---
# ============================================================================
# Sophos XGS Baseline WAF Configuration
# ============================================================================
# This file was automatically generated by the baseline_import.yml playbook
#
# Source: fw-baseline (192.168.1.10)
# Exported: 2025-12-09T10:30:00Z
# Exported by: ansible
#
# This configuration serves as the baseline WAF configuration for all
# firewalls in the fleet. Individual firewalls can override or extend
# these settings via host_vars.
#
# DO NOT EDIT THIS FILE MANUALLY - regenerate using baseline_import.yml
#
# NOTE(review): because this file is regenerated, any comment added here
# (including the review notes below) is lost on the next import. Track the
# findings against the source firewall / the generating playbook, or carry
# overrides in host_vars, rather than relying on edits to this file.
# ============================================================================

# Provenance of this export: which firewall it was taken from, when, and by
# whom. Informational; nothing in this file references these values.
_metadata:
  description: Baseline WAF configuration imported from fw-baseline
  exported_by: ansible
  export_timestamp: '2025-12-09T10:30:00Z'
  source_firewall: fw-baseline
  # Address of the source firewall (matches the header above).
  source_ip: 192.168.1.10
  # Quoted on purpose: an unquoted 1.0 would be parsed as a float.
  version: '1.0'

# ============================================================================
# WAF Backend Servers
# ============================================================================
# Origin servers the virtual hosts below forward to, referenced by `name`.
#
# NOTE(review): every backend is reached over plaintext HTTP on 8080 while the
# virtual hosts terminate TLS on 443 (protocol: https below). The WAF-to-origin
# hop is therefore unencrypted; this is only acceptable if the 10.100.1.0 and
# 10.100.2.0 segments are isolated from untrusted hosts. Confirm that, or move
# the backends to TLS if the application servers support it.
sophos_waf_backends:
  - health_check: true
    host: 10.100.1.50
    name: app-server-01
    port: 8080
    protocol: http
  - health_check: true
    host: 10.100.1.51
    name: app-server-02
    port: 8080
    protocol: http
  - health_check: true
    host: 10.100.2.50
    name: api-server-01
    port: 8080
    protocol: http

# ============================================================================
# WAF Protection Policies
# ============================================================================
# Rule sets attached to virtual hosts via `protection_policy`. Both run in
# `prevention` mode, i.e. (per the name) blocking rather than detect-only.
sophos_waf_policies:
  # Policy for the browser-facing corporate site.
  - allowed_methods:
      - GET
      - POST
      - HEAD
    block_common_attacks: true
    # Maximum accepted upload size in MB (per the key name). 100 MB is
    # generous for a corporate website; confirm the site actually needs it.
    file_upload_limit_mb: 100
    max_url_length: 4096
    mode: prevention
    name: standard-web-protection
    sql_injection_protection: true
    xss_protection: true
    # NOTE(review): unlike api-protection, this policy has no
    # rate_limit_requests_per_minute. Consider whether the public site
    # should also be rate limited (login/search/form endpoints in particular).
  # Policy for the JSON API behind api.example.com.
  - allowed_methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
    # NOTE(review): OPTIONS is not listed. If browser clients call this API
    # cross-origin, CORS preflight requests would be rejected — confirm.
    block_common_attacks: true
    # Presumably validates that request bodies are well-formed JSON; it does
    # not imply anything about response content — confirm against the role.
    json_validation: true
    mode: prevention
    name: api-protection
    rate_limit_requests_per_minute: 1000
    sql_injection_protection: true
    # NOTE(review): XSS filtering is disabled for the API. That is defensible
    # only if api.example.com never returns HTML or reflects request content
    # into a browser-rendered context. Confirm responses are strictly JSON
    # with a non-HTML Content-Type before accepting this.
    xss_protection: false

# ============================================================================
# Virtual Web Servers / WAF Rules
# ============================================================================
# Listeners the WAF exposes. Each binds a public IP:port, terminates TLS with
# the named certificate, applies one protection policy and forwards to the
# listed backends.
#
# NOTE(review): 203.0.113.0/24 is the RFC 5737 TEST-NET-3 documentation
# range and example.com is a reserved example domain, so these look like
# placeholder values. Confirm they are replaced per host before deployment.
sophos_waf_virtual_hosts:
  - backend_servers:
      - app-server-01
      - app-server-02
    domain: www.example.com
    # NOTE(review): response compression on a TLS site can enable
    # BREACH-style side channels when a response echoes attacker-controlled
    # input alongside a secret (e.g. a CSRF token). Confirm this is acceptable
    # for the pages served here, or disable compression on such responses.
    enable_compression: true
    # HSTS is enabled; max-age / includeSubDomains / preload are not set here,
    # so the role's defaults apply — confirm what those are.
    enable_hsts: true
    listening_ip: 203.0.113.10
    listening_port: 443
    load_balancing: round-robin
    name: corporate-website
    protocol: https
    protection_policy: standard-web-protection
    # Presumably seconds (30 min) — confirm the unit against the role.
    session_timeout: 1800
    # Shared wildcard certificate: one key for both listeners, so a compromise
    # of that key affects every *.example.com service — keep it under tight
    # custody and prefer per-host certificates where the platform allows.
    ssl_certificate: wildcard-example-com
  - backend_servers:
      - api-server-01
    domain: api.example.com
    enable_hsts: true
    listening_ip: 203.0.113.11
    listening_port: 443
    name: api-gateway
    protocol: https
    protection_policy: api-protection
    # Presumably seconds (60 min) — confirm the unit against the role.
    session_timeout: 3600
    ssl_certificate: wildcard-example-com
    # NOTE(review): once a connection is upgraded to WebSocket, HTTP-level
    # rule inspection generally no longer applies to the frames that follow.
    # Confirm the api-protection policy is understood not to cover WebSocket
    # payloads and that the backend validates them itself.
    websocket_support: true

# ============================================================================
# WAF Exceptions (Allow-list)
# ============================================================================
# Rule bypasses scoped to a virtual host, a path and a set of source networks.
# Each entry weakens coverage; review them with more scrutiny than the rest of
# this file.
sophos_waf_exceptions:
  # NOTE(review): this disables BOTH SQL-injection and XSS detection for
  # everything under /admin/ for the entire 10.0.0.0/8 — the highest-value
  # path gets the weakest inspection, for roughly 16M possible source
  # addresses. Prefer scoping the bypass to the specific parameters / rule IDs
  # that false-positive and narrowing source_networks to the admin jump hosts
  # or VPN pool. Note also that the exception only relaxes inspection for
  # 10/8; other sources still hit the rules, which implies /admin/* is
  # reachable from outside 10/8 at all — confirm that exposure is intended.
  - comment: Admin panel requires special characters in parameters
    name: allow-admin-panel-special-chars
    # Prefix glob: applies to every path below /admin/.
    path: /admin/*
    skip_rules:
      - sql-injection-detection
      - xss-detection
    source_networks:
      - 10.0.0.0/8
    virtual_host: corporate-website
  # NOTE(review): the request-size limit is removed for ANY source on an
  # upload endpoint, so an unauthenticated client can send arbitrarily large
  # bodies — a resource-exhaustion risk for the WAF and for api-server-01.
  # Prefer an explicit, larger limit for this path instead of skipping the
  # rule, and at minimum confirm that the backend enforces its own body-size
  # cap and that /api/v1/upload requires authentication before the body is
  # read.
  - comment: API endpoint accepts large JSON payloads
    name: allow-api-large-json
    path: /api/v1/upload
    skip_rules:
      - request-size-limit
    source_networks:
      - any
    virtual_host: api-gateway