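---
# ============================================================================
# Sophos XGS Firewall - Branch Office 1
# ============================================================================
# Hostname: fw-branch1
# Location: Branch Office - New York
# Purpose: Branch office firewall with site-to-site VPN to HQ
# ============================================================================
# Note: this file contains three secrets (API password, IPsec PSK, SNMP
# community). They are placeholders marked "CHANGE IN PRODUCTION" below and
# must be supplied from Ansible Vault (e.g. an !vault inline value) rather than
# committed in plaintext.
# ============================================================================

# ============================================================================
# Management Connection
# ============================================================================
sophos_mgmt_host: "192.168.10.1"
sophos_api_username: "admin"
sophos_api_password: "Br@nch1P@ss"  # CHANGE IN PRODUCTION - Use Ansible Vault

# Firewall identification
sophos_hostname: "fw-branch1"
sophos_location: "branch-office-nyc"
sophos_device_role: "branch-firewall"

# ============================================================================
# Network Configuration
# ============================================================================
sophos_interfaces:
  # WAN Interface
  - name: "Port1"
    type: "physical"
    zone: "WAN"
    description: "Internet connection (Branch ISP)"
    mode: "static"
    ip_address: "198.51.100.10"
    netmask: "255.255.255.248"
    gateway: "198.51.100.9"
    mtu: 1500
    enabled: true

  # LAN Interface
  - name: "Port2"
    type: "physical"
    zone: "LAN"
    description: "Branch office local network"
    mode: "static"
    ip_address: "10.10.0.1"
    netmask: "255.255.255.0"
    mtu: 1500
    enabled: true

  # WiFi Interface
  - name: "Port3"
    type: "physical"
    zone: "LAN"
    description: "Wireless AP connection"
    mode: "static"
    # NOTE(review): 10.10.10.1/24 is also assigned to VLAN10-Voice (parent
    # Port2) below. Two interfaces sharing one address/subnet is an addressing
    # conflict - confirm which of the two should own 10.10.10.0/24.
    ip_address: "10.10.10.1"
    netmask: "255.255.255.0"
    mtu: 1500
    enabled: true

# VLANs
sophos_vlans:
  - name: "VLAN10-Voice"
    vlan_id: 10
    parent_interface: "Port2"
    zone: "LAN"
    description: "VoIP phones"
    ip_address: "10.10.10.1"  # NOTE(review): duplicates Port3 - see above
    netmask: "255.255.255.0"
    enabled: true
  - name: "VLAN20-Data"
    vlan_id: 20
    parent_interface: "Port2"
    zone: "LAN"
    description: "User workstations"
    ip_address: "10.10.20.1"
    netmask: "255.255.255.0"
    enabled: true
  # Guest VLAN shares the LAN zone; isolation from internal networks relies
  # entirely on the source_networks-based firewall rules further down.
  - name: "VLAN30-Guest"
    vlan_id: 30
    parent_interface: "Port3"
    zone: "LAN"
    description: "Guest WiFi"
    ip_address: "10.10.30.1"
    netmask: "255.255.255.0"
    enabled: true

# ============================================================================
# DHCP Configuration
# ============================================================================
sophos_dhcp_servers:
  - name: "DHCP-Voice"
    interface: "VLAN10-Voice"
    enabled: true
    start_ip: "10.10.10.100"
    end_ip: "10.10.10.199"
    netmask: "255.255.255.0"
    gateway: "10.10.10.1"
    dns_servers:
      - "10.0.0.10"
      - "8.8.8.8"
    domain: "branch1.example.com"
    lease_time: 43200  # 12 hours
    dhcp_options:
      - option: 66  # TFTP server
        value: "10.0.0.50"
      - option: 150  # Cisco TFTP server
        value: "10.0.0.50"
  - name: "DHCP-Data"
    interface: "VLAN20-Data"
    enabled: true
    start_ip: "10.10.20.50"
    end_ip: "10.10.20.200"
    netmask: "255.255.255.0"
    gateway: "10.10.20.1"
    dns_servers:
      - "10.0.0.10"
      - "8.8.8.8"
    domain: "branch1.example.com"
    lease_time: 86400  # 24 hours
    reservations:
      - mac_address: "00:50:56:10:01:01"
        ip_address: "10.10.20.10"
        hostname: "branch1-printer"
  # Guest clients get public resolvers only, so they never need to reach the
  # HQ DNS server (10.0.0.10); this matches the guest firewall rules below.
  - name: "DHCP-Guest"
    interface: "VLAN30-Guest"
    enabled: true
    start_ip: "10.10.30.100"
    end_ip: "10.10.30.200"
    netmask: "255.255.255.0"
    gateway: "10.10.30.1"
    dns_servers:
      - "8.8.8.8"
      - "8.8.4.4"
    domain: "guest.example.com"
    lease_time: 3600  # 1 hour

# ============================================================================
# DNS Configuration
# ============================================================================
sophos_dns:
  forwarders:
    - "10.0.0.10"  # HQ DNS server
    - "8.8.8.8"
  domain: "branch1.example.com"
  enable_dns_forwarder: true

# ============================================================================
# Static Routes
# ============================================================================
sophos_static_routes:
  - name: "Route-to-HQ-via-VPN"
    destination: "10.0.0.0"
    netmask: "255.255.0.0"
    # NOTE(review): the gateway 10.0.0.1 lies inside the destination network
    # itself; whether that is a valid next-hop for interface "VPN" depends on
    # how the role models the tunnel - confirm against a working deployment.
    gateway: "10.0.0.1"
    interface: "VPN"
    metric: 5
    enabled: true

# ============================================================================
# Firewall Rules (in addition to common rules)
# ============================================================================
# Rule order is significant: "Deny-Guest-to-Internal" must stay ahead of
# "Allow-Branch-to-HQ", because the latter's source 10.10.0.0/16 also contains
# the guest subnet 10.10.30.0/24. Reordering these would expose HQ to guests.
sophos_firewall_rules:
  # Guest network isolation
  - name: "Allow-Guest-to-Internet-Only"
    source_zones: ["LAN"]
    dest_zones: ["WAN"]
    source_networks: ["10.10.30.0/24"]
    dest_networks: ["any"]
    services: ["HTTP", "HTTPS", "DNS"]
    action: "accept"
    log: false  # consider logging: guest egress is unauthenticated traffic
    enabled: true
    description: "Guest WiFi can only access Internet"
  - name: "Deny-Guest-to-Internal"
    source_zones: ["LAN"]
    dest_zones: ["LAN", "VPN"]
    source_networks: ["10.10.30.0/24"]
    dest_networks: ["any"]
    services: ["any"]
    action: "deny"
    log: true
    enabled: true
    description: "Block guest network from accessing internal resources"
  # Branch to HQ
  - name: "Allow-Branch-to-HQ"
    source_zones: ["LAN"]
    dest_zones: ["VPN"]
    source_networks: ["10.10.0.0/16"]
    dest_networks: ["10.0.0.0/16"]
    services: ["any"]
    action: "accept"
    log: false
    enabled: true
    description: "Allow branch office to access HQ resources"

# ============================================================================
# Site-to-Site VPN Configuration
# ============================================================================
sophos_site_to_site_vpns:
  - name: "Branch1-to-HQ"
    enabled: true
    connection_type: "tunnel"
    # Local settings
    local_gateway: "198.51.100.10"
    # local_networks covers the whole branch /16, including the guest VLAN;
    # guest reachability of HQ is prevented only by "Deny-Guest-to-Internal".
    local_networks:
      - "10.10.0.0/16"
    local_id: "198.51.100.10"
    # Remote settings
    remote_gateway: "203.0.113.1"
    remote_networks:
      - "10.0.0.0/16"
    remote_id: "203.0.113.1"
    # Phase 1 (IKE) settings
    ike_version: 2
    ike_encryption: "aes256"
    ike_hash: "sha256"
    ike_dh_group: 14
    ike_lifetime: 28800  # 8 hours
    authentication_method: "psk"
    # The PSK must match the HQ side exactly and must never be committed in
    # plaintext; rotate it if this file has ever been pushed with a real value.
    psk: "Sup3rS3cr3tPr3Sh@r3dK3y123"  # CHANGE IN PRODUCTION - Use Vault
    # Phase 2 (IPsec) settings
    ipsec_mode: "tunnel"
    ipsec_encryption: "aes256"
    ipsec_hash: "sha256"
    ipsec_pfs_group: 14  # PFS enabled - Phase 2 keys are independent of IKE
    ipsec_lifetime: 3600  # 1 hour
    # Advanced settings
    dpd_enabled: true
    dpd_interval: 30
    dpd_retries: 3
    nat_traversal: true
    description: "Site-to-site VPN tunnel between Branch 1 (NYC) and HQ"

# ============================================================================
# SNMP Configuration
# ============================================================================
sophos_snmp:
  enabled: true
  # v2c sends the community string in cleartext; prefer SNMPv3 with
  # authentication and privacy if the monitoring platform supports it.
  version: "v2c"
  community: "br@nch1mon"  # CHANGE IN PRODUCTION
  location: "Branch1-NYC-NetworkCloset"
  contact: "branch1-it@example.com"
  # Restrict polling sources; the trap destination 10.0.0.100 is within the
  # HQ /24 allowed here.
  allowed_networks:
    - "10.10.0.0/16"
    - "10.0.0.0/24"  # Allow HQ monitoring
  trap_destinations:
    - host: "10.0.0.100"
      port: 162
      community: "br@nch1mon"

# ============================================================================
# Logging Configuration
# ============================================================================
sophos_logging:
  enabled: true
  syslog_servers:
    - host: "10.0.0.101"
      port: 514
      # UDP syslog is unencrypted and unacknowledged; it only travels inside
      # the IPsec tunnel here. Use a reliable/encrypted transport if the
      # platform offers one.
      protocol: "udp"
      facility: "local1"
      severity: "informational"
  # NOTE(review): whether "categories" is global or per syslog server could
  # not be recovered from the collapsed source - confirm against the role.
  categories:
    - "firewall"
    - "vpn"
    - "system"

# ============================================================================
# NTP Configuration
# ============================================================================
sophos_ntp:
  servers:
    - "10.0.0.1"  # HQ firewall as NTP source
    - "time.google.com"
  timezone: "America/New_York"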