kasperj/chittick_projects
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Claude 1

Browse Source
This commit is contained in:
Jake Kasper
2025-12-09 09:33:48 -06:00
parent 228174e541
commit 4f1e8d3add
55 changed files with 4345 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

305
sophos-xgs-ansible/inventory/host_vars/fw-branch2.yml Normal file
View File

@@ -0,0 +1,305 @@
---
# ============================================================================
# Sophos XGS Firewall - Branch Office 2
# ============================================================================
# Hostname: fw-branch2
# Location: Branch Office - Los Angeles
# Purpose: Branch office firewall with remote access VPN
# ============================================================================
# ============================================================================
# Management Connection
# ============================================================================
sophos_mgmt_host: "192.168.20.1"
sophos_api_username: "admin"
sophos_api_password: "Br@nch2P@ss" # CHANGE IN PRODUCTION - Use Ansible Vault
# Firewall identification
sophos_hostname: "fw-branch2"
sophos_location: "branch-office-la"
sophos_device_role: "branch-firewall"
# ============================================================================
# Network Configuration
# ============================================================================
sophos_interfaces:
# WAN Interface
- name: "Port1"
type: "physical"
zone: "WAN"
description: "Internet connection (Branch ISP)"
mode: "static"
ip_address: "198.51.100.20"
netmask: "255.255.255.248"
gateway: "198.51.100.17"
mtu: 1500
enabled: true
# LAN Interface
- name: "Port2"
type: "physical"
zone: "LAN"
description: "Branch office local network"
mode: "static"
ip_address: "10.20.0.1"
netmask: "255.255.255.0"
mtu: 1500
enabled: true
# VLANs
sophos_vlans:
- name: "VLAN50-Users"
vlan_id: 50
parent_interface: "Port2"
zone: "LAN"
description: "User workstations and devices"
ip_address: "10.20.50.1"
netmask: "255.255.255.0"
enabled: true
- name: "VLAN60-Servers"
vlan_id: 60
parent_interface: "Port2"
zone: "LAN"
description: "Local servers"
ip_address: "10.20.60.1"
netmask: "255.255.255.0"
enabled: true
# ============================================================================
# DHCP Configuration
# ============================================================================
sophos_dhcp_servers:
- name: "DHCP-Users"
interface: "VLAN50-Users"
enabled: true
start_ip: "10.20.50.100"
end_ip: "10.20.50.250"
netmask: "255.255.255.0"
gateway: "10.20.50.1"
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
domain: "branch2.example.com"
lease_time: 86400 # 24 hours
- name: "DHCP-Servers"
interface: "VLAN60-Servers"
enabled: true
start_ip: "10.20.60.100"
end_ip: "10.20.60.200"
netmask: "255.255.255.0"
gateway: "10.20.60.1"
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
domain: "branch2.example.com"
lease_time: 86400
reservations:
- mac_address: "00:50:56:20:01:01"
ip_address: "10.20.60.10"
hostname: "branch2-fileserver"
- mac_address: "00:50:56:20:01:02"
ip_address: "10.20.60.11"
hostname: "branch2-printserver"
# ============================================================================
# DNS Configuration
# ============================================================================
sophos_dns:
forwarders:
- "10.0.0.10" # HQ DNS server
- "8.8.8.8"
domain: "branch2.example.com"
enable_dns_forwarder: true
# ============================================================================
# Static Routes
# ============================================================================
sophos_static_routes:
- name: "Route-to-HQ-via-VPN"
destination: "10.0.0.0"
netmask: "255.255.0.0"
gateway: "10.0.0.1"
interface: "VPN"
metric: 5
enabled: true
# ============================================================================
# Firewall Rules (in addition to common rules)
# ============================================================================
sophos_firewall_rules:
