Claude 1

2025-12-09 09:33:48 -06:00
parent 228174e541
commit 4f1e8d3add
55 changed files with 4345 additions and 0 deletions
--- a/sophos-xgs-ansible/inventory/group_vars/all.yml
+++ b/sophos-xgs-ansible/inventory/group_vars/all.yml
@@ -0,0 +1,128 @@
+---
+# ============================================================================
+# Global Variables for All Sophos XGS Firewalls
+# ============================================================================
+# This file contains default values applied to ALL firewalls in the inventory.
+# These can be overridden in group_vars/sophos_firewalls.yml or in individual
+# host_vars files.
+#
+# Author: Network Automation Team
+# ============================================================================
+
+# ============================================================================
+# API Connection Settings
+# ============================================================================
+
+# Management port (Sophos XGS default is 4444, web interface is 443)
+sophos_mgmt_port: 4444
+
+# SSL certificate validation (set to false for self-signed certs in lab)
+sophos_validate_certs: false
+
+# API timeout in seconds
+sophos_api_timeout: 30
+
+# Enable/disable logging of sensitive data (passwords, API keys)
+sophos_no_log_sensitive: true
+
+# Retry settings for API calls
+sophos_api_retries: 3
+sophos_api_retry_delay: 5
+
+# ============================================================================
+# Execution Control
+# ============================================================================
+
+# Serial execution limit (number of firewalls to configure simultaneously)
+sophos_serial_execution: 5
+
+# Feature toggles (can be disabled to skip entire roles)
+sophos_manage_network: true
+sophos_manage_firewall_rules: true
+sophos_manage_site_to_site_vpn: true
+sophos_manage_remote_access_vpn: true
+sophos_manage_waf: true
+sophos_manage_device_access: true
+sophos_manage_snmp_logging: true
+
+# Automatically save configuration after changes
+sophos_save_config: true
+
+# ============================================================================
+# Global Network Settings (defaults)
+# ============================================================================
+
+# Default DNS servers (can be overridden per firewall)
+sophos_default_dns_servers:
+  - 8.8.8.8
+  - 8.8.4.4
+
+# Default NTP servers
+sophos_default_ntp_servers:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+
+# Default timezone
+sophos_timezone: "America/New_York"
+
+# Default MTU
+sophos_default_mtu: 1500
+
+# ============================================================================
+# Global Security Settings (defaults)
+# ============================================================================
+
+# Default firewall rule logging
+sophos_default_rule_log: true
+
+# Default firewall rule action
+sophos_default_rule_action: "deny"
+
+# Default VPN encryption settings
+sophos_default_ike_encryption: "aes256"
+sophos_default_ike_hash: "sha256"
+sophos_default_ike_dh_group: 14
+sophos_default_ike_lifetime: 28800
+
+sophos_default_ipsec_encryption: "aes256"
+sophos_default_ipsec_hash: "sha256"
+sophos_default_ipsec_pfs_group: 14
+sophos_default_ipsec_lifetime: 3600
+
+# ============================================================================
+# Global SNMP Settings (defaults)
+# ============================================================================
+
+sophos_snmp_enabled: true
+sophos_snmp_version: "v2c"
+sophos_snmp_community: "public"  # CHANGE THIS IN PRODUCTION
+sophos_snmp_location: "Data Center"
+sophos_snmp_contact: "netadmin@example.com"
+
+# ============================================================================
+# Global Logging Settings (defaults)
+# ============================================================================
+
+sophos_logging_enabled: true
+sophos_logging_facility: "local0"
+sophos_logging_severity: "informational"
+
+# Default syslog servers (can be extended per firewall)
+sophos_syslog_servers:
+  - host: "10.0.0.100"
+    port: 514
+    protocol: "udp"
+
+# ============================================================================
+# CI/CD and Version Control
+# ============================================================================
+
+# Configuration version (increment when making breaking changes)
+sophos_config_version: "1.0.0"
+
+# Tags for resource tracking
+sophos_default_tags:
+  managed_by: "ansible"
+  project: "sophos-xgs-automation"
+  environment: "production"