# Sophos XGS Ansible - Quick Start Guide

Get up and running with Sophos XGS firewall automation in 10 minutes.

## Step 1: Prerequisites Check

Ensure you have:

- [ ] Ansible 2.14+ installed
- [ ] Python 3.8+ installed
- [ ] Network access to your Sophos XGS firewalls on port 4444 (HTTPS)
- [ ] Admin credentials for each firewall

```bash
# Check versions
ansible --version
python3 --version
```

## Step 2: Install Dependencies

```bash
cd sophos-xgs-ansible
ansible-galaxy collection install -r collections/requirements.yml
```

## Step 3: Configure Your First Firewall

Edit `inventory/hosts.ini`:

```ini
[sophos_firewalls]
my-firewall ansible_host=192.168.1.1
```

Create `inventory/host_vars/my-firewall.yml`:

```yaml
---
sophos_mgmt_host: "192.168.1.1"
sophos_api_username: "admin"
sophos_api_password: "YourPassword"  # Use vault in production!
sophos_hostname: "my-firewall"
sophos_location: "office"

# Minimal config - interfaces
sophos_interfaces:
  - name: "Port1"
    zone: "WAN"
    mode: "dhcp"
    enabled: true
  - name: "Port2"
    zone: "LAN"
    mode: "static"
    ip_address: "10.0.0.1"
    netmask: "255.255.255.0"
    enabled: true
```

## Step 4: Test Connection

```bash
# Test connectivity and authentication
ansible-playbook -i inventory/hosts.ini site.yml --tags validation --limit my-firewall
```

## Step 5: Apply Configuration

```bash
# Dry-run first (safe!)
ansible-playbook -i inventory/hosts.ini site.yml --limit my-firewall --check

# Apply for real
ansible-playbook -i inventory/hosts.ini site.yml --limit my-firewall
```

## Step 6: Secure Credentials (Production)

```bash
# Encrypt sensitive host_vars
ansible-vault encrypt inventory/host_vars/my-firewall.yml

# Run playbook with vault
ansible-playbook -i inventory/hosts.ini site.yml --ask-vault-pass
```

## Next Steps

1. **Add more firewalls**: Copy `my-firewall.yml` to create more host_vars files
2. **Configure VLANs**: Add `sophos_vlans` to your host_vars
3. **Set up DHCP**: Add `sophos_dhcp_servers` to your host_vars
4. **Add firewall rules**: Define `sophos_firewall_rules`
5. **Set up VPNs**: Configure `sophos_site_to_site_vpns`
6. **Import baseline WAF**: Run `baseline_import.yml` if you have an existing WAF setup

## Common Commands

```bash
# Configure only network settings
ansible-playbook -i inventory/hosts.ini site.yml --tags network

# Configure only firewall rules
ansible-playbook -i inventory/hosts.ini site.yml --tags firewall

# Configure a specific firewall
ansible-playbook -i inventory/hosts.ini site.yml --limit fw-branch1

# Dry-run (check mode)
ansible-playbook -i inventory/hosts.ini site.yml --check

# Import baseline WAF config
ansible-playbook -i inventory/hosts.ini baseline_import.yml
```

## Troubleshooting

**Cannot connect to firewall:**

```bash
# Test basic connectivity
ping 192.168.1.1
nc -zv 192.168.1.1 4444
```

**Authentication failed:**

- Verify credentials in host_vars
- Check that API access is enabled on the firewall
- Verify the user has admin privileges

**Getting help:**

- Review `README.md` for full documentation
- Check `group_vars_schema.md` for all variable options
- Review role tasks in `roles/*/tasks/main.yml`

---

**You're ready to go!** Start small with one firewall, then scale to your entire fleet.
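A pre-flight check for Step 6, added here as an example and not part of the sophos-xgs-ansible project: it scans `inventory/host_vars/*.yml` and reports any file that still carries `sophos_api_password` in clear text, so a wrapper script can refuse to run `site.yml` until the file has been vault-encrypted. The sample host_vars contents, the `check_host_vars.py` script name and the `vault_sophos_api_password` variable name are constructed for the example.

```python
# Added pre-flight check for Step 6, not part of the sophos-xgs-ansible project: refuse to
# run site.yml while any host_vars file still stores sophos_api_password in clear text.
import re
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

VAULT_HEADER = "$ANSIBLE_VAULT;"        # first line written by `ansible-vault encrypt`
SECRET_KEYS = ("sophos_api_password",)  # keys that must never be stored in clear text
_KEY = "|".join(map(re.escape, SECRET_KEYS))
# Acceptable forms: inline "!vault |" blob, or a Jinja reference to a vaulted variable.
SAFE_VALUE = re.compile(rf"^\s*(?:{_KEY})\s*:\s*(?:!vault\b|[\"']?\{{\{{)")
ANY_VALUE = re.compile(rf"^\s*(?:{_KEY})\s*:\s*\S")   # key followed by some literal value

def plaintext_secret_lines(text: str) -> List[int]:
    """Return 1-based line numbers holding an unencrypted secret ([] if the file is clean)."""
    if text.lstrip().startswith(VAULT_HEADER):
        return []                                     # whole file is vault-encrypted
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if ANY_VALUE.match(line) and not SAFE_VALUE.match(line)]

def scan_host_vars(directory: Path) -> Dict[str, List[int]]:
    """Map each offending host_vars file name to the line numbers of its plaintext secrets."""
    hits = {p.name: plaintext_secret_lines(p.read_text()) for p in sorted(directory.glob("*.yml"))}
    return {name: lines for name, lines in hits.items() if lines}

# Constructed sample host_vars (assumed contents, not real credentials).
SAMPLE_FILES = {
    "my-firewall.yml": '---\nsophos_mgmt_host: "192.168.1.1"\nsophos_api_username: "admin"\n'
                       'sophos_api_password: "YourPassword"  # Use vault in production!\n',
    "fw-branch1.yml": '---\nsophos_api_username: "admin"\n'
                      'sophos_api_password: "{{ vault_sophos_api_password }}"\n',
    "fw-branch2.yml": "$ANSIBLE_VAULT;1.1;AES256\n3131313131\n",   # encrypted whole file
}

def demo() -> Dict[str, List[int]]:
    """Write the samples into a temporary inventory/host_vars tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        host_vars = Path(tmp) / "inventory" / "host_vars"
        host_vars.mkdir(parents=True)
        for name, body in SAMPLE_FILES.items():
            (host_vars / name).write_text(body)
        return scan_host_vars(host_vars)

if __name__ == "__main__":                  # usage: python check_host_vars.py [host_vars_dir]
    found = scan_host_vars(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print(found or "no plaintext secrets found")
    sys.exit(1 if found else 0)             # non-zero exit blocks a wrapper that runs site.yml
```

Run it against your real `inventory/host_vars` before `ansible-playbook ... --ask-vault-pass`; only `my-firewall.yml` from the samples is flagged, because the other two use a vaulted variable or whole-file encryption.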