Claude 1

sophos-xgs-ansible/inventory/group_vars/baseline_web.yml

@@ -0,0 +1,135 @@
+---
+# ============================================================================
+# Sophos XGS Baseline WAF Configuration
+# ============================================================================
+# This file was automatically generated by the baseline_import.yml playbook
+#
+# Source: fw-baseline (192.168.1.10)
+# Exported: 2025-12-09T10:30:00Z
+# Exported by: ansible
+#
+# This configuration serves as the baseline WAF configuration for all
+# firewalls in the fleet. Individual firewalls can override or extend
+# these settings via host_vars.
+#
+# DO NOT EDIT THIS FILE MANUALLY - regenerate using baseline_import.yml
+# ============================================================================
+
+_metadata:
+  description: Baseline WAF configuration imported from fw-baseline
+  exported_by: ansible
+  export_timestamp: '2025-12-09T10:30:00Z'
+  source_firewall: fw-baseline
+  source_ip: 192.168.1.10
+  version: '1.0'
+
+# ============================================================================
+# WAF Backend Servers
+# ============================================================================
+
+sophos_waf_backends:
+  - health_check: true
+    host: 10.100.1.50
+    name: app-server-01
+    port: 8080
+    protocol: http
+
+  - health_check: true
+    host: 10.100.1.51
+    name: app-server-02
+    port: 8080
+    protocol: http
+
+  - health_check: true
+    host: 10.100.2.50
+    name: api-server-01
+    port: 8080
+    protocol: http
+
+# ============================================================================
+# WAF Protection Policies
+# ============================================================================
+
+sophos_waf_policies:
+  - allowed_methods:
+      - GET
+      - POST
+      - HEAD
+    block_common_attacks: true
+    file_upload_limit_mb: 100
+    max_url_length: 4096
+    mode: prevention
+    name: standard-web-protection
+    sql_injection_protection: true
+    xss_protection: true
+
+  - allowed_methods:
+      - GET
+      - POST
+      - PUT
+      - DELETE
+      - PATCH
+    block_common_attacks: true
+    json_validation: true
+    mode: prevention
+    name: api-protection
+    rate_limit_requests_per_minute: 1000
+    sql_injection_protection: true
+    xss_protection: false
+
+# ============================================================================
+# Virtual Web Servers / WAF Rules
+# ============================================================================
+
+sophos_waf_virtual_hosts:
+  - backend_servers:
+      - app-server-01
+      - app-server-02
+    domain: www.example.com
+    enable_compression: true
+    enable_hsts: true
+    listening_ip: 203.0.113.10
+    listening_port: 443
+    load_balancing: round-robin
+    name: corporate-website
+    protocol: https
+    protection_policy: standard-web-protection
+    session_timeout: 1800
+    ssl_certificate: wildcard-example-com
+
+  - backend_servers:
+      - api-server-01
+    domain: api.example.com
+    enable_hsts: true
+    listening_ip: 203.0.113.11
+    listening_port: 443
+    name: api-gateway
+    protocol: https
+    protection_policy: api-protection
+    session_timeout: 3600
+    ssl_certificate: wildcard-example-com
+    websocket_support: true
+
+# ============================================================================
+# WAF Exceptions (Allow-list)
+# ============================================================================
+
+sophos_waf_exceptions:
+  - comment: Admin panel requires special characters in parameters
+    name: allow-admin-panel-special-chars
+    path: /admin/*
+    skip_rules:
+      - sql-injection-detection
+      - xss-detection
+    source_networks:
+      - 10.0.0.0/8
+    virtual_host: corporate-website
+
+  - comment: API endpoint accepts large JSON payloads
+    name: allow-api-large-json
+    path: /api/v1/upload
+    skip_rules:
+      - request-size-limit
+    source_networks:
+      - any
+    virtual_host: api-gateway