# Branch to HQ
- name: "Allow-Branch2-to-HQ"
source_zones: ["LAN"]
dest_zones: ["VPN"]
source_networks: ["10.20.0.0/16"]
dest_networks: ["10.0.0.0/16"]
services: ["any"]
action: "accept"
log: false
enabled: true
description: "Allow Branch 2 to access HQ resources"
# Remote access VPN to internal resources
- name: "Allow-RemoteVPN-to-Internal"
source_zones: ["VPN"]
dest_zones: ["LAN"]
source_networks: ["10.255.0.0/24"] # VPN pool
dest_networks: ["10.20.0.0/16"]
services: ["any"]
action: "accept"
log: true
enabled: true
description: "Allow remote VPN users to access branch resources"
# ============================================================================
# Site-to-Site VPN Configuration
# ============================================================================
sophos_site_to_site_vpns:
- name: "Branch2-to-HQ"
enabled: true
connection_type: "tunnel"
# Local settings
local_gateway: "198.51.100.20"
local_networks:
- "10.20.0.0/16"
local_id: "198.51.100.20"
# Remote settings
remote_gateway: "203.0.113.1"
remote_networks:
- "10.0.0.0/16"
remote_id: "203.0.113.1"
# Phase 1 (IKE) settings
ike_version: 2
ike_encryption: "aes256"
ike_hash: "sha256"
ike_dh_group: 14
ike_lifetime: 28800
authentication_method: "psk"
psk: "Br@nch2ToHQPr3Sh@r3dK3y456" # CHANGE IN PRODUCTION - Use Vault
# Phase 2 (IPsec) settings
ipsec_mode: "tunnel"
ipsec_encryption: "aes256"
ipsec_hash: "sha256"
ipsec_pfs_group: 14
ipsec_lifetime: 3600
# Advanced settings
dpd_enabled: true
dpd_interval: 30
dpd_retries: 3
nat_traversal: true
description: "Site-to-site VPN tunnel between Branch 2 (LA) and HQ"
# ============================================================================
# Remote Access VPN Configuration
# ============================================================================
sophos_remote_access_vpn:
enabled: true
type: "sslvpn"
name: "Branch2-RemoteAccess-VPN"
# Connection settings
listening_port: 443
listening_interface: "Port1" # WAN interface
# Authentication
authentication_method: "local" # Can be "local", "ldap", "radius"
user_groups:
- "Remote-Workers"
- "IT-Staff"
# IP address pool for VPN clients
address_pool:
network: "10.255.0.0"
netmask: "255.255.255.0"
start_ip: "10.255.0.10"
end_ip: "10.255.0.250"
# DNS and routing for VPN clients
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
wins_servers: []
# Split tunnel configuration
tunnel_mode: "split" # "split" or "full"
tunnel_networks: # Only these networks via VPN (split tunnel)
- "10.0.0.0/8"
- "172.16.0.0/12"
# Encryption settings
encryption: "aes256"
hash: "sha256"
# Advanced settings
idle_timeout: 1800 # 30 minutes
session_timeout: 43200 # 12 hours
max_concurrent_connections: 50
enable_compression: true
# Client settings
override_default_gateway: false # For split tunnel
block_lan_access: true # Prevent access to client's local LAN
description: "SSL VPN for remote workers and IT staff"
# ============================================================================
# SNMP Configuration
# ============================================================================
sophos_snmp:
enabled: true
version: "v2c"
community: "br@nch2mon" # CHANGE IN PRODUCTION
location: "Branch2-LA-ITCloset"
contact: "branch2-it@example.com"
allowed_networks:
- "10.20.0.0/16"
- "10.0.0.0/24" # Allow HQ monitoring
trap_destinations:
- host: "10.0.0.100"
port: 162
community: "br@nch2mon"
# ============================================================================
# Logging Configuration
# ============================================================================
sophos_logging:
enabled: true
syslog_servers:
- host: "10.0.0.101"
port: 514
protocol: "udp"
facility: "local2"
severity: "informational"
categories:
- "firewall"
- "vpn"
- "authentication"
- "system"
# ============================================================================
# NTP Configuration
# ============================================================================
sophos_ntp:
servers:
- "10.0.0.1" # HQ firewall as NTP source
- "time.google.com"
timezone: "America/Los_Angeles"