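---
# ============================================================================
# Sophos XGS Firewall Fleet Management - Main Playbook
# ============================================================================
# This playbook applies all configuration roles to Sophos XGS firewalls
# in the inventory. It is designed to be idempotent and safe to run
# repeatedly in production environments and CI/CD pipelines.
#
# Usage:
#   ansible-playbook -i inventory/hosts.ini site.yml
#   ansible-playbook -i inventory/hosts.ini site.yml --limit fw-branch1
#   ansible-playbook -i inventory/hosts.ini site.yml --tags network
#   ansible-playbook -i inventory/hosts.ini site.yml --check   # Dry-run mode
#
# Role phases run in declaration order; each phase after the first can be
# switched off per host/group with its sophos_manage_* variable (all default
# to true). sophos_common is tagged 'always' so connectivity/API validation
# runs even when the play is limited with --tags.
#
# Author: Network Automation Team
# ============================================================================

- name: Configure Sophos XGS Firewalls
  hosts: sophos_firewalls
  # The firewall is driven through its HTTPS API, not SSH: no facts to gather
  # and nothing to escalate.
  gather_facts: false
  become: false

  # Set serial execution to avoid overwhelming API endpoints.
  # In production, adjust based on your API rate limits.
  serial: "{{ sophos_serial_execution | default(5) }}"

  # Define task execution order and tagging
  roles:
    # Phase 1: Establish connectivity and validate API access
    - role: sophos_common
      tags: ['always', 'common', 'validation']

    # Phase 2: Configure network foundation (interfaces, VLANs, routing, DNS, DHCP)
    - role: sophos_network
      tags: ['network', 'interfaces', 'vlans', 'dhcp', 'dns', 'routing']
      when: sophos_manage_network | default(true)

    # Phase 3: Configure firewall rules (after network objects exist)
    - role: sophos_firewall_rules
      tags: ['firewall', 'rules', 'security']
      when: sophos_manage_firewall_rules | default(true)

    # Phase 4: Configure site-to-site VPN tunnels
    - role: sophos_vpn_site_to_site
      tags: ['vpn', 'site-to-site', 'ipsec']
      when: sophos_manage_site_to_site_vpn | default(true)

    # Phase 5: Configure remote access VPN
    - role: sophos_vpn_remote_access
      tags: ['vpn', 'remote-access', 'ssl-vpn']
      when: sophos_manage_remote_access_vpn | default(true)

    # Phase 6: Configure web application firewall (WAF) policies
    - role: sophos_waf
      tags: ['waf', 'web', 'application-firewall']
      when: sophos_manage_waf | default(true)

    # Phase 7: Configure device access policies (management services)
    - role: sophos_device_access
      tags: ['device-access', 'management', 'security']
      when: sophos_manage_device_access | default(true)

    # Phase 8: Configure SNMP, logging, and NTP
    - role: sophos_snmp_logging
      tags: ['snmp', 'logging', 'monitoring', 'ntp']
      when: sophos_manage_snmp_logging | default(true)

  # Post-configuration tasks
  post_tasks:
    # Summary only: prints host, management address and the roles that ran.
    # It deliberately prints no credentials, so it can stay visible in logs.
    - name: Display configuration summary
      ansible.builtin.debug:
        msg:
          - "======================================"
          - "Sophos XGS Configuration Complete"
          - "======================================"
          - "Firewall: {{ inventory_hostname }}"
          - "Management IP: {{ sophos_mgmt_host }}"
          - "Roles Applied: {{ ansible_play_role_names | join(', ') }}"
          - "Configuration Version: {{ sophos_config_version | default('N/A') }}"
      tags: ['always']

    # Off by default (sophos_save_config). The API credentials are carried in
    # the reqxml request; they are sent as form-encoded POST body rather than
    # as a URL query parameter so they do not end up in web-server, proxy or
    # Ansible URL logging. NOTE(review): confirm with your firmware's API help
    # that the APIController endpoint accepts reqxml as POST form data.
    - name: Save configuration to file (optional)
      ansible.builtin.uri:
        url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
        method: POST
        body_format: form-urlencoded
        body:
          # TODO(review): the XML request document around the credentials was
          # lost in this copy of the file (markup stripped); restore it from
          # the original source before enabling sophos_save_config.
          reqxml: "{{ sophos_api_username }}{{ sophos_api_password }}"
        # No default on purpose: the inventory must state explicitly whether
        # the firewall's management certificate is verified.
        validate_certs: "{{ sophos_validate_certs }}"
        headers:
          Content-Type: "application/x-www-form-urlencoded"
        # NOTE(review): an HTTP 2xx only proves the request was accepted;
        # check the API's response status in the body if you need to assert
        # that the save actually succeeded.
        status_code: [200, 201]
      when: sophos_save_config | default(false)
      tags: ['always']
      # Keeps the credential-bearing request out of task output; only disable
      # for debugging against a non-production device.
      no_log: "{{ sophos_no_log_sensitive | default(true) }}"

# End of site.yml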