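---
# ============================================================================
# Sophos Firewalls Group Variables
# ============================================================================
# This file contains variables specific to all Sophos XGS firewalls.
# These override defaults in all.yml and can be overridden in host_vars.
#
# Author: Network Automation Team
# ============================================================================

# ============================================================================
# API Authentication Method
# ============================================================================
# Sophos XGS supports two authentication methods:
#   1. API Key (recommended for automation)
#   2. Username/Password
#
# Define ONE of the following in host_vars for each firewall:
#   - sophos_api_key: "your-api-key-here"
#   OR
#   - sophos_api_username: "admin"
#   - sophos_api_password: "secure-password"
#
# The values above are placeholders. Keep the host_vars file that holds the
# real key or password encrypted with ansible-vault so the credential is never
# committed in plaintext.
# ============================================================================

# ============================================================================
# Standard Network Objects (shared across all firewalls)
# ============================================================================
sophos_standard_network_objects:
  # RFC 1918 private networks
  - name: "RFC1918-10.0.0.0/8"
    type: "network"
    address: "10.0.0.0"
    netmask: "255.0.0.0"
    description: "RFC 1918 Class A private network"

  - name: "RFC1918-172.16.0.0/12"
    type: "network"
    address: "172.16.0.0"
    netmask: "255.240.0.0"
    description: "RFC 1918 Class B private network"

  - name: "RFC1918-192.168.0.0/16"
    type: "network"
    address: "192.168.0.0"
    netmask: "255.255.0.0"
    description: "RFC 1918 Class C private network"

  # Infrastructure services
  # These default to a public resolver; override in host_vars (or at group
  # level) where a site uses internal resolvers.
  - name: "DNS-Servers-Primary"
    type: "host"
    address: "8.8.8.8"
    description: "Google Public DNS Primary"

  - name: "DNS-Servers-Secondary"
    type: "host"
    address: "8.8.4.4"
    description: "Google Public DNS Secondary"

# ============================================================================
# Standard Service Objects (shared across all firewalls)
# ============================================================================
# dst_port values are integers on purpose; the consuming module is expected
# to accept numeric ports (confirm against the module's argument spec).
sophos_standard_service_objects:
  - name: "HTTP"
    protocol: "tcp"
    dst_port: 80
    description: "Hypertext Transfer Protocol"

  - name: "HTTPS"
    protocol: "tcp"
    dst_port: 443
    description: "HTTP over TLS/SSL"

  - name: "SSH"
    protocol: "tcp"
    dst_port: 22
    description: "Secure Shell"

  - name: "RDP"
    protocol: "tcp"
    dst_port: 3389
    description: "Remote Desktop Protocol"

  - name: "DNS"
    protocol: "udp"
    dst_port: 53
    description: "Domain Name System"

  - name: "NTP"
    protocol: "udp"
    dst_port: 123
    description: "Network Time Protocol"

  - name: "SNMP"
    protocol: "udp"
    dst_port: 161
    description: "Simple Network Management Protocol"

# ============================================================================
# Standard Zones (expected on all firewalls)
# ============================================================================
sophos_standard_zones:
  - name: "WAN"
    description: "Internet-facing zone"
    type: "wan"

  - name: "LAN"
    description: "Internal trusted network"
    type: "lan"

  - name: "DMZ"
    description: "Demilitarized zone for public servers"
    type: "dmz"

  - name: "VPN"
    description: "VPN client and site-to-site traffic"
    type: "vpn"

# ============================================================================
# Common Firewall Rules (applied to all firewalls)
# ============================================================================
# Only the first and last rules carry an explicit `position`; the NTP and Web
# rules are placed wherever the consuming module puts rules by default.
# Confirm that default keeps them above "Deny-All-Other-Traffic", otherwise
# the catch-all deny will shadow them.
sophos_common_firewall_rules:
  # Allow internal networks to access DNS
  - name: "Allow-LAN-to-Internet-DNS"
    source_zones: ["LAN"]
    dest_zones: ["WAN"]
    source_networks: ["any"]
    dest_networks: ["any"]
    services: ["DNS"]
    action: "accept"
    log: false
    enabled: true
    position: "top"
    description: "Allow internal networks to resolve DNS"

  # Allow internal networks to access NTP
  - name: "Allow-LAN-to-Internet-NTP"
    source_zones: ["LAN"]
    dest_zones: ["WAN"]
    source_networks: ["any"]
    dest_networks: ["any"]
    services: ["NTP"]
    action: "accept"
    log: false
    enabled: true
    description: "Allow internal networks to synchronize time"

  # Allow HTTP/HTTPS from LAN to Internet
  - name: "Allow-LAN-to-Internet-Web"
    source_zones: ["LAN"]
    dest_zones: ["WAN"]
    source_networks: ["any"]
    dest_networks: ["any"]
    services: ["HTTP", "HTTPS"]
    action: "accept"
    log: false
    enabled: true
    description: "Allow web browsing from internal network"

  # Explicit catch-all deny, pinned to the bottom and logged. This is a real
  # rule, not the platform's implicit deny: its purpose is to make every
  # dropped flow visible in the logs.
  - name: "Deny-All-Other-Traffic"
    source_zones: ["any"]
    dest_zones: ["any"]
    source_networks: ["any"]
    dest_networks: ["any"]
    services: ["any"]
    action: "deny"
    log: true
    enabled: true
    position: "bottom"
    description: "Default deny rule - logs all dropped traffic"

# ============================================================================
# Device Access Policies (management services)
# ============================================================================
# An empty `allowed_networks` means every network in the listed zones may
# reach the service. Only the snmp entry below narrows this; consider the
# same management-subnet restriction for https and ssh so that the admin
# interface is not reachable from every LAN host.
sophos_common_device_access_policies:
  # Allow HTTPS admin access from LAN
  - service: "https"
    allowed_zones: ["LAN"]
    allowed_networks: []  # Empty means all networks in zone
    enabled: true

  # Allow SSH admin access from LAN
  - service: "ssh"
    allowed_zones: ["LAN"]
    allowed_networks: []
    enabled: true

  # Allow ping from LAN and WAN (for monitoring)
  # Including WAN makes the firewall answer ICMP echo from the Internet;
  # if the external monitor has a fixed source, list it in allowed_networks
  # instead of leaving the list empty.
  - service: "ping"
    allowed_zones: ["LAN", "WAN"]
    allowed_networks: []
    enabled: true

  # Allow SNMP from management network only
  - service: "snmp"
    allowed_zones: ["LAN"]
    allowed_networks: ["10.0.0.0/24"]  # Restrict to management subnet
    enabled: true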