Claude 1

sophos-xgs-ansible/inventory/group_vars/all.yml

@@ -0,0 +1,128 @@
+---
+# ============================================================================
+# Global Variables for All Sophos XGS Firewalls
+# ============================================================================
+# This file contains default values applied to ALL firewalls in the inventory.
+# These can be overridden in group_vars/sophos_firewalls.yml or in individual
+# host_vars files.
+#
+# Author: Network Automation Team
+# ============================================================================
+
+# ============================================================================
+# API Connection Settings
+# ============================================================================
+
+# Management port (Sophos XGS default is 4444, web interface is 443)
+sophos_mgmt_port: 4444
+
+# SSL certificate validation (set to false for self-signed certs in lab)
+sophos_validate_certs: false
+
+# API timeout in seconds
+sophos_api_timeout: 30
+
+# Enable/disable logging of sensitive data (passwords, API keys)
+sophos_no_log_sensitive: true
+
+# Retry settings for API calls
+sophos_api_retries: 3
+sophos_api_retry_delay: 5
+
+# ============================================================================
+# Execution Control
+# ============================================================================
+
+# Serial execution limit (number of firewalls to configure simultaneously)
+sophos_serial_execution: 5
+
+# Feature toggles (can be disabled to skip entire roles)
+sophos_manage_network: true
+sophos_manage_firewall_rules: true
+sophos_manage_site_to_site_vpn: true
+sophos_manage_remote_access_vpn: true
+sophos_manage_waf: true
+sophos_manage_device_access: true
+sophos_manage_snmp_logging: true
+
+# Automatically save configuration after changes
+sophos_save_config: true
+
+# ============================================================================
+# Global Network Settings (defaults)
+# ============================================================================
+
+# Default DNS servers (can be overridden per firewall)
+sophos_default_dns_servers:
+  - 8.8.8.8
+  - 8.8.4.4
+
+# Default NTP servers
+sophos_default_ntp_servers:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+
+# Default timezone
+sophos_timezone: "America/New_York"
+
+# Default MTU
+sophos_default_mtu: 1500
+
+# ============================================================================
+# Global Security Settings (defaults)
+# ============================================================================
+
+# Default firewall rule logging
+sophos_default_rule_log: true
+
+# Default firewall rule action
+sophos_default_rule_action: "deny"
+
+# Default VPN encryption settings
+sophos_default_ike_encryption: "aes256"
+sophos_default_ike_hash: "sha256"
+sophos_default_ike_dh_group: 14
+sophos_default_ike_lifetime: 28800
+
+sophos_default_ipsec_encryption: "aes256"
+sophos_default_ipsec_hash: "sha256"
+sophos_default_ipsec_pfs_group: 14
+sophos_default_ipsec_lifetime: 3600
+
+# ============================================================================
+# Global SNMP Settings (defaults)
+# ============================================================================
+
+sophos_snmp_enabled: true
+sophos_snmp_version: "v2c"
+sophos_snmp_community: "public"  # CHANGE THIS IN PRODUCTION
+sophos_snmp_location: "Data Center"
+sophos_snmp_contact: "netadmin@example.com"
+
+# ============================================================================
+# Global Logging Settings (defaults)
+# ============================================================================
+
+sophos_logging_enabled: true
+sophos_logging_facility: "local0"
+sophos_logging_severity: "informational"
+
+# Default syslog servers (can be extended per firewall)
+sophos_syslog_servers:
+  - host: "10.0.0.100"
+    port: 514
+    protocol: "udp"
+
+# ============================================================================
+# CI/CD and Version Control
+# ============================================================================
+
+# Configuration version (increment when making breaking changes)
+sophos_config_version: "1.0.0"
+
+# Tags for resource tracking
+sophos_default_tags:
+  managed_by: "ansible"
+  project: "sophos-xgs-automation"
+  environment: "production"

