Claude 1

sophos-xgs-ansible/inventory/host_vars/fw-baseline.yml

@@ -0,0 +1,206 @@
+---
+# ============================================================================
+# Sophos XGS Baseline Firewall Configuration
+# ============================================================================
+# Hostname: fw-baseline
+# Location: Data Center - Primary
+# Purpose: Baseline firewall for configuration export
+#
+# This firewall serves as the source for baseline WAF configuration that
+# is exported and applied to other firewalls in the fleet.
+# ============================================================================
+
+# ============================================================================
+# Management Connection
+# ============================================================================
+
+sophos_mgmt_host: "192.168.1.10"
+sophos_api_username: "admin"
+sophos_api_password: "P@ssw0rd123"  # CHANGE IN PRODUCTION - Use Ansible Vault
+
+# Firewall identification
+sophos_hostname: "fw-baseline"
+sophos_location: "datacenter-primary"
+sophos_device_role: "baseline-export"
+
+# ============================================================================
+# Network Configuration
+# ============================================================================
+
+sophos_interfaces:
+  # WAN Interface
+  - name: "Port1"
+    type: "physical"
+    zone: "WAN"
+    description: "Internet connection (ISP primary)"
+    mode: "static"
+    ip_address: "203.0.113.1"
+    netmask: "255.255.255.252"
+    gateway: "203.0.113.2"
+    mtu: 1500
+    enabled: true
+
+  # LAN Interface
+  - name: "Port2"
+    type: "physical"
+    zone: "LAN"
+    description: "Internal corporate network"
+    mode: "static"
+    ip_address: "10.0.0.1"
+    netmask: "255.255.255.0"
+    mtu: 1500
+    enabled: true
+
+  # DMZ Interface
+  - name: "Port3"
+    type: "physical"
+    zone: "DMZ"
+    description: "Public-facing servers"
+    mode: "static"
+    ip_address: "10.100.0.1"
+    netmask: "255.255.255.0"
+    mtu: 1500
+    enabled: true
+
+# VLANs
+sophos_vlans:
+  - name: "VLAN100-Servers"
+    vlan_id: 100
+    parent_interface: "Port2"
+    zone: "LAN"
+    description: "Server VLAN"
+    ip_address: "10.0.100.1"
+    netmask: "255.255.255.0"
+    enabled: true
+
+  - name: "VLAN200-Workstations"
+    vlan_id: 200
+    parent_interface: "Port2"
+    zone: "LAN"
+    description: "User workstation VLAN"
+    ip_address: "10.0.200.1"
+    netmask: "255.255.255.0"
+    enabled: true
+
+# ============================================================================
+# DHCP Configuration
+# ============================================================================
+
+sophos_dhcp_servers:
+  - name: "DHCP-VLAN200-Workstations"
+    interface: "VLAN200-Workstations"
+    enabled: true
+    start_ip: "10.0.200.100"
+    end_ip: "10.0.200.200"
+    netmask: "255.255.255.0"
+    gateway: "10.0.200.1"
+    dns_servers:
+      - "10.0.0.10"
+      - "10.0.0.11"
+    domain: "corp.example.com"
+    lease_time: 86400  # 24 hours
+    reservations:
+      - mac_address: "00:50:56:00:01:01"
+        ip_address: "10.0.200.10"
+        hostname: "printer-01"
+      - mac_address: "00:50:56:00:01:02"
+        ip_address: "10.0.200.11"
+        hostname: "printer-02"
+
+# ============================================================================
+# DNS Configuration
+# ============================================================================
+
+sophos_dns:
+  forwarders:
+    - "8.8.8.8"
+    - "8.8.4.4"
+  domain: "corp.example.com"
+  enable_dns_forwarder: true
+
+# ============================================================================
+# Static Routes
+# ============================================================================
+
+sophos_static_routes:
+  - name: "Route-to-HQ"
+    destination: "10.1.0.0"
+    netmask: "255.255.0.0"
+    gateway: "10.0.0.254"
+    interface: "Port2"
+    metric: 10
+    enabled: true
+
+# ============================================================================
+# Firewall Rules (in addition to common rules)
+# ============================================================================
+
+sophos_firewall_rules:
+  # DMZ to Internet
+  - name: "Allow-DMZ-WebServers-to-Internet"
+    source_zones: ["DMZ"]
+    dest_zones: ["WAN"]
+    source_networks: ["10.100.1.0/24"]
+    dest_networks: ["any"]
+    services: ["HTTP", "HTTPS", "DNS"]
+    action: "accept"
+    log: true
+    enabled: true
+    description: "Allow web servers in DMZ to access Internet for updates"
+
+  # LAN to DMZ
+  - name: "Allow-LAN-to-DMZ-Web"
+    source_zones: ["LAN"]
+    dest_zones: ["DMZ"]
+    source_networks: ["any"]
+    dest_networks: ["10.100.1.0/24"]
+    services: ["HTTP", "HTTPS"]
+    action: "accept"
+    log: false
+    enabled: true
+    description: "Allow internal users to access DMZ web servers"
+
+# ============================================================================
+# SNMP Configuration
+# ============================================================================
+
+sophos_snmp:
+  enabled: true
+  version: "v2c"
+  community: "mon1tor!ng"  # CHANGE IN PRODUCTION
+  location: "DC1-Rack15-U20"
+  contact: "netops@example.com"
+  allowed_networks:
+    - "10.0.0.0/24"
+  trap_destinations:
+    - host: "10.0.0.100"
+      port: 162
+      community: "mon1tor!ng"
+
+# ============================================================================
+# Logging Configuration
+# ============================================================================
+
+sophos_logging:
+  enabled: true
+  syslog_servers:
+    - host: "10.0.0.101"
+      port: 514
+      protocol: "udp"
+      facility: "local0"
+      severity: "informational"
+  categories:
+    - "firewall"
+    - "vpn"
+    - "waf"
+    - "system"
+
+# ============================================================================
+# NTP Configuration
+# ============================================================================
+
+sophos_ntp:
+  servers:
+    - "0.north-america.pool.ntp.org"
+    - "1.north-america.pool.ntp.org"
+  timezone: "America/New_York"