API timeout in seconds
sophos_api_timeout: 30
# Enable/disable logging of sensitive data (passwords, API keys)
sophos_no_log_sensitive: true
# Retry settings for API calls
sophos_api_retries: 3
sophos_api_retry_delay: 5
# ============================================================================
# Execution Control
# ============================================================================
# Serial execution limit (number of firewalls to configure simultaneously)
sophos_serial_execution: 5
# Feature toggles (can be disabled to skip entire roles)
sophos_manage_network: true
sophos_manage_firewall_rules: true
sophos_manage_site_to_site_vpn: true
sophos_manage_remote_access_vpn: true
sophos_manage_waf: true
sophos_manage_device_access: true
sophos_manage_snmp_logging: true
# Automatically save configuration after changes
sophos_save_config: true
# ============================================================================
# Global Network Settings (defaults)
# ============================================================================
# Default DNS servers (can be overridden per firewall)
sophos_default_dns_servers:
- 8.8.8.8
- 8.8.4.4
# Default NTP servers
sophos_default_ntp_servers:
- 0.pool.ntp.org
- 1.pool.ntp.org
- 2.pool.ntp.org
# Default timezone
sophos_timezone: "America/New_York"
# Default MTU
sophos_default_mtu: 1500
# ============================================================================
# Global Security Settings (defaults)
# ============================================================================
# Default firewall rule logging
sophos_default_rule_log: true
# Default firewall rule action
sophos_default_rule_action: "deny"
# Default VPN encryption settings
sophos_default_ike_encryption: "aes256"
sophos_default_ike_hash: "sha256"
sophos_default_ike_dh_group: 14
sophos_default_ike_lifetime: 28800
sophos_default_ipsec_encryption: "aes256"
sophos_default_ipsec_hash: "sha256"
sophos_default_ipsec_pfs_group: 14
sophos_default_ipsec_lifetime: 3600
# ============================================================================
# Global SNMP Settings (defaults)
# ============================================================================
sophos_snmp_enabled: true
sophos_snmp_version: "v2c"
sophos_snmp_community: "public" # CHANGE THIS IN PRODUCTION
sophos_snmp_location: "Data Center"
sophos_snmp_contact: "netadmin@example.com"
# ============================================================================
# Global Logging Settings (defaults)
# ============================================================================
sophos_logging_enabled: true
sophos_logging_facility: "local0"
sophos_logging_severity: "informational"
# Default syslog servers (can be extended per firewall)
sophos_syslog_servers:
- host: "10.0.0.100"
port: 514
protocol: "udp"
# ============================================================================
# CI/CD and Version Control
# ============================================================================
# Configuration version (increment when making breaking changes)
sophos_config_version: "1.0.0"
# Tags for resource tracking
sophos_default_tags:
managed_by: "ansible"
project: "sophos-xgs-automation"
environment: "production"
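Review bot: `sophos_validate_certs: false` is the fleet-wide default in the API Connection Settings stanza, so every management session (the one that carries `sophos_api_password` or `sophos_api_key`) is opened without verifying the XGS certificate; the comment scopes this to lab self-signed certs, but this file applies to every host in the inventory. Make the secure value the default and override it on the lab hosts instead: `sophos_validate_certs: true`. In the same stanza family, `sophos_snmp_community: "public"` under Global SNMP Settings is a well-known default while `sophos_default_tags` in this same file declares `environment: "production"`; either ship no global community string (forcing a vaulted per-host value) or move the default to SNMPv3 so the string is not sent in cleartext. The rendered page has dropped the original indentation, so nesting here is inferred from key order.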


@@ -0,0 +1,135 @@
---
# ============================================================================
# Sophos XGS Baseline WAF Configuration
# ============================================================================
# This file was automatically generated by the baseline_import.yml playbook
#
# Source: fw-baseline (192.168.1.10)
# Exported: 2025-12-09T10:30:00Z
# Exported by: ansible
#
# This configuration serves as the baseline WAF configuration for all
# firewalls in the fleet. Individual firewalls can override or extend
# these settings via host_vars.
#
# DO NOT EDIT THIS FILE MANUALLY - regenerate using baseline_import.yml
# ============================================================================
_metadata:
description: Baseline WAF configuration imported from fw-baseline
exported_by: ansible
export_timestamp: '2025-12-09T10:30:00Z'
source_firewall: fw-baseline
source_ip: 192.168.1.10
version: '1.0'
# ============================================================================
# WAF Backend Servers
# ============================================================================
sophos_waf_backends:
- health_check: true
host: 10.100.1.50
name: app-server-01
port: 8080
protocol: http
- health_check: true
host: 10.100.1.51
name: app-server-02
port: 8080
protocol: http
- health_check: true
host: 10.100.2.50
name: api-server-01
port: 8080
protocol: http
# ============================================================================
# WAF Protection Policies
# ============================================================================
sophos_waf_policies:
- allowed_methods:
- GET
- POST
- HEAD
block_common_attacks: true
file_upload_limit_mb: 100
max_url_length: 4096
mode: prevention
name: standard-web-protection
sql_injection_protection: true
xss_protection: true
- allowed_methods:
- GET
- POST
- PUT
- DELETE
- PATCH
block_common_attacks: true
json_validation: true
mode: prevention
name: api-protection
rate_limit_requests_per_minute: 1000
sql_injection_protection: true
xss_protection: false
# ============================================================================
# Virtual Web Servers / WAF Rules
# ============================================================================
sophos_waf_virtual_hosts:
- backend_servers:
- app-server-01
- app-server-02
domain: www.example.com
enable_compression: true
enable_hsts: true
listening_ip: 203.0.113.10
listening_port: 443
load_balancing: round-robin
name: corporate-website
protocol: https
protection_policy: standard-web-protection
session_timeout: 1800
ssl_certificate: wildcard-example-com
- backend_servers:
- api-server-01
domain: api.example.com
enable_hsts: true
listening_ip: 203.0.113.11
listening_port: 443
name: api-gateway
protocol: https
protection_policy: api-protection
session_timeout: 3600
ssl_certificate: wildcard-example-com
websocket_support: true
# ============================================================================
# WAF Exceptions (Allow-list)
# ============================================================================
sophos_waf_exceptions:
- comment: Admin panel requires special characters in parameters
name: allow-admin-panel-special-chars
path: /admin/*
skip_rules:
- sql-injection-detection
- xss-detection
source_networks:
- 10.0.0.0/8
virtual_host: corporate-website
- comment: API endpoint accepts large JSON payloads
name: allow-api-large-json
path: /api/v1/upload
skip_rules:
- request-size-limit
source_networks:
- any
virtual_host: api-gateway
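Review bot: The WAF exception `allow-api-large-json` in the WAF Exceptions stanza skips `request-size-limit` on `/api/v1/upload` for `source_networks: - any`, so the `file_upload_limit_mb: 100` cap from the `api-protection` policy no longer applies to unauthenticated Internet clients on that path, which is a resource-exhaustion exposure on the api-gateway virtual host. Since the header says this file is regenerated from fw-baseline, the fix belongs on the source firewall before the next baseline_import run: scope the exception to the networks that legitimately upload, or keep the size rule and raise its limit rather than skipping it. The first exception, `allow-admin-panel-special-chars`, likewise disables `sql-injection-detection` and `xss-detection` for all of `10.0.0.0/8` on `/admin/*`, far wider than the 10.0.0.0/24 management subnet used elsewhere in this commit; narrowing it to that subnet is worth considering. Also note `xss_protection: false` on `api-protection`; if the API only returns JSON that may be deliberate, but a one-line comment saying so would stop it being "fixed" later.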


@@ -0,0 +1,203 @@
---
# ============================================================================
# Sophos Firewalls Group Variables
# ============================================================================
# This file contains variables specific to all Sophos XGS firewalls.
# These override defaults in all.yml and can be overridden in host_vars.
#
# Author: Network Automation Team
# ============================================================================
# ============================================================================
# API Authentication Method
# ============================================================================
# Sophos XGS supports two authentication methods:
# 1. API Key (recommended for automation)
# 2. Username/Password
#
# Define ONE of the following in host_vars for each firewall:
# - sophos_api_key: "your-api-key-here"
# OR
# - sophos_api_username: "admin"
# - sophos_api_password: "secure-password"
# ============================================================================
# ============================================================================
# Standard Network Objects (shared across all firewalls)
# ============================================================================
sophos_standard_network_objects:
# RFC 1918 private networks
- name: "RFC1918-10.0.0.0/8"
type: "network"
address: "10.0.0.0"
netmask: "255.0.0.0"
description: "RFC 1918 Class A private network"
- name: "RFC1918-172.16.0.0/12"
type: "network"
address: "172.16.0.0"
netmask: "255.240.0.0"
description: "RFC 1918 Class B private network"
- name: "RFC1918-192.168.0.0/16"
type: "network"
address: "192.168.0.0"
netmask: "255.255.0.0"
description: "RFC 1918 Class C private network"
# Infrastructure services
- name: "DNS-Servers-Primary"
type: "host"
address: "8.8.8.8"
description: "Google Public DNS Primary"
- name: "DNS-Servers-Secondary"
type: "host"
address: "8.8.4.4"
description: "Google Public DNS Secondary"
# ============================================================================
# Standard Service Objects (shared across all firewalls)
# ============================================================================
sophos_standard_service_objects:
- name: "HTTP"
protocol: "tcp"
dst_port: 80
description: "Hypertext Transfer Protocol"
- name: "HTTPS"
protocol: "tcp"
dst_port: 443
description: "HTTP over TLS/SSL"
- name: "SSH"
protocol: "tcp"
dst_port: 22
description: "Secure Shell"
- name: "RDP"
protocol: "tcp"
dst_port: 3389
description: "Remote Desktop Protocol"
- name: "DNS"
protocol: "udp"
dst_port: 53
description: "Domain Name System"
- name: "NTP"
protocol: "udp"
dst_port: 123
description: "Network Time Protocol"
- name: "SNMP"
protocol: "udp"
dst_port: 161
description: "Simple Network Management Protocol"
# ============================================================================
# Standard Zones (expected on all firewalls)
# ============================================================================
sophos_standard_zones:
- name: "WAN"
description: "Internet-facing zone"
type: "wan"
- name: "LAN"
description: "Internal trusted network"
type: "lan"
- name: "DMZ"
description: "Demilitarized zone for public servers"
type: "dmz"
- name: "VPN"
description: "VPN client and site-to-site traffic"
type: "vpn"
# ============================================================================
# Common Firewall Rules (applied to all firewalls)
# ============================================================================
sophos_common_firewall_rules:
# Allow internal networks to access DNS
- name: "Allow-LAN-to-Internet-DNS"
source_zones: ["LAN"]
dest_zones: ["WAN"]
source_networks: ["any"]
dest_networks: ["any"]
services: ["DNS"]
action: "accept"
log: false
enabled: true
position: "top"
description: "Allow internal networks to resolve DNS"
# Allow internal networks to access NTP
- name: "Allow-LAN-to-Internet-NTP"
source_zones: ["LAN"]
dest_zones: ["WAN"]
source_networks: ["any"]
dest_networks: ["any"]
services: ["NTP"]
action: "accept"
log: false
enabled: true
description: "Allow internal networks to synchronize time"
# Allow HTTP/HTTPS from LAN to Internet
- name: "Allow-LAN-to-Internet-Web"
source_zones: ["LAN"]
dest_zones: ["WAN"]
source_networks: ["any"]
dest_networks: ["any"]
services: ["HTTP", "HTTPS"]
action: "accept"
log: false
enabled: true
description: "Allow web browsing from internal network"
# Deny all other traffic (implicit deny - logged)
- name: "Deny-All-Other-Traffic"
source_zones: ["any"]
dest_zones: ["any"]
source_networks: ["any"]
dest_networks: ["any"]
services: ["any"]
action: "deny"
log: true
enabled: true
position: "bottom"
description: "Default deny rule - logs all dropped traffic"
# ============================================================================
# Device Access Policies (management services)
# ============================================================================
sophos_common_device_access_policies:
# Allow HTTPS admin access from LAN
- service: "https"
allowed_zones: ["LAN"]
allowed_networks: [] # Empty means all networks in zone
enabled: true
# Allow SSH admin access from LAN
- service: "ssh"
allowed_zones: ["LAN"]
allowed_networks: []
enabled: true
# Allow ping from LAN and WAN (for monitoring)
- service: "ping"
allowed_zones: ["LAN", "WAN"]
allowed_networks: []
enabled: true
# Allow SNMP from management network only
- service: "snmp"
allowed_zones: ["LAN"]
allowed_networks: ["10.0.0.0/24"] # Restrict to management subnet
enabled: true
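Review bot: In `sophos_common_device_access_policies`, the `https` and `ssh` entries use `allowed_networks: []` (documented inline as "all networks in zone"), so the firewall's own admin interfaces are reachable from every subnet placed in the LAN zone; the `snmp` entry right below already shows the tighter pattern. Restrict the two admin services the same way, `allowed_networks: ["10.0.0.0/24"] # Restrict to management subnet` on both the `https` and `ssh` entries. This matters on this page because the branch host_vars later in the commit put guest-WiFi and voice VLANs in the LAN zone, at which point the `LAN` zone description "Internal trusted network" no longer holds. `ping` is also permitted from `WAN` with no network restriction; if external monitoring needs it, listing the monitor's addresses keeps the device from answering reachability probes Internet-wide.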


@@ -0,0 +1,206 @@
---
# ============================================================================
# Sophos XGS Baseline Firewall Configuration
# ============================================================================
# Hostname: fw-baseline
# Location: Data Center - Primary
# Purpose: Baseline firewall for configuration export
#
# This firewall serves as the source for baseline WAF configuration that
# is exported and applied to other firewalls in the fleet.
# ============================================================================
# ============================================================================
# Management Connection
# ============================================================================
sophos_mgmt_host: "192.168.1.10"
sophos_api_username: "admin"
sophos_api_password: "P@ssw0rd123" # CHANGE IN PRODUCTION - Use Ansible Vault
# Firewall identification
sophos_hostname: "fw-baseline"
sophos_location: "datacenter-primary"
sophos_device_role: "baseline-export"
# ============================================================================
# Network Configuration
# ============================================================================
sophos_interfaces:
# WAN Interface
- name: "Port1"
type: "physical"
zone: "WAN"
description: "Internet connection (ISP primary)"
mode: "static"
ip_address: "203.0.113.1"
netmask: "255.255.255.252"
gateway: "203.0.113.2"
mtu: 1500
enabled: true
# LAN Interface
- name: "Port2"
type: "physical"
zone: "LAN"
description: "Internal corporate network"
mode: "static"
ip_address: "10.0.0.1"
netmask: "255.255.255.0"
mtu: 1500
enabled: true
# DMZ Interface
- name: "Port3"
type: "physical"
zone: "DMZ"
description: "Public-facing servers"
mode: "static"
ip_address: "10.100.0.1"
netmask: "255.255.255.0"
mtu: 1500
enabled: true
# VLANs
sophos_vlans:
- name: "VLAN100-Servers"
vlan_id: 100
parent_interface: "Port2"
zone: "LAN"
description: "Server VLAN"
ip_address: "10.0.100.1"
netmask: "255.255.255.0"
enabled: true
- name: "VLAN200-Workstations"
vlan_id: 200
parent_interface: "Port2"
zone: "LAN"
description: "User workstation VLAN"
ip_address: "10.0.200.1"
netmask: "255.255.255.0"
enabled: true
# ============================================================================
# DHCP Configuration
# ============================================================================
sophos_dhcp_servers:
- name: "DHCP-VLAN200-Workstations"
interface: "VLAN200-Workstations"
enabled: true
start_ip: "10.0.200.100"
end_ip: "10.0.200.200"
netmask: "255.255.255.0"
gateway: "10.0.200.1"
dns_servers:
- "10.0.0.10"
- "10.0.0.11"
domain: "corp.example.com"
lease_time: 86400 # 24 hours
reservations:
- mac_address: "00:50:56:00:01:01"
ip_address: "10.0.200.10"
hostname: "printer-01"
- mac_address: "00:50:56:00:01:02"
ip_address: "10.0.200.11"
hostname: "printer-02"
# ============================================================================
# DNS Configuration
# ============================================================================
sophos_dns:
forwarders:
- "8.8.8.8"
- "8.8.4.4"
domain: "corp.example.com"
enable_dns_forwarder: true
# ============================================================================
# Static Routes
# ============================================================================
sophos_static_routes:
- name: "Route-to-HQ"
destination: "10.1.0.0"
netmask: "255.255.0.0"
gateway: "10.0.0.254"
interface: "Port2"
metric: 10
enabled: true
# ============================================================================
# Firewall Rules (in addition to common rules)
# ============================================================================
sophos_firewall_rules:
# DMZ to Internet
- name: "Allow-DMZ-WebServers-to-Internet"
source_zones: ["DMZ"]
dest_zones: ["WAN"]
source_networks: ["10.100.1.0/24"]
dest_networks: ["any"]
services: ["HTTP", "HTTPS", "DNS"]
action: "accept"
log: true
enabled: true
description: "Allow web servers in DMZ to access Internet for updates"
# LAN to DMZ
- name: "Allow-LAN-to-DMZ-Web"
source_zones: ["LAN"]
dest_zones: ["DMZ"]
source_networks: ["any"]
dest_networks: ["10.100.1.0/24"]
services: ["HTTP", "HTTPS"]
action: "accept"
log: false
enabled: true
description: "Allow internal users to access DMZ web servers"
# ============================================================================
# SNMP Configuration
# ============================================================================
sophos_snmp:
enabled: true
version: "v2c"
community: "mon1tor!ng" # CHANGE IN PRODUCTION
location: "DC1-Rack15-U20"
contact: "netops@example.com"
allowed_networks:
- "10.0.0.0/24"
trap_destinations:
- host: "10.0.0.100"
port: 162
community: "mon1tor!ng"
# ============================================================================
# Logging Configuration
# ============================================================================
sophos_logging:
enabled: true
syslog_servers:
- host: "10.0.0.101"
port: 514
protocol: "udp"
facility: "local0"
severity: "informational"
categories:
- "firewall"
- "vpn"
- "waf"
- "system"
# ============================================================================
# NTP Configuration
# ============================================================================
sophos_ntp:
servers:
- "0.north-america.pool.ntp.org"
- "1.north-america.pool.ntp.org"
timezone: "America/New_York"
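Review bot: `sophos_api_password: "P@ssw0rd123"` in the Management Connection stanza is a cleartext credential committed to the repository, and the inline "CHANGE IN PRODUCTION - Use Ansible Vault" comment does not stop it being pushed; `sophos_no_log_sensitive` in all.yml only suppresses task output, not the value in git history. Replace the literal with a vault-backed reference, `sophos_api_password: "{{ vault_sophos_api_password }}"`, and keep the vaulted variable in an encrypted vars file; the same applies to both `community: "mon1tor!ng"` values under `sophos_snmp`, and to the API passwords, SNMP communities and `psk` values in the fw-branch1 and fw-branch2 host_vars further down this commit. Separately, the DMZ interface `Port3` is `10.100.0.1` / `255.255.255.0` (10.100.0.0/24) but both `sophos_firewall_rules` entries reference `10.100.1.0/24`, and the WAF backends in the baseline export live in 10.100.1.x and 10.100.2.x; unless a route or VLAN not shown here covers those ranges, the DMZ rules match no directly connected host. Worth confirming whether Port3's address or the rule networks carry the typo.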


@@ -0,0 +1,296 @@
---
# ============================================================================
# Sophos XGS Firewall - Branch Office 1
# ============================================================================
# Hostname: fw-branch1
# Location: Branch Office - New York
# Purpose: Branch office firewall with site-to-site VPN to HQ
# ============================================================================
# ============================================================================
# Management Connection
# ============================================================================
sophos_mgmt_host: "192.168.10.1"
sophos_api_username: "admin"
sophos_api_password: "Br@nch1P@ss" # CHANGE IN PRODUCTION - Use Ansible Vault
# Firewall identification
sophos_hostname: "fw-branch1"
sophos_location: "branch-office-nyc"
sophos_device_role: "branch-firewall"
# ============================================================================
# Network Configuration
# ============================================================================
sophos_interfaces:
# WAN Interface
- name: "Port1"
type: "physical"
zone: "WAN"
description: "Internet connection (Branch ISP)"
mode: "static"
ip_address: "198.51.100.10"
netmask: "255.255.255.248"
gateway: "198.51.100.9"
mtu: 1500
enabled: true
# LAN Interface
- name: "Port2"
type: "physical"
zone: "LAN"
description: "Branch office local network"
mode: "static"
ip_address: "10.10.0.1"
netmask: "255.255.255.0"
mtu: 1500
enabled: true
# WiFi Interface
- name: "Port3"
type: "physical"
zone: "LAN"
description: "Wireless AP connection"
mode: "static"
ip_address: "10.10.10.1"
netmask: "255.255.255.0"
mtu: 1500
enabled: true
# VLANs
sophos_vlans:
- name: "VLAN10-Voice"
vlan_id: 10
parent_interface: "Port2"
zone: "LAN"
description: "VoIP phones"
ip_address: "10.10.10.1"
netmask: "255.255.255.0"
enabled: true
- name: "VLAN20-Data"
vlan_id: 20
parent_interface: "Port2"
zone: "LAN"
description: "User workstations"
ip_address: "10.10.20.1"
netmask: "255.255.255.0"
enabled: true
- name: "VLAN30-Guest"
vlan_id: 30
parent_interface: "Port3"
zone: "LAN"
description: "Guest WiFi"
ip_address: "10.10.30.1"
netmask: "255.255.255.0"
enabled: true
# ============================================================================
# DHCP Configuration
# ============================================================================
sophos_dhcp_servers:
- name: "DHCP-Voice"
interface: "VLAN10-Voice"
enabled: true
start_ip: "10.10.10.100"
end_ip: "10.10.10.199"
netmask: "255.255.255.0"
gateway: "10.10.10.1"
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
domain: "branch1.example.com"
lease_time: 43200 # 12 hours
dhcp_options:
- option: 66 # TFTP server
value: "10.0.0.50"
- option: 150 # Cisco TFTP server
value: "10.0.0.50"
- name: "DHCP-Data"
interface: "VLAN20-Data"
enabled: true
start_ip: "10.10.20.50"
end_ip: "10.10.20.200"
netmask: "255.255.255.0"
gateway: "10.10.20.1"
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
domain: "branch1.example.com"
lease_time: 86400 # 24 hours
reservations:
- mac_address: "00:50:56:10:01:01"
ip_address: "10.10.20.10"
hostname: "branch1-printer"
- name: "DHCP-Guest"
interface: "VLAN30-Guest"
enabled: true
start_ip: "10.10.30.100"
end_ip: "10.10.30.200"
netmask: "255.255.255.0"
gateway: "10.10.30.1"
dns_servers:
- "8.8.8.8"
- "8.8.4.4"
domain: "guest.example.com"
lease_time: 3600 # 1 hour
# ============================================================================
# DNS Configuration
# ============================================================================
sophos_dns:
forwarders:
- "10.0.0.10" # HQ DNS server
- "8.8.8.8"
domain: "branch1.example.com"
enable_dns_forwarder: true
# ============================================================================
# Static Routes
# ============================================================================
sophos_static_routes:
- name: "Route-to-HQ-via-VPN"
destination: "10.0.0.0"
netmask: "255.255.0.0"
gateway: "10.0.0.1"
interface: "VPN"
metric: 5
enabled: true
# ============================================================================
# Firewall Rules (in addition to common rules)
# ============================================================================
sophos_firewall_rules:
# Guest network isolation
- name: "Allow-Guest-to-Internet-Only"
source_zones: ["LAN"]
dest_zones: ["WAN"]
source_networks: ["10.10.30.0/24"]
dest_networks: ["any"]
services: ["HTTP", "HTTPS", "DNS"]
action: "accept"
log: false
enabled: true
description: "Guest WiFi can only access Internet"
- name: "Deny-Guest-to-Internal"
source_zones: ["LAN"]
dest_zones: ["LAN", "VPN"]
source_networks: ["10.10.30.0/24"]
dest_networks: ["any"]
services: ["any"]
action: "deny"
log: true
enabled: true
description: "Block guest network from accessing internal resources"
# Branch to HQ
- name: "Allow-Branch-to-HQ"
source_zones: ["LAN"]
dest_zones: ["VPN"]
source_networks: ["10.10.0.0/16"]
dest_networks: ["10.0.0.0/16"]
services: ["any"]
action: "accept"
log: false
enabled: true
description: "Allow branch office to access HQ resources"
# ============================================================================
# Site-to-Site VPN Configuration
# ============================================================================
sophos_site_to_site_vpns:
- name: "Branch1-to-HQ"
enabled: true
connection_type: "tunnel"
# Local settings
local_gateway: "198.51.100.10"
local_networks:
- "10.10.0.0/16"
local_id: "198.51.100.10"
# Remote settings
remote_gateway: "203.0.113.1"
remote_networks:
- "10.0.0.0/16"
remote_id: "203.0.113.1"
# Phase 1 (IKE) settings
ike_version: 2
ike_encryption: "aes256"
ike_hash: "sha256"
ike_dh_group: 14
ike_lifetime: 28800 # 8 hours
authentication_method: "psk"
psk: "Sup3rS3cr3tPr3Sh@r3dK3y123" # CHANGE IN PRODUCTION - Use Vault
# Phase 2 (IPsec) settings
ipsec_mode: "tunnel"
ipsec_encryption: "aes256"
ipsec_hash: "sha256"
ipsec_pfs_group: 14
ipsec_lifetime: 3600 # 1 hour
# Advanced settings
dpd_enabled: true
dpd_interval: 30
dpd_retries: 3
nat_traversal: true
description: "Site-to-site VPN tunnel between Branch 1 (NYC) and HQ"
# ============================================================================
# SNMP Configuration
# ============================================================================
sophos_snmp:
enabled: true
version: "v2c"
community: "br@nch1mon" # CHANGE IN PRODUCTION
location: "Branch1-NYC-NetworkCloset"
contact: "branch1-it@example.com"
allowed_networks:
- "10.10.0.0/16"
- "10.0.0.0/24" # Allow HQ monitoring
trap_destinations:
- host: "10.0.0.100"
port: 162
community: "br@nch1mon"
# ============================================================================
# Logging Configuration
# ============================================================================
sophos_logging:
enabled: true
syslog_servers:
- host: "10.0.0.101"
port: 514
protocol: "udp"
facility: "local1"
severity: "informational"
categories:
- "firewall"
- "vpn"
- "system"
# ============================================================================
# NTP Configuration
# ============================================================================
sophos_ntp:
servers:
- "10.0.0.1" # HQ firewall as NTP source
- "time.google.com"
timezone: "America/New_York"
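Review bot: `Port3` (`ip_address: "10.10.10.1"`, /24) and `VLAN10-Voice` (`ip_address: "10.10.10.1"`, /24, parent Port2) are given the same address and subnet under `sophos_interfaces` and `sophos_vlans`, so the second will either be rejected by the firewall or leave 10.10.10.0/24 ambiguously attached to two interfaces, and `DHCP-Voice` hands out `gateway: "10.10.10.1"` for exactly that range. Give the WiFi port its own range, e.g. `ip_address: "10.10.40.1"` on Port3, or drop the VLAN, depending on which interface the phones really sit behind. Also, `VLAN30-Guest` is placed in `zone: "LAN"`, so guest isolation rests entirely on the two firewall rules and on whatever LAN-zone device access policy applies; a dedicated guest zone, or at least an explicit exclusion on `Allow-Branch-to-HQ` (whose `10.10.0.0/16` includes 10.10.30.0/24), would not depend on rule order. `Deny-Guest-to-Internal` is listed before the HQ allow, which is correct only if the role preserves list order when creating rules, something this hunk cannot confirm.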


@@ -0,0 +1,305 @@
---
# ============================================================================
# Sophos XGS Firewall - Branch Office 2
# ============================================================================
# Hostname: fw-branch2
# Location: Branch Office - Los Angeles
# Purpose: Branch office firewall with remote access VPN
# ============================================================================
# ============================================================================
# Management Connection
# ============================================================================
sophos_mgmt_host: "192.168.20.1"
sophos_api_username: "admin"
sophos_api_password: "Br@nch2P@ss" # CHANGE IN PRODUCTION - Use Ansible Vault
# Firewall identification
sophos_hostname: "fw-branch2"
sophos_location: "branch-office-la"
sophos_device_role: "branch-firewall"
# ============================================================================
# Network Configuration
# ============================================================================
sophos_interfaces:
# WAN Interface
- name: "Port1"
type: "physical"
zone: "WAN"
description: "Internet connection (Branch ISP)"
mode: "static"
ip_address: "198.51.100.20"
netmask: "255.255.255.248"
gateway: "198.51.100.17"
mtu: 1500
enabled: true
# LAN Interface
- name: "Port2"
type: "physical"
zone: "LAN"
description: "Branch office local network"
mode: "static"
ip_address: "10.20.0.1"
netmask: "255.255.255.0"
mtu: 1500
enabled: true
# VLANs
sophos_vlans:
- name: "VLAN50-Users"
vlan_id: 50
parent_interface: "Port2"
zone: "LAN"
description: "User workstations and devices"
ip_address: "10.20.50.1"
netmask: "255.255.255.0"
enabled: true
- name: "VLAN60-Servers"
vlan_id: 60
parent_interface: "Port2"
zone: "LAN"
description: "Local servers"
ip_address: "10.20.60.1"
netmask: "255.255.255.0"
enabled: true
# ============================================================================
# DHCP Configuration
# ============================================================================
sophos_dhcp_servers:
- name: "DHCP-Users"
interface: "VLAN50-Users"
enabled: true
start_ip: "10.20.50.100"
end_ip: "10.20.50.250"
netmask: "255.255.255.0"
gateway: "10.20.50.1"
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
domain: "branch2.example.com"
lease_time: 86400 # 24 hours
- name: "DHCP-Servers"
interface: "VLAN60-Servers"
enabled: true
start_ip: "10.20.60.100"
end_ip: "10.20.60.200"
netmask: "255.255.255.0"
gateway: "10.20.60.1"
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
domain: "branch2.example.com"
lease_time: 86400
reservations:
- mac_address: "00:50:56:20:01:01"
ip_address: "10.20.60.10"
hostname: "branch2-fileserver"
- mac_address: "00:50:56:20:01:02"
ip_address: "10.20.60.11"
hostname: "branch2-printserver"
# ============================================================================
# DNS Configuration
# ============================================================================
sophos_dns:
forwarders:
- "10.0.0.10" # HQ DNS server
- "8.8.8.8"
domain: "branch2.example.com"
enable_dns_forwarder: true
# ============================================================================
# Static Routes
# ============================================================================
sophos_static_routes:
- name: "Route-to-HQ-via-VPN"
destination: "10.0.0.0"
netmask: "255.255.0.0"
gateway: "10.0.0.1"
interface: "VPN"
metric: 5
enabled: true
# ============================================================================
# Firewall Rules (in addition to common rules)
# ============================================================================
sophos_firewall_rules:
# Branch to HQ
- name: "Allow-Branch2-to-HQ"
source_zones: ["LAN"]
dest_zones: ["VPN"]
source_networks: ["10.20.0.0/16"]
dest_networks: ["10.0.0.0/16"]
services: ["any"]
action: "accept"
log: false
enabled: true
description: "Allow Branch 2 to access HQ resources"
# Remote access VPN to internal resources
- name: "Allow-RemoteVPN-to-Internal"
source_zones: ["VPN"]
dest_zones: ["LAN"]
source_networks: ["10.255.0.0/24"] # VPN pool
dest_networks: ["10.20.0.0/16"]
services: ["any"]
action: "accept"
log: true
enabled: true
description: "Allow remote VPN users to access branch resources"
# ============================================================================
# Site-to-Site VPN Configuration
# ============================================================================
sophos_site_to_site_vpns:
- name: "Branch2-to-HQ"
enabled: true
connection_type: "tunnel"
# Local settings
local_gateway: "198.51.100.20"
local_networks:
- "10.20.0.0/16"
local_id: "198.51.100.20"
# Remote settings
remote_gateway: "203.0.113.1"
remote_networks:
- "10.0.0.0/16"
remote_id: "203.0.113.1"
# Phase 1 (IKE) settings
ike_version: 2
ike_encryption: "aes256"
ike_hash: "sha256"
ike_dh_group: 14
ike_lifetime: 28800
authentication_method: "psk"
psk: "Br@nch2ToHQPr3Sh@r3dK3y456" # CHANGE IN PRODUCTION - Use Vault
# Phase 2 (IPsec) settings
ipsec_mode: "tunnel"
ipsec_encryption: "aes256"
ipsec_hash: "sha256"
ipsec_pfs_group: 14
ipsec_lifetime: 3600
# Advanced settings
dpd_enabled: true
dpd_interval: 30
dpd_retries: 3
nat_traversal: true
description: "Site-to-site VPN tunnel between Branch 2 (LA) and HQ"
# ============================================================================
# Remote Access VPN Configuration
# ============================================================================
sophos_remote_access_vpn:
enabled: true
type: "sslvpn"
name: "Branch2-RemoteAccess-VPN"
# Connection settings
listening_port: 443
listening_interface: "Port1" # WAN interface
# Authentication
authentication_method: "local" # Can be "local", "ldap", "radius"
user_groups:
- "Remote-Workers"
- "IT-Staff"
# IP address pool for VPN clients
address_pool:
network: "10.255.0.0"
netmask: "255.255.255.0"
start_ip: "10.255.0.10"
end_ip: "10.255.0.250"
# DNS and routing for VPN clients
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
wins_servers: []
# Split tunnel configuration
tunnel_mode: "split" # "split" or "full"
tunnel_networks: # Only these networks via VPN (split tunnel)
- "10.0.0.0/8"
- "172.16.0.0/12"
# Encryption settings
encryption: "aes256"
hash: "sha256"
# Advanced settings
idle_timeout: 1800 # 30 minutes
session_timeout: 43200 # 12 hours
max_concurrent_connections: 50
enable_compression: true
# Client settings
override_default_gateway: false # For split tunnel
block_lan_access: true # Prevent access to client's local LAN
description: "SSL VPN for remote workers and IT staff"
# ============================================================================
# SNMP Configuration
# ============================================================================
sophos_snmp:
enabled: true
version: "v2c"
community: "br@nch2mon" # CHANGE IN PRODUCTION
location: "Branch2-LA-ITCloset"
contact: "branch2-it@example.com"
allowed_networks:
- "10.20.0.0/16"
- "10.0.0.0/24" # Allow HQ monitoring
trap_destinations:
- host: "10.0.0.100"
port: 162
community: "br@nch2mon"
# ============================================================================
# Logging Configuration
# ============================================================================
sophos_logging:
enabled: true
syslog_servers:
- host: "10.0.0.101"
port: 514
protocol: "udp"
facility: "local2"
severity: "informational"
categories:
- "firewall"
- "vpn"
- "authentication"
- "system"
# ============================================================================
# NTP Configuration
# ============================================================================
sophos_ntp:
servers:
- "10.0.0.1" # HQ firewall as NTP source
- "time.google.com"
timezone: "America/Los_Angeles"
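Review bot: `sophos_remote_access_vpn` exposes an SSL VPN on the WAN interface (`listening_interface: "Port1"`, `listening_port: 443`) with `authentication_method: "local"` and no second factor, and `Allow-RemoteVPN-to-Internal` then grants the whole `10.255.0.0/24` pool `services: ["any"]` into `10.20.0.0/16`; an Internet-facing password-only VPN is the most exposed surface in this commit. The inline comment already lists `"ldap"` and `"radius"` as options; tying authentication to the central directory (with MFA enforced there) and narrowing the rule's `services` to what remote workers actually use would reduce the exposure considerably, and `log: true` on that rule is the right choice to keep. `tunnel_networks` also pushes `172.16.0.0/12` to clients although nothing on this host routes that range; if it is only reachable via HQ, say so in a comment, otherwise drop it. The plaintext `sophos_api_password`, `psk` and `community` values here share the vault issue raised on the fw-baseline host_vars.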


@@ -0,0 +1,52 @@
# ============================================================================
# Sophos XGS Firewall Inventory
# ============================================================================
# This inventory defines all Sophos XGS firewalls managed by Ansible.
#
# Groups:
# - sophos_firewalls: All production Sophos XGS devices
# - sophos_baseline: The baseline firewall used for config export
# - sophos_headquarters: Firewalls at HQ location
# - sophos_branches: Firewalls at branch locations
#
# Connection Method:
# All firewalls are managed via HTTPS API (no SSH required)
#
# Author: Network Automation Team
# ============================================================================
# ============================================================================
# Baseline Firewall (for configuration import/export)
# ============================================================================
[sophos_baseline]
fw-baseline ansible_host=192.168.1.10
# ============================================================================
# Headquarters Firewalls
# ============================================================================
[sophos_headquarters]
fw-hq-primary ansible_host=192.168.1.20
fw-hq-secondary ansible_host=192.168.1.21
# ============================================================================
# Branch Office Firewalls
# ============================================================================
[sophos_branches]
fw-branch1 ansible_host=192.168.10.1
fw-branch2 ansible_host=192.168.20.1
fw-branch3 ansible_host=192.168.30.1
# ============================================================================
# All Sophos Firewalls (parent group)
# ============================================================================
[sophos_firewalls:children]
sophos_baseline
sophos_headquarters
sophos_branches
# ============================================================================
# Connection Variables (applied to all Sophos firewalls)
# ============================================================================
[sophos_firewalls:vars]
ansible_connection=local
ansible_python_interpreter=/usr/bin/python3