chittick_projects/sophos-xgs-ansible/QUICKSTART.md
Jake Kasper 4f1e8d3add Claude 1
2025-12-09 09:33:48 -06:00


Sophos XGS Ansible - Quick Start Guide

Get up and running with Sophos XGS firewall automation in 10 minutes.

Step 1: Prerequisites Check

Ensure you have:

  • Ansible 2.14+ installed (ansible-core 2.14 itself needs Python 3.9 or newer on the control node)
  • Python 3.8+ installed
  • Network access from the Ansible control host to your Sophos XGS firewalls on port 4444 (HTTPS, the admin console and API port)
  • API access enabled on each firewall (Backup & firmware > API), with the control host's IP address in the allowed-IP list
  • Admin credentials for each firewall

# Check versions
ansible --version
python3 --version

Step 2: Install Dependencies

cd sophos-xgs-ansible
ansible-galaxy collection install -r collections/requirements.yml

Step 3: Configure Your First Firewall

Edit inventory/hosts.ini:

[sophos_firewalls]
my-firewall ansible_host=192.168.1.1

Create inventory/host_vars/my-firewall.yml:

---
sophos_mgmt_host: "192.168.1.1"
sophos_api_username: "admin"
sophos_api_password: "YourPassword"  # Use vault in production!

sophos_hostname: "my-firewall"
sophos_location: "office"

# Minimal config - interfaces
sophos_interfaces:
  - name: "Port1"
    zone: "WAN"
    mode: "dhcp"
    enabled: true

  - name: "Port2"
    zone: "LAN"
    mode: "static"
    ip_address: "10.0.0.1"
    netmask: "255.255.255.0"
    enabled: true

Step 4: Test Connection

# Test connectivity and authentication
ansible-playbook -i inventory/hosts.ini site.yml --tags validation --limit my-firewall

Step 5: Apply Configuration

# Dry-run first (safe!)
ansible-playbook -i inventory/hosts.ini site.yml --limit my-firewall --check

Check mode only reports what a module can predict without changing the device; tasks whose modules do not support check mode are skipped rather than simulated, so a clean dry run is not a guarantee. Read the skipped tasks in the output before applying.

# Apply for real
ansible-playbook -i inventory/hosts.ini site.yml --limit my-firewall

Step 6: Secure Credentials (Production)

# Encrypt sensitive host_vars
ansible-vault encrypt inventory/host_vars/my-firewall.yml

# Run playbook with vault
ansible-playbook -i inventory/hosts.ini site.yml --limit my-firewall --ask-vault-pass

Encrypting the whole file hides the interface and zone definitions from code review along with the password. If you want diffs to stay readable, vault only the secret value and leave the rest of the file in plaintext. Either way, never commit a host_vars file that carries sophos_api_password unencrypted, and keep the vault password itself out of the repository.
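The following helpers are an added example and are not part of the sophos-xgs-ansible project. They show the per-value alternative to encrypting the whole file (ansible-vault encrypt_string, reading the secret from stdin) and a scanner that refuses host_vars files still carrying a plaintext sophos_api_password, for use from a pre-commit hook. The vault password file path (~/.vault_pass in the usage note) and the hook wiring are assumptions; the variable name and the inventory/host_vars layout are the ones this guide uses.

```shell
#!/bin/sh
# vault-helpers.sh - vault only the secret, and catch plaintext before commit.
# Added example, not part of the sophos-xgs-ansible project.
set -u

# Encrypt one value so the rest of host_vars stays readable in diffs.
# Reads the secret from stdin (never from the command line, where it would
# land in shell history and `ps`), using the vault password file in $1.
# Prints a "sophos_api_password: !vault |" block to paste into host_vars.
encrypt_api_password() {
  command -v ansible-vault >/dev/null || { echo "ansible-vault not found" >&2; return 127; }
  ansible-vault encrypt_string --vault-password-file "$1" \
    --stdin-name "${2:-sophos_api_password}"
}

# Return 1 if any given host_vars file still has sophos_api_password in
# plaintext. A value is accepted if it is a !vault block or a {{ lookup }}
# template; whole-file vaults contain no key line at all and pass too.
find_plaintext_secrets() {
  local f status
  status=0
  for f in "$@"; do
    if grep -E '^[[:space:]]*sophos_api_password:' "$f" | grep -Evq '!vault|[{][{]'; then
      echo "plaintext sophos_api_password in $f" >&2
      status=1
    fi
  done
  return $status
}

# For .git/hooks/pre-commit: scan only the host_vars files being committed.
precommit_check() {
  local files
  files=$(git diff --cached --name-only --diff-filter=ACM -- 'inventory/host_vars/*.yml')
  [ -n "$files" ] || return 0
  # shellcheck disable=SC2086  (word-split the file list on purpose)
  find_plaintext_secrets $files
}

# Run as a script: scan the files named on the command line.
if [ $# -ge 1 ]; then
  find_plaintext_secrets "$@"
fi
```

Usage: `. ./vault-helpers.sh` and then `printf '%s' "$SOPHOS_PW" | encrypt_api_password ~/.vault_pass` prints the `!vault` block to paste over the plaintext line in inventory/host_vars/my-firewall.yml; `sh vault-helpers.sh inventory/host_vars/*.yml` scans every host file. With a password file in place, run the playbook with `--vault-password-file ~/.vault_pass` instead of `--ask-vault-pass` in CI. The scanner is a cheap guard, not a secret detector: it only knows about the one variable name this guide uses.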

Next Steps

  1. Add more firewalls: Copy my-firewall.yml to create more host_vars files
  2. Configure VLANs: Add sophos_vlans to your host_vars
  3. Set up DHCP: Add sophos_dhcp_servers to your host_vars
  4. Add firewall rules: Define sophos_firewall_rules
  5. Set up VPNs: Configure sophos_site_to_site_vpns
  6. Import baseline WAF: Run baseline_import.yml if you have an existing WAF setup

Common Commands

# Configure only network settings
ansible-playbook -i inventory/hosts.ini site.yml --tags network

# Configure only firewall rules
ansible-playbook -i inventory/hosts.ini site.yml --tags firewall

# Configure specific firewall
ansible-playbook -i inventory/hosts.ini site.yml --limit fw-branch1

# Dry-run (check mode)
ansible-playbook -i inventory/hosts.ini site.yml --check

# Import baseline WAF config
ansible-playbook -i inventory/hosts.ini baseline_import.yml

Troubleshooting

Cannot connect to firewall:

# Test basic connectivity
ping 192.168.1.1
nc -zv 192.168.1.1 4444

The firewall may drop ICMP on the zone you are coming from, so a failed ping alone proves little; a refused or timed-out connection on 4444 does. Confirm that HTTPS admin access is permitted from your zone (Administration > Device access) and that you are targeting the management IP rather than an interface the admin services are not bound to.
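A preflight script for Step 4 and for this troubleshooting section, added here as an example and not part of the sophos-xgs-ansible project. It reads the [sophos_firewalls] group from hosts.ini, checks each host on port 4444, and compares the SHA-256 fingerprint of the certificate the admin port presents against a pin recorded earlier. XGS units ship with a self-signed certificate on 4444, and automation against such a certificate usually runs with TLS verification disabled, so an out-of-band pin is what catches a swapped certificate or an interposed host before credentials are sent. The pins file name (known_fingerprints.txt) and its "<name> <fingerprint>" format are assumptions; port 4444 and the group name are from this guide.

```shell
#!/bin/sh
# preflight.sh - check every firewall in the inventory before running site.yml.
# Added example, not part of the sophos-xgs-ansible project.
# Usage: sh preflight.sh inventory/hosts.ini [known_fingerprints.txt]
set -u

API_PORT=4444   # Sophos XGS admin console / API port (HTTPS)

# Print "name ip" for each host in the [sophos_firewalls] group of an INI
# inventory; falls back to the host name when no ansible_host= is given.
inventory_hosts() {
  awk '
    /^\[/ { in_group = ($0 == "[sophos_firewalls]"); next }
    in_group && NF && $0 !~ /^[#;]/ {
      ip = $1
      for (i = 2; i <= NF; i++) if ($i ~ /^ansible_host=/) ip = substr($i, 14)
      print $1, ip
    }' "$1"
}

# 0 if a TCP connection to host:port opens within 3 seconds (bash /dev/tcp,
# so no dependency on nc being installed).
tcp_check() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# SHA-256 fingerprint of the certificate the admin port presents.
cert_fingerprint() {
  openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Compare a fingerprint with the pin recorded for that host in the pins file
# (assumed format: one "<name> <fingerprint>" per line).
# Returns 0 = matches, 1 = pinned but different, 2 = no pin recorded.
fingerprint_status() {
  local name fp pins pinned
  name=$1; fp=$(printf '%s' "$2" | tr 'a-z' 'A-Z'); pins=$3
  [ -f "$pins" ] || return 2
  pinned=$(awk -v n="$name" '$1 == n { print $2; exit }' "$pins" | tr 'a-z' 'A-Z')
  [ -n "$pinned" ] || return 2
  [ "$pinned" = "$fp" ]
}

# Walk the inventory: reachable on the API port, certificate matches its pin.
# Returns 1 if any host is unreachable or presents a different certificate.
preflight() {
  local inv pins rc hosts name ip fp status
  inv=$1; pins=$2; rc=0
  hosts=$(inventory_hosts "$inv")
  while read -r name ip; do
    [ -n "$name" ] || continue
    if ! tcp_check "$ip" "$API_PORT"; then
      echo "FAIL $name: $ip:$API_PORT not reachable"; rc=1; continue
    fi
    fp=$(cert_fingerprint "$ip" "$API_PORT")
    status=0; fingerprint_status "$name" "$fp" "$pins" || status=$?
    case $status in
      0) echo "OK   $name: reachable, certificate matches pin" ;;
      2) echo "WARN $name: reachable, no pin yet; verify out of band, then record: $name $fp" ;;
      *) echo "FAIL $name: certificate changed (reissued cert, or something between you and the firewall)"; rc=1 ;;
    esac
  done <<EOF
$hosts
EOF
  return $rc
}

# Run as a script: preflight the inventory given on the command line.
if [ $# -ge 1 ]; then
  preflight "$1" "${2:-known_fingerprints.txt}"
fi
```

Record a pin only after you have checked the fingerprint on the device itself (console, or the browser's certificate view on a first connection from a trusted LAN segment); a WARN line is the script telling you it cannot vouch for that host yet. Once the playbook run gains a --check first, this script is the step before it.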

Authentication failed:

  • Verify credentials in host_vars (and that the run was given the vault password, if the file is encrypted)
  • Check that API access is enabled on the firewall (Backup & firmware > API) and that the Ansible control host's IP is in the allowed-IP list; a request from an address not on that list fails even with correct credentials
  • Verify the user has admin privileges

Getting help:

  • Review README.md for full documentation
  • Check group_vars_schema.md for all variable options
  • Review role tasks in roles/*/tasks/main.yml

You're ready to go! Start small with one firewall, then scale to your entire fleet.