---
# ---------------------------------------------------------------------------
# Sophos XGS Firewall - Branch Office 2
#   Hostname: fw-branch2
#   Location: Branch Office - Los Angeles
#   Purpose:  Branch office firewall with remote access VPN
# ---------------------------------------------------------------------------

# ---------------------------------------------------------------------------
# Management Connection
# ---------------------------------------------------------------------------
sophos_mgmt_host: '192.168.20.1'
sophos_api_username: 'admin'
# Plaintext credential - CHANGE IN PRODUCTION by moving it into Ansible Vault.
sophos_api_password: 'Br@nch2P@ss'

# Firewall identification
sophos_hostname: 'fw-branch2'
sophos_location: 'branch-office-la'
sophos_device_role: 'branch-firewall'

# ---------------------------------------------------------------------------
# Network Configuration
# ---------------------------------------------------------------------------
sophos_interfaces:
  # WAN interface (branch ISP uplink)
  - name: 'Port1'
    type: 'physical'
    zone: 'WAN'
    description: 'Internet connection (Branch ISP)'
    mode: 'static'
    ip_address: '198.51.100.20'
    netmask: '255.255.255.248'
    gateway: '198.51.100.17'
    mtu: 1500
    enabled: true

  # LAN interface; the VLANs below hang off this port
  - name: 'Port2'
    type: 'physical'
    zone: 'LAN'
    description: 'Branch office local network'
    mode: 'static'
    ip_address: '10.20.0.1'
    netmask: '255.255.255.0'
    mtu: 1500
    enabled: true

# VLANs on Port2
sophos_vlans:
  - name: 'VLAN50-Users'
    vlan_id: 50
    parent_interface: 'Port2'
    zone: 'LAN'
    description: 'User workstations and devices'
    ip_address: '10.20.50.1'
    netmask: '255.255.255.0'
    enabled: true

  - name: 'VLAN60-Servers'
    vlan_id: 60
    parent_interface: 'Port2'
    zone: 'LAN'
    description: 'Local servers'
    ip_address: '10.20.60.1'
    netmask: '255.255.255.0'
    enabled: true

# ---------------------------------------------------------------------------
# DHCP Configuration
# ---------------------------------------------------------------------------
sophos_dhcp_servers:
  - name: 'DHCP-Users'
    interface: 'VLAN50-Users'
    enabled: true
    start_ip: '10.20.50.100'
    end_ip: '10.20.50.250'
    netmask: '255.255.255.0'
    gateway: '10.20.50.1'
    # NOTE(review): a public resolver is handed out next to the HQ server;
    # clients that pick 8.8.8.8 will send branch2.example.com lookups off-site.
    # Confirm this is intended.
    dns_servers:
      - '10.0.0.10'
      - '8.8.8.8'
    domain: 'branch2.example.com'
    lease_time: 86400  # 24 hours

  - name: 'DHCP-Servers'
    interface: 'VLAN60-Servers'
    enabled: true
    start_ip: '10.20.60.100'
    end_ip: '10.20.60.200'
    netmask: '255.255.255.0'
    gateway: '10.20.60.1'
    dns_servers:
      - '10.0.0.10'
      - '8.8.8.8'
    domain: 'branch2.example.com'
    lease_time: 86400
    # Fixed leases for servers (addresses sit below the dynamic range)
    reservations:
      - mac_address: '00:50:56:20:01:01'
        ip_address: '10.20.60.10'
        hostname: 'branch2-fileserver'
      - mac_address: '00:50:56:20:01:02'
        ip_address: '10.20.60.11'
        hostname: 'branch2-printserver'

# ---------------------------------------------------------------------------
# DNS Configuration
# ---------------------------------------------------------------------------
sophos_dns:
  forwarders:
    - '10.0.0.10'  # HQ DNS server
    - '8.8.8.8'
  domain: 'branch2.example.com'
  enable_dns_forwarder: true

# ---------------------------------------------------------------------------
# Static Routes
# ---------------------------------------------------------------------------
sophos_static_routes:
  # HQ address space is reached through the site-to-site tunnel
  - name: 'Route-to-HQ-via-VPN'
    destination: '10.0.0.0'
    netmask: '255.255.0.0'
    gateway: '10.0.0.1'
    interface: 'VPN'
    metric: 5
    enabled: true

# ---------------------------------------------------------------------------
# Firewall Rules (in addition to common rules)
# ---------------------------------------------------------------------------
sophos_firewall_rules:
  # Branch LAN -> HQ over the tunnel.
  # NOTE(review): services is 'any' and log is false, so accepted flows on
  # this rule leave no per-connection record for the syslog forwarding
  # configured in sophos_logging.
  - name: 'Allow-Branch2-to-HQ'
    source_zones:
      - 'LAN'
    dest_zones:
      - 'VPN'
    source_networks:
      - '10.20.0.0/16'
    dest_networks:
      - '10.0.0.0/16'
    services:
      - 'any'
    action: 'accept'
    log: false
    enabled: true
    description: 'Allow Branch 2 to access HQ resources'