sophos-xgs-ansible/inventory/group_vars/baseline_web.yml

@@ -0,0 +1,135 @@
+---
+# ============================================================================
+# Sophos XGS Baseline WAF Configuration
+# ============================================================================
+# This file was automatically generated by the baseline_import.yml playbook
+#
+# Source: fw-baseline (192.168.1.10)
+# Exported: 2025-12-09T10:30:00Z
+# Exported by: ansible
+#
+# This configuration serves as the baseline WAF configuration for all
+# firewalls in the fleet. Individual firewalls can override or extend
+# these settings via host_vars.
+#
+# DO NOT EDIT THIS FILE MANUALLY - regenerate using baseline_import.yml
+# ============================================================================
+
+_metadata:
+  description: Baseline WAF configuration imported from fw-baseline
+  exported_by: ansible
+  export_timestamp: '2025-12-09T10:30:00Z'
+  source_firewall: fw-baseline
+  source_ip: 192.168.1.10
+  version: '1.0'
+
+# ============================================================================
+# WAF Backend Servers
+# ============================================================================
+
+sophos_waf_backends:
+  - health_check: true
+    host: 10.100.1.50
+    name: app-server-01
+    port: 8080
+    protocol: http
+
+  - health_check: true
+    host: 10.100.1.51
+    name: app-server-02
+    port: 8080
+    protocol: http
+
+  - health_check: true
+    host: 10.100.2.50
+    name: api-server-01
+    port: 8080
+    protocol: http
+
+# ============================================================================
+# WAF Protection Policies
+# ============================================================================
+
+sophos_waf_policies:
+  - allowed_methods:
+      - GET
+      - POST
+      - HEAD
+    block_common_attacks: true
+    file_upload_limit_mb: 100
+    max_url_length: 4096
+    mode: prevention
+    name: standard-web-protection
+    sql_injection_protection: true
+    xss_protection: true
+
+  - allowed_methods:
+      - GET
+      - POST
+      - PUT
+      - DELETE
+      - PATCH
+    block_common_attacks: true
+    json_validation: true
+    mode: prevention
+    name: api-protection
+    rate_limit_requests_per_minute: 1000
+    sql_injection_protection: true
+    xss_protection: false
+
+# ============================================================================
+# Virtual Web Servers / WAF Rules
+# ============================================================================
+
+sophos_waf_virtual_hosts:
+  - backend_servers:
+      - app-server-01
+      - app-server-02
+    domain: www.example.com
+    enable_compression: true
+    enable_hsts: true
+    listening_ip: 203.0.113.10
+    listening_port: 443
+    load_balancing: round-robin
+    name: corporate-website
+    protocol: https
+    protection_policy: standard-web-protection
+    session_timeout: 1800
+    ssl_certificate: wildcard-example-com
+
+  - backend_servers:
+      - api-server-01
+    domain: api.example.com
+    enable_hsts: true
+    listening_ip: 203.0.113.11
+    listening_port: 443
+    name: api-gateway
+    protocol: https
+    protection_policy: api-protection
+    session_timeout: 3600
+    ssl_certificate: wildcard-example-com
+    websocket_support: true
+
+# ============================================================================
+# WAF Exceptions (Allow-list)
+# ============================================================================
+
+sophos_waf_exceptions:
+  - comment: Admin panel requires special characters in parameters
+    name: allow-admin-panel-special-chars
+    path: /admin/*
+    skip_rules:
+      - sql-injection-detection
+      - xss-detection
+    source_networks:
+      - 10.0.0.0/8
+    virtual_host: corporate-website
+
+  - comment: API endpoint accepts large JSON payloads
+    name: allow-api-large-json
+    path: /api/v1/upload
+    skip_rules:
+      - request-size-limit
+    source_networks:
+      - any
+    virtual_host: api-gateway

