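---
# ============================================================================
# Global Variables for All Sophos XGS Firewalls
# ============================================================================
# Default values applied to ALL firewalls in the inventory. Override in
# group_vars/sophos_firewalls.yml or in an individual host_vars file.
#
# Security posture of these defaults: the tags below label this inventory
# "production", so every default here is chosen to be safe for production.
# Relax a setting (e.g. certificate validation) only in the host_vars of the
# lab device that needs it, never here.
#
# Author: Network Automation Team
# ============================================================================

# ============================================================================
# API Connection Settings
# ============================================================================

# Management port (Sophos XGS default is 4444; the user portal/web UI is 443).
# The admin API carries credentials for every firewall in the inventory, so
# reachability to this port should be limited to the automation host(s).
sophos_mgmt_port: 4444

# SSL certificate validation for the management API.
# This MUST stay true for production: with validation off, an on-path attacker
# can impersonate the firewall and capture the admin credentials sent by every
# play. For a lab device with a self-signed certificate, set
# `sophos_validate_certs: false` in that host's host_vars only, or better,
# install a trusted certificate on the appliance.
sophos_validate_certs: true

# API timeout in seconds
sophos_api_timeout: 30

# Suppress logging of sensitive data (passwords, API keys, SNMP community).
# Roles are expected to pass this to `no_log:` on tasks that handle secrets;
# leaving it true also keeps secrets out of CI job output.
sophos_no_log_sensitive: true

# Retry settings for API calls
sophos_api_retries: 3
sophos_api_retry_delay: 5

# ============================================================================
# Execution Control
# ============================================================================

# Serial execution limit (number of firewalls configured simultaneously)
sophos_serial_execution: 5

# Feature toggles (disable to skip an entire role)
sophos_manage_network: true
sophos_manage_firewall_rules: true
sophos_manage_site_to_site_vpn: true
sophos_manage_remote_access_vpn: true
sophos_manage_waf: true
sophos_manage_device_access: true
sophos_manage_snmp_logging: true

# Automatically save configuration after changes
sophos_save_config: true

# ============================================================================
# Global Network Settings (defaults)
# ============================================================================

# Default DNS servers (override per firewall).
# These are Google public resolvers; firewall DNS queries reveal internal
# hostnames and go out in cleartext, so point production devices at internal
# resolvers where they exist.
sophos_default_dns_servers:
  - 8.8.8.8
  - 8.8.4.4

# Default NTP servers (plain NTP; accurate time matters for log correlation
# and certificate validation, so prefer internal/authenticated sources if the
# environment provides them)
sophos_default_ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org

# Default timezone
sophos_timezone: "America/New_York"

# Default MTU
sophos_default_mtu: 1500

# ============================================================================
# Global Security Settings (defaults)
# ============================================================================

# Default firewall rule logging (keep on: rule hits feed the SIEM)
sophos_default_rule_log: true

# Default firewall rule action (deny by default; allow must be explicit)
sophos_default_rule_action: "deny"

# Default VPN encryption settings.
# AES-256 / SHA-256 with DH group 14 (2048-bit MODP) is the minimum acceptable
# baseline. ECP groups (19/20) are stronger and faster where both peers
# support them — confirm support on the appliance and the remote peer before
# changing the group. Lifetimes are in seconds; PFS is enabled via the
# ipsec_pfs_group so a compromised IKE key does not expose past ESP traffic.
sophos_default_ike_encryption: "aes256"
sophos_default_ike_hash: "sha256"
sophos_default_ike_dh_group: 14
sophos_default_ike_lifetime: 28800
sophos_default_ipsec_encryption: "aes256"
sophos_default_ipsec_hash: "sha256"
sophos_default_ipsec_pfs_group: 14
sophos_default_ipsec_lifetime: 3600

# ============================================================================
# Global SNMP Settings (defaults)
# ============================================================================

sophos_snmp_enabled: true

# SNMP v2c sends the community string in cleartext and has no authentication
# beyond it; treat the community as a password. Prefer SNMPv3 with auth/priv
# if the role and the monitoring system support it.
sophos_snmp_version: "v2c"

# CHANGE THIS IN PRODUCTION: "public" is the universally known default and is
# the first thing any scanner tries. Override it from an Ansible
# Vault-encrypted vars file (never commit the real value here), and limit
# SNMP access to the monitoring hosts in the device-access configuration.
sophos_snmp_community: "public"

sophos_snmp_location: "Data Center"
sophos_snmp_contact: "netadmin@example.com"

# ============================================================================
# Global Logging Settings (defaults)
# ============================================================================

sophos_logging_enabled: true
sophos_logging_facility: "local0"
sophos_logging_severity: "informational"

# Default syslog servers (extend per firewall).
# UDP/514 is unauthenticated, unencrypted and lossy; an attacker on the path
# can drop or spoof events. Switch to TCP (or TLS where the collector and the
# role support it) for production log delivery.
sophos_syslog_servers:
  - host: "10.0.0.100"
    port: 514
    protocol: "udp"

# ============================================================================
# CI/CD and Version Control
# ============================================================================

# Configuration version (increment when making breaking changes)
sophos_config_version: "1.0.0"

# Tags for resource tracking
sophos_default_tags:
  managed_by: "ansible"
  project: "sophos-xgs-automation"
  environment: "production"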