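---
# ============================================================================
# Sophos XGS Baseline Firewall Configuration
# ============================================================================
# Hostname: fw-baseline
# Location: Data Center - Primary
# Purpose: Baseline firewall for configuration export
#
# This firewall serves as the source for baseline WAF configuration that
# is exported and applied to other firewalls in the fleet.
# ============================================================================

# ============================================================================
# Management Connection
# ============================================================================
sophos_mgmt_host: "192.168.1.10"
sophos_api_username: "admin"
# The API password is resolved from an Ansible Vault variable instead of being
# stored here in clear text. `vault_sophos_api_password` is a placeholder name
# (constructed for this file) — define it in the encrypted vars file. An
# undefined vault variable fails the play, which is the intended failure mode;
# do not reintroduce a default password.
sophos_api_password: "{{ vault_sophos_api_password }}"

# Firewall identification
sophos_hostname: "fw-baseline"
sophos_location: "datacenter-primary"
sophos_device_role: "baseline-export"

# ============================================================================
# Network Configuration
# ============================================================================
sophos_interfaces:
  # WAN Interface
  - name: "Port1"
    type: "physical"
    zone: "WAN"
    description: "Internet connection (ISP primary)"
    mode: "static"
    ip_address: "203.0.113.1"
    netmask: "255.255.255.252"
    gateway: "203.0.113.2"
    mtu: 1500
    enabled: true

  # LAN Interface
  - name: "Port2"
    type: "physical"
    zone: "LAN"
    description: "Internal corporate network"
    mode: "static"
    ip_address: "10.0.0.1"
    netmask: "255.255.255.0"
    mtu: 1500
    enabled: true

  # DMZ Interface
  # NOTE(review): Port3 is addressed in 10.100.0.0/24, but both DMZ firewall
  # rules below reference 10.100.1.0/24 — confirm which subnet actually hosts
  # the web servers, otherwise the rules never match DMZ-attached hosts.
  - name: "Port3"
    type: "physical"
    zone: "DMZ"
    description: "Public-facing servers"
    mode: "static"
    ip_address: "10.100.0.1"
    netmask: "255.255.255.0"
    mtu: 1500
    enabled: true

# VLANs
sophos_vlans:
  - name: "VLAN100-Servers"
    vlan_id: 100
    parent_interface: "Port2"
    zone: "LAN"
    description: "Server VLAN"
    ip_address: "10.0.100.1"
    netmask: "255.255.255.0"
    enabled: true

  - name: "VLAN200-Workstations"
    vlan_id: 200
    parent_interface: "Port2"
    zone: "LAN"
    description: "User workstation VLAN"
    ip_address: "10.0.200.1"
    netmask: "255.255.255.0"
    enabled: true

# ============================================================================
# DHCP Configuration
# ============================================================================
sophos_dhcp_servers:
  - name: "DHCP-VLAN200-Workstations"
    interface: "VLAN200-Workstations"
    enabled: true
    start_ip: "10.0.200.100"
    end_ip: "10.0.200.200"
    netmask: "255.255.255.0"
    gateway: "10.0.200.1"
    dns_servers:
      - "10.0.0.10"
      - "10.0.0.11"
    domain: "corp.example.com"
    lease_time: 86400  # 24 hours
    # Reserved addresses sit below the dynamic pool (.100-.200) so they
    # cannot collide with a lease.
    reservations:
      - mac_address: "00:50:56:00:01:01"
        ip_address: "10.0.200.10"
        hostname: "printer-01"
      - mac_address: "00:50:56:00:01:02"
        ip_address: "10.0.200.11"
        hostname: "printer-02"

# ============================================================================
# DNS Configuration
# ============================================================================
sophos_dns:
  forwarders:
    - "8.8.8.8"
    - "8.8.4.4"
  domain: "corp.example.com"
  enable_dns_forwarder: true

# ============================================================================
# Static Routes
# ============================================================================
sophos_static_routes:
  - name: "Route-to-HQ"
    destination: "10.1.0.0"
    netmask: "255.255.0.0"
    gateway: "10.0.0.254"
    interface: "Port2"
    metric: 10
    enabled: true

# ============================================================================
# Firewall Rules (in addition to common rules)
# ============================================================================
sophos_firewall_rules:
  # DMZ to Internet
  # NOTE(review): DNS to "any" lets DMZ hosts reach arbitrary external
  # resolvers; if the web servers only need the firewall's forwarders,
  # consider narrowing dest_networks for the DNS service.
  - name: "Allow-DMZ-WebServers-to-Internet"
    source_zones: ["DMZ"]
    dest_zones: ["WAN"]
    source_networks: ["10.100.1.0/24"]
    dest_networks: ["any"]
    services: ["HTTP", "HTTPS", "DNS"]
    action: "accept"
    log: true
    enabled: true
    description: "Allow web servers in DMZ to access Internet for updates"

  # LAN to DMZ
  # Logging is off for this rule, so LAN -> DMZ web access does not appear in
  # the syslog "firewall" category configured below; enable it if that
  # traffic needs to be auditable.
  - name: "Allow-LAN-to-DMZ-Web"
    source_zones: ["LAN"]
    dest_zones: ["DMZ"]
    source_networks: ["any"]
    dest_networks: ["10.100.1.0/24"]
    services: ["HTTP", "HTTPS"]
    action: "accept"
    log: false
    enabled: true
    description: "Allow internal users to access DMZ web servers"

# ============================================================================
# SNMP Configuration
# ============================================================================
sophos_snmp:
  enabled: true
  # NOTE(review): v2c carries the community string in clear text on every
  # poll and trap; prefer SNMPv3 with authentication and privacy if the
  # monitoring platform supports it.
  version: "v2c"
  # The community is a shared secret and is resolved from Vault.
  # `vault_sophos_snmp_community` is a placeholder name (constructed for this
  # file); the same variable is reused for trap destinations so the two
  # values cannot drift apart.
  community: "{{ vault_sophos_snmp_community }}"
  location: "DC1-Rack15-U20"
  contact: "netops@example.com"
  allowed_networks:
    - "10.0.0.0/24"
  trap_destinations:
    - host: "10.0.0.100"
      port: 162
      community: "{{ vault_sophos_snmp_community }}"

# ============================================================================
# Logging Configuration
# ============================================================================
sophos_logging:
  enabled: true
  # Syslog over UDP is unauthenticated, unencrypted and lossy; acceptable on
  # the management LAN, but switch to a TLS-capable transport if the
  # collector is ever moved off this segment.
  syslog_servers:
    - host: "10.0.0.101"
      port: 514
      protocol: "udp"
      facility: "local0"
      severity: "informational"
      categories:
        - "firewall"
        - "vpn"
        - "waf"
        - "system"

# ============================================================================
# NTP Configuration
# ============================================================================
sophos_ntp:
  servers:
    - "0.north-america.pool.ntp.org"
    - "1.north-america.pool.ntp.org"
  timezone: "America/New_York"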