Jake Kasper 4f1e8d3add Claude 1
2025-12-09 09:33:48 -06:00

# Sophos XGS Ansible - Quick Start Guide
Get up and running with Sophos XGS firewall automation in 10 minutes.
## Step 1: Prerequisites Check
Ensure you have:
- [ ] Ansible 2.14+ installed
- [ ] Python 3.8+ installed
- [ ] Network access to your Sophos XGS firewalls on port 4444 (HTTPS)
- [ ] Admin credentials for each firewall
```bash
# Check versions
ansible --version
python3 --version
```
## Step 2: Install Dependencies
```bash
cd sophos-xgs-ansible
ansible-galaxy collection install -r collections/requirements.yml
```
## Step 3: Configure Your First Firewall
Edit `inventory/hosts.ini`:
```ini
[sophos_firewalls]
my-firewall ansible_host=192.168.1.1
```
Create `inventory/host_vars/my-firewall.yml`:
```yaml
---
sophos_mgmt_host: "192.168.1.1"
sophos_api_username: "admin"
sophos_api_password: "YourPassword" # Use vault in production!
sophos_hostname: "my-firewall"
sophos_location: "office"
# Minimal config - interfaces
sophos_interfaces:
  - name: "Port1"
    zone: "WAN"
    mode: "dhcp"
    enabled: true
  - name: "Port2"
    zone: "LAN"
    mode: "static"
    ip_address: "10.0.0.1"
    netmask: "255.255.255.0"
    enabled: true
```
## Step 4: Test Connection
```bash
# Test connectivity and authentication
ansible-playbook -i inventory/hosts.ini site.yml --tags validation --limit my-firewall
```
## Step 5: Apply Configuration
```bash
# Dry-run first (safe!)
ansible-playbook -i inventory/hosts.ini site.yml --limit my-firewall --check
# Apply for real
ansible-playbook -i inventory/hosts.ini site.yml --limit my-firewall
```
## Step 6: Secure Credentials (Production)
```bash
# Encrypt sensitive host_vars
ansible-vault encrypt inventory/host_vars/my-firewall.yml
# Run playbook with vault
ansible-playbook -i inventory/hosts.ini site.yml --ask-vault-pass
```
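To catch a `host_vars` file that was committed before this step was applied, here is an added pre-commit check (example code, not part of the sophos-xgs-ansible project): it reports any `sophos_api_password` whose value is neither inside a file encrypted with `ansible-vault encrypt` nor an inline `!vault` value produced by `ansible-vault encrypt_string`. The sample host_vars strings are constructed for the demonstration.

```python
"""Refuse to commit Sophos XGS host_vars that carry a plaintext API password.
Added example, not part of the sophos-xgs-ansible project (use as a pre-commit hook)."""
from __future__ import annotations
import re
import sys
from pathlib import Path
VAULT_FILE_HEADER = "$ANSIBLE_VAULT;"  # line 1 after `ansible-vault encrypt file.yml`
# Per-key encryption (`ansible-vault encrypt_string`) yields `key: !vault |` blocks.
SECRET_KEY_RE = re.compile(r"^\s*(sophos_api_password)\s*:\s*(.*)$")

def find_plaintext_secrets(text: str) -> list[tuple[int, str]]:
    """Return (line_no, key) for each secret key whose value is not vaulted."""
    if text.startswith(VAULT_FILE_HEADER):
        return []  # whole file encrypted; nothing readable to leak
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = SECRET_KEY_RE.match(line)
        if m and not m.group(2).startswith("!vault"):
            findings.append((no, m.group(1)))
    return findings

def check_host_vars(directory: Path) -> dict[str, list[tuple[int, str]]]:
    """Map each offending *.yml under `directory` to its plaintext findings."""
    report = {}
    for path in sorted(directory.glob("*.yml")):
        findings = find_plaintext_secrets(path.read_text(encoding="utf-8"))
        if findings:
            report[str(path)] = findings
    return report

# Constructed samples: the quick start's host_vars before and after vaulting.
PLAINTEXT_HOST_VARS = """\
sophos_api_username: "admin"
sophos_api_password: "YourPassword" # Use vault in production!
"""
INLINE_VAULT_HOST_VARS = """\
sophos_api_username: "admin"
sophos_api_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          00000000<constructed placeholder ciphertext>
"""

if __name__ == "__main__":
    target = Path(sys.argv[1] if len(sys.argv) > 1 else "inventory/host_vars")
    report = check_host_vars(target)
    for path, findings in report.items():
        for no, key in findings:
            print(f"{path}:{no}: plaintext {key}; run `ansible-vault encrypt {path}`")
    sys.exit(1 if report else 0)
```

A non-zero exit blocks the commit; wire the script into your pre-commit hook so plaintext credentials never reach the repository.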
## Next Steps
1. **Add more firewalls**: Copy `my-firewall.yml` to create more host_vars files
2. **Configure VLANs**: Add `sophos_vlans` to your host_vars
3. **Set up DHCP**: Add `sophos_dhcp_servers` to your host_vars
4. **Add firewall rules**: Define `sophos_firewall_rules`
5. **Set up VPNs**: Configure `sophos_site_to_site_vpns`
6. **Import baseline WAF**: Run `baseline_import.yml` if you have an existing WAF setup
## Common Commands
```bash
# Configure only network settings
ansible-playbook -i inventory/hosts.ini site.yml --tags network
# Configure only firewall rules
ansible-playbook -i inventory/hosts.ini site.yml --tags firewall
# Configure specific firewall
ansible-playbook -i inventory/hosts.ini site.yml --limit fw-branch1
# Dry-run (check mode)
ansible-playbook -i inventory/hosts.ini site.yml --check
# Import baseline WAF config
ansible-playbook -i inventory/hosts.ini baseline_import.yml
```
## Troubleshooting
**Cannot connect to firewall:**
```bash
# Test basic connectivity
ping 192.168.1.1
nc -zv 192.168.1.1 4444
```
**Authentication failed:**
- Verify credentials in host_vars
- Check if API access is enabled on the firewall
- Verify user has admin privileges
**Getting help:**
- Review `README.md` for full documentation
- Check `group_vars_schema.md` for all variable options
- Review role tasks in `roles/*/tasks/main.yml`
---
**You're ready to go!** Start small with one firewall, then scale to your entire fleet.