  # Remote access VPN clients -> branch LAN.
  # source_networks must stay in sync with
  # sophos_remote_access_vpn.address_pool below.
  - name: 'Allow-RemoteVPN-to-Internal'
    source_zones:
      - 'VPN'
    dest_zones:
      - 'LAN'
    source_networks:
      - '10.255.0.0/24'  # VPN client pool
    dest_networks:
      - '10.20.0.0/16'
    services:
      - 'any'
    action: 'accept'
    log: true
    enabled: true
    description: 'Allow remote VPN users to access branch resources'

# ---------------------------------------------------------------------------
# Site-to-Site VPN Configuration
# ---------------------------------------------------------------------------
sophos_site_to_site_vpns:
  - name: 'Branch2-to-HQ'
    enabled: true
    connection_type: 'tunnel'

    # Local side (this firewall's WAN address)
    local_gateway: '198.51.100.20'
    local_networks:
      - '10.20.0.0/16'
    local_id: '198.51.100.20'

    # Remote side (HQ)
    remote_gateway: '203.0.113.1'
    remote_networks:
      - '10.0.0.0/16'
    remote_id: '203.0.113.1'

    # Phase 1 (IKE)
    ike_version: 2
    ike_encryption: 'aes256'
    ike_hash: 'sha256'
    ike_dh_group: 14  # 2048-bit MODP
    ike_lifetime: 28800
    authentication_method: 'psk'
    # Plaintext pre-shared key - CHANGE IN PRODUCTION and source it from Vault.
    psk: 'Br@nch2ToHQPr3Sh@r3dK3y456'

    # Phase 2 (IPsec)
    ipsec_mode: 'tunnel'
    ipsec_encryption: 'aes256'
    ipsec_hash: 'sha256'
    ipsec_pfs_group: 14
    ipsec_lifetime: 3600

    # Dead peer detection and NAT handling
    dpd_enabled: true
    dpd_interval: 30
    dpd_retries: 3
    nat_traversal: true
    description: 'Site-to-site VPN tunnel between Branch 2 (LA) and HQ'

# ---------------------------------------------------------------------------
# Remote Access VPN Configuration
# ---------------------------------------------------------------------------
sophos_remote_access_vpn:
  enabled: true
  type: 'sslvpn'
  name: 'Branch2-RemoteAccess-VPN'

  # Listener
  listening_port: 443
  listening_interface: 'Port1'  # WAN interface

  # Authentication - one of "local", "ldap", "radius"
  authentication_method: 'local'
  user_groups:
    - 'Remote-Workers'
    - 'IT-Staff'

  # Address pool for connected clients; referenced by the
  # 'Allow-RemoteVPN-to-Internal' firewall rule above
  address_pool:
    network: '10.255.0.0'
    netmask: '255.255.255.0'
    start_ip: '10.255.0.10'
    end_ip: '10.255.0.250'

  # Resolvers pushed to clients
  dns_servers:
    - '10.0.0.10'
    - '8.8.8.8'
  wins_servers: []

  # Split tunnel: only the networks listed are routed through the VPN
  tunnel_mode: 'split'  # "split" or "full"
  tunnel_networks:
    - '10.0.0.0/8'
    - '172.16.0.0/12'

  # Crypto
  encryption: 'aes256'
  hash: 'sha256'

  # Session limits
  idle_timeout: 1800  # 30 minutes
  session_timeout: 43200  # 12 hours
  max_concurrent_connections: 50
  enable_compression: true

  # Client-side behaviour
  override_default_gateway: false  # Split tunnel: client keeps its own default route
  block_lan_access: true  # Client may not reach its own local LAN while connected
  description: 'SSL VPN for remote workers and IT staff'

# ---------------------------------------------------------------------------
# SNMP Configuration
# ---------------------------------------------------------------------------
sophos_snmp:
  enabled: true
  # v2c: the community string is the only credential and is sent unencrypted,
  # so allowed_networks is the effective access control. Note that
  # 10.20.0.0/16 includes the user VLAN (10.20.50.0/24).
  version: 'v2c'
  community: 'br@nch2mon'  # CHANGE IN PRODUCTION
  location: 'Branch2-LA-ITCloset'
  contact: 'branch2-it@example.com'
  allowed_networks:
    - '10.20.0.0/16'
    - '10.0.0.0/24'  # HQ monitoring
  trap_destinations:
    - host: '10.0.0.100'
      port: 162
      community: 'br@nch2mon'

# ---------------------------------------------------------------------------
# Logging Configuration
# ---------------------------------------------------------------------------
sophos_logging:
  enabled: true
  # Plain UDP syslog: no delivery guarantee and no transport authentication.
  # The collector address presumably lives behind the HQ tunnel - confirm.
  syslog_servers:
    - host: '10.0.0.101'
      port: 514
      protocol: 'udp'
      facility: 'local2'
      severity: 'informational'
  categories:
    - 'firewall'
    - 'vpn'
    - 'authentication'
    - 'system'

# ---------------------------------------------------------------------------
# NTP Configuration
# ---------------------------------------------------------------------------
sophos_ntp:
  servers:
    - '10.0.0.1'  # HQ firewall as NTP source
    - 'time.google.com'
  timezone: 'America/Los_Angeles'