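---
# ============================================================================
# Global Variables for All Sophos XGS Firewalls
# ============================================================================
# This file contains default values applied to ALL firewalls in the inventory.
# These can be overridden in group_vars/sophos_firewalls.yml or in individual
# host_vars files.
#
# Because this is the lowest-precedence layer and is inherited by every host
# (including the ones tagged environment: "production" at the bottom of this
# file), keep the defaults here safe. Lab-only relaxations (self-signed certs,
# test community strings) belong in the lab group/host vars, not here.
#
# Author: Network Automation Team
# ============================================================================

# ============================================================================
# API Connection Settings
# ============================================================================
# Management port (Sophos XGS default is 4444, web interface is 443)
sophos_mgmt_port: 4444

# TLS certificate validation for the management API.
# Verify by default: with validation disabled the admin credentials / API key
# are sent to whatever answers on the management port, and this file applies
# to every firewall in the inventory. For lab boxes with self-signed certs,
# set this to false in that lab's host_vars/group_vars (or, better, trust the
# appliance CA on the control node) rather than changing the global default.
sophos_validate_certs: true

# API timeout in seconds
sophos_api_timeout: 30

# Suppress logging of sensitive task data (passwords, API keys).
# This is only a variable: it has no effect unless the roles reference it,
# e.g. no_log: "{{ sophos_no_log_sensitive }}" on the tasks that handle secrets.
sophos_no_log_sensitive: true

# Retry settings for API calls
sophos_api_retries: 3
sophos_api_retry_delay: 5

# ============================================================================
# Execution Control
# ============================================================================
# Serial execution limit (number of firewalls to configure simultaneously).
# Also the blast radius of a bad change: at most this many devices per batch.
sophos_serial_execution: 5

# Feature toggles (can be disabled to skip entire roles)
sophos_manage_network: true
sophos_manage_firewall_rules: true
sophos_manage_site_to_site_vpn: true
sophos_manage_remote_access_vpn: true
sophos_manage_waf: true
sophos_manage_device_access: true
sophos_manage_snmp_logging: true

# Automatically save configuration after changes
sophos_save_config: true

# ============================================================================
# Global Network Settings (defaults)
# ============================================================================
# Default DNS servers (can be overridden per firewall)
sophos_default_dns_servers:
  - 8.8.8.8
  - 8.8.4.4

# Default NTP servers
sophos_default_ntp_servers:
  - 0.pool.ntp.org
  - 1.pool.ntp.org
  - 2.pool.ntp.org

# Default timezone
sophos_timezone: "America/New_York"

# Default MTU
sophos_default_mtu: 1500

# ============================================================================
# Global Security Settings (defaults)
# ============================================================================
# Default firewall rule logging
sophos_default_rule_log: true

# Default firewall rule action (fail closed: traffic matching no explicit
# allow is denied)
sophos_default_rule_action: "deny"

# Default VPN crypto (IKE = phase 1, IPsec = phase 2).
# AES-256 / SHA-256 with DH and PFS group 14 (2048-bit MODP) is the usual
# floor; treat 14 as the minimum, not a value to lower for compatibility.
# Where both peers support it, an ECP group (19/20) is preferable -- confirm
# the role/API accepts the value before changing the default.
sophos_default_ike_encryption: "aes256"
sophos_default_ike_hash: "sha256"
sophos_default_ike_dh_group: 14
sophos_default_ike_lifetime: 28800
sophos_default_ipsec_encryption: "aes256"
sophos_default_ipsec_hash: "sha256"
# PFS group set deliberately: a compromised IKE key must not expose past
# phase-2 sessions.
sophos_default_ipsec_pfs_group: 14
sophos_default_ipsec_lifetime: 3600

# ============================================================================
# Global SNMP Settings (defaults)
# ============================================================================
sophos_snmp_enabled: true

# SNMPv2c authenticates with a community string sent in cleartext and offers
# no encryption. The variables here are v2c-shaped, so moving to SNMPv3
# (authPriv) needs role support; until then, restrict SNMP on the firewall to
# the monitoring hosts only.
sophos_snmp_version: "v2c"

# The community string is a credential -- do not commit a literal here
# (the previous default was "public", which is the first string any scanner
# tries). Define vault_sophos_snmp_community in an ansible-vault-encrypted
# file, e.g. inventory/group_vars/all/vault.yml. If it is left undefined the
# SNMP role fails instead of silently pushing a well-known community to
# production devices.
sophos_snmp_community: "{{ vault_sophos_snmp_community }}"
sophos_snmp_location: "Data Center"
sophos_snmp_contact: "netadmin@example.com"

# ============================================================================
# Global Logging Settings (defaults)
# ============================================================================
sophos_logging_enabled: true
sophos_logging_facility: "local0"
sophos_logging_severity: "informational"

# Default syslog servers (can be extended per firewall).
# Syslog over UDP/514 is unauthenticated, unencrypted and lossy: acceptable
# only on an isolated management network. Otherwise use TCP/TLS if the
# collector and the XGS firmware support it, and alert on the collector when
# a firewall stops sending (a silent drop looks identical to a quiet box).
sophos_syslog_servers:
  - host: "10.0.0.100"
    port: 514
    protocol: "udp"

# ============================================================================
# CI/CD and Version Control
# ============================================================================
# Configuration version (increment when making breaking changes)
sophos_config_version: "1.0.0"

# Tags for resource tracking.
# environment is a fleet-wide default here; override it in the lab/staging
# group vars so the tag stays truthful for non-production devices.
sophos_default_tags:
  managed_by: "ansible"
  project: "sophos-xgs-automation"
  environment: "production"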