sophos-xgs-ansible/inventory/group_vars/sophos_firewalls.yml

@@ -0,0 +1,203 @@
+---
+# ============================================================================
+# Sophos Firewalls Group Variables
+# ============================================================================
+# This file contains variables specific to all Sophos XGS firewalls.
+# These override defaults in all.yml and can be overridden in host_vars.
+#
+# Author: Network Automation Team
+# ============================================================================
+
+# ============================================================================
+# API Authentication Method
+# ============================================================================
+# Sophos XGS supports two authentication methods:
+#   1. API Key (recommended for automation)
+#   2. Username/Password
+#
+# Define ONE of the following in host_vars for each firewall:
+#   - sophos_api_key: "your-api-key-here"
+# OR
+#   - sophos_api_username: "admin"
+#   - sophos_api_password: "secure-password"
+# ============================================================================
+
+# ============================================================================
+# Standard Network Objects (shared across all firewalls)
+# ============================================================================
+
+sophos_standard_network_objects:
+  # RFC 1918 private networks
+  - name: "RFC1918-10.0.0.0/8"
+    type: "network"
+    address: "10.0.0.0"
+    netmask: "255.0.0.0"
+    description: "RFC 1918 Class A private network"
+
+  - name: "RFC1918-172.16.0.0/12"
+    type: "network"
+    address: "172.16.0.0"
+    netmask: "255.240.0.0"
+    description: "RFC 1918 Class B private network"
+
+  - name: "RFC1918-192.168.0.0/16"
+    type: "network"
+    address: "192.168.0.0"
+    netmask: "255.255.0.0"
+    description: "RFC 1918 Class C private network"
+
+  # Infrastructure services
+  - name: "DNS-Servers-Primary"
+    type: "host"
+    address: "8.8.8.8"
+    description: "Google Public DNS Primary"
+
+  - name: "DNS-Servers-Secondary"
+    type: "host"
+    address: "8.8.4.4"
+    description: "Google Public DNS Secondary"
+
+# ============================================================================
+# Standard Service Objects (shared across all firewalls)
+# ============================================================================
+
+sophos_standard_service_objects:
+  - name: "HTTP"
+    protocol: "tcp"
+    dst_port: 80
+    description: "Hypertext Transfer Protocol"
+
+  - name: "HTTPS"
+    protocol: "tcp"
+    dst_port: 443
+    description: "HTTP over TLS/SSL"
+
+  - name: "SSH"
+    protocol: "tcp"
+    dst_port: 22
+    description: "Secure Shell"
+
+  - name: "RDP"
+    protocol: "tcp"
+    dst_port: 3389
+    description: "Remote Desktop Protocol"
+
+  - name: "DNS"
+    protocol: "udp"
+    dst_port: 53
+    description: "Domain Name System"
+
+  - name: "NTP"
+    protocol: "udp"
+    dst_port: 123
+    description: "Network Time Protocol"
+
+  - name: "SNMP"
+    protocol: "udp"
+    dst_port: 161
+    description: "Simple Network Management Protocol"
+
+# ============================================================================
+# Standard Zones (expected on all firewalls)
+# ============================================================================
+
+sophos_standard_zones:
+  - name: "WAN"
+    description: "Internet-facing zone"
+    type: "wan"
+
+  - name: "LAN"
+    description: "Internal trusted network"
+    type: "lan"
+
+  - name: "DMZ"
+    description: "Demilitarized zone for public servers"
+    type: "dmz"
+
+  - name: "VPN"
+    description: "VPN client and site-to-site traffic"
+    type: "vpn"
+
+# ============================================================================
+# Common Firewall Rules (applied to all firewalls)
+# ============================================================================
+
+sophos_common_firewall_rules:
+  # Allow internal networks to access DNS
+  - name: "Allow-LAN-to-Internet-DNS"
+    source_zones: ["LAN"]
+    dest_zones: ["WAN"]
+    source_networks: ["any"]
+    dest_networks: ["any"]
+    services: ["DNS"]
+    action: "accept"
+    log: false
+    enabled: true
+    position: "top"
+    description: "Allow internal networks to resolve DNS"
+
+  # Allow internal networks to access NTP
+  - name: "Allow-LAN-to-Internet-NTP"
+    source_zones: ["LAN"]
+    dest_zones: ["WAN"]
+    source_networks: ["any"]
+    dest_networks: ["any"]
+    services: ["NTP"]
+    action: "accept"
+    log: false
+    enabled: true
+    description: "Allow internal networks to synchronize time"
+
+  # Allow HTTP/HTTPS from LAN to Internet
+  - name: "Allow-LAN-to-Internet-Web"
+    source_zones: ["LAN"]
+    dest_zones: ["WAN"]
+    source_networks: ["any"]
+    dest_networks: ["any"]
+    services: ["HTTP", "HTTPS"]
+    action: "accept"
+    log: false
+    enabled: true
+    description: "Allow web browsing from internal network"
+
+  # Deny all other traffic (implicit deny - logged)
+  - name: "Deny-All-Other-Traffic"
+    source_zones: ["any"]
+    dest_zones: ["any"]
+    source_networks: ["any"]
+    dest_networks: ["any"]
+    services: ["any"]
+    action: "deny"
+    log: true
+    enabled: true
+    position: "bottom"
+    description: "Default deny rule - logs all dropped traffic"
+
+# ============================================================================
+# Device Access Policies (management services)
+# ============================================================================
+
+sophos_common_device_access_policies:
+  # Allow HTTPS admin access from LAN
+  - service: "https"
+    allowed_zones: ["LAN"]
+    allowed_networks: []  # Empty means all networks in zone
+    enabled: true
+
+  # Allow SSH admin access from LAN
+  - service: "ssh"
+    allowed_zones: ["LAN"]
+    allowed_networks: []
+    enabled: true
+
+  # Allow ping from LAN and WAN (for monitoring)
+  - service: "ping"
+    allowed_zones: ["LAN", "WAN"]
+    allowed_networks: []
+    enabled: true
+
+  # Allow SNMP from management network only
+  - service: "snmp"
+    allowed_zones: ["LAN"]
+    allowed_networks: ["10.0.0.0/24"]  # Restrict to management subnet
+    enabled: true