---
# ============================================================================
# Sophos XGS Baseline WAF Configuration
# ============================================================================
# This file was automatically generated by the baseline_import.yml playbook
#
# Source: fw-baseline (192.168.1.10)
# Exported: 2025-12-09T10:30:00Z
# Exported by: ansible
#
# This configuration serves as the baseline WAF configuration for all
# firewalls in the fleet. Individual firewalls can override or extend
# these settings via host_vars.
#
# DO NOT EDIT THIS FILE MANUALLY - regenerate using baseline_import.yml
# ============================================================================

# Provenance of this export; repeats the source/timestamp given in the header.
_metadata:
  description: Baseline WAF configuration imported from fw-baseline
  exported_by: ansible
  # Quoted so the value stays a string instead of being parsed as a timestamp.
  export_timestamp: '2025-12-09T10:30:00Z'
  source_firewall: fw-baseline
  source_ip: 192.168.1.10
  # Quoted so '1.0' is not read as the float 1.0.
  version: '1.0'

# ============================================================================
# WAF Backend Servers
# ============================================================================

# Origin servers the WAF forwards to. The `name` of each entry is what
# sophos_waf_virtual_hosts.backend_servers refers to.
# NOTE(review): all three backends use protocol http on 8080, so the hop from
# the WAF to 10.100.x.x is cleartext — confirm that segment is not reachable
# by clients.
sophos_waf_backends:
  - health_check: true
    host: 10.100.1.50
    name: app-server-01
    port: 8080
    protocol: http

  - health_check: true
    host: 10.100.1.51
    name: app-server-02
    port: 8080
    protocol: http

  - health_check: true
    host: 10.100.2.50
    name: api-server-01
    port: 8080
    protocol: http

# ============================================================================
# WAF Protection Policies
# ============================================================================

# Protection profiles. The `name` of each entry is what
# sophos_waf_virtual_hosts.protection_policy refers to.
sophos_waf_policies:
  # Browser-facing profile: GET/HEAD plus POST only, SQLi and XSS inspection on,
  # upload size and URL length capped.
  - allowed_methods:
      - GET
      - POST
      - HEAD
    block_common_attacks: true
    file_upload_limit_mb: 100
    max_url_length: 4096
    mode: prevention
    name: standard-web-protection
    sql_injection_protection: true
    xss_protection: true

  # API profile: full method set for CRUD, JSON validation, per-minute rate
  # limit. No upload/URL-length caps are set here, unlike the web profile.
  - allowed_methods:
      - GET
      - POST
      - PUT
      - DELETE
      - PATCH
    block_common_attacks: true
    json_validation: true
    mode: prevention
    name: api-protection
    rate_limit_requests_per_minute: 1000
    sql_injection_protection: true
    # NOTE(review): XSS inspection is disabled for this profile — presumably
    # because the API returns JSON rather than HTML; confirm api-gateway never
    # serves browser-rendered content.
    xss_protection: false

# ============================================================================
# Virtual Web Servers / WAF Rules
# ============================================================================

# Public HTTPS listeners. backend_servers and protection_policy values match
# `name` entries in sophos_waf_backends and sophos_waf_policies above.
sophos_waf_virtual_hosts:
  # Two app backends behind one listener, HSTS and compression on.
  - backend_servers:
      - app-server-01
      - app-server-02
    domain: www.example.com
    enable_compression: true
    enable_hsts: true
    listening_ip: 203.0.113.10
    listening_port: 443
    load_balancing: round-robin
    name: corporate-website
    protocol: https
    protection_policy: standard-web-protection
    # Unit is not stated in this file — presumably seconds; confirm.
    session_timeout: 1800
    ssl_certificate: wildcard-example-com

  # Single API backend; WebSocket upgrades are permitted on this listener.
  - backend_servers:
      - api-server-01
    domain: api.example.com
    enable_hsts: true
    listening_ip: 203.0.113.11
    listening_port: 443
    name: api-gateway
    protocol: https
    protection_policy: api-protection
    session_timeout: 3600
    ssl_certificate: wildcard-example-com
    websocket_support: true

# ============================================================================
# WAF Exceptions (Allow-list)
# ============================================================================

# Per-path relaxations of a virtual host's policy: each entry lists the rules
# it skips, the path they are skipped on, and the source networks it applies to.
sophos_waf_exceptions:
  # NOTE(review): both SQLi and XSS detection are skipped for /admin/* from the
  # entire 10.0.0.0/8 range, so any host on 10/8 that can reach
  # corporate-website bypasses those two rules for the admin panel — confirm
  # whether a narrower management subnet can be used instead.
  - comment: Admin panel requires special characters in parameters
    name: allow-admin-panel-special-chars
    path: /admin/*
    skip_rules:
      - sql-injection-detection
      - xss-detection
    source_networks:
      - 10.0.0.0/8
    virtual_host: corporate-website

  # NOTE(review): request-size-limit is lifted for every source (any) on this
  # upload path. The other api-protection rules are not listed in skip_rules
  # and so presumably still apply — confirm, and confirm the backend enforces
  # its own upload size cap since the WAF no longer does here.
  - comment: API endpoint accepts large JSON payloads
    name: allow-api-large-json
    path: /api/v1/upload
    skip_rules:
      - request-size-limit
    source_networks:
      - any
    virtual_host: api-gateway