kasperj/chittick_projects
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f1e8d3adddc8d92a2ba348a7a3b7b0163c451e8
chittick_projects/sophos-xgs-ansible/inventory/group_vars/sophos_firewalls.yml
Jake Kasper 4f1e8d3add Claude 1
2025-12-09 09:33:48 -06:00

204 lines
5.9 KiB
YAML
Raw Blame History

---
# ============================================================================
# Sophos Firewalls Group Variables
# ============================================================================
# This file contains variables specific to all Sophos XGS firewalls.
# These override defaults in all.yml and can be overridden in host_vars.
#
# Author: Network Automation Team
# ============================================================================
# ============================================================================
# API Authentication Method
# ============================================================================
# Sophos XGS supports two authentication methods:
# 1. API Key (recommended for automation)
# 2. Username/Password
#
# Define ONE of the following in host_vars for each firewall:
# - sophos_api_key: "your-api-key-here"
# OR
# - sophos_api_username: "admin"
# - sophos_api_password: "secure-password"
# ============================================================================
# ============================================================================
# Standard Network Objects (shared across all firewalls)
# ============================================================================
sophos_standard_network_objects:
# RFC 1918 private networks
- name: "RFC1918-10.0.0.0/8"
type: "network"
address: "10.0.0.0"
netmask: "255.0.0.0"
description: "RFC 1918 Class A private network"
- name: "RFC1918-172.16.0.0/12"
type: "network"
address: "172.16.0.0"
netmask: "255.240.0.0"
description: "RFC 1918 Class B private network"
- name: "RFC1918-192.168.0.0/16"
type: "network"
address: "192.168.0.0"
netmask: "255.255.0.0"
description: "RFC 1918 Class C private network"
# Infrastructure services
- name: "DNS-Servers-Primary"
type: "host"
address: "8.8.8.8"
description: "Google Public DNS Primary"
- name: "DNS-Servers-Secondary"
type: "host"
address: "8.8.4.4"
description: "Google Public DNS Secondary"
# ============================================================================
# Standard Service Objects (shared across all firewalls)
# ============================================================================
sophos_standard_service_objects:
- name: "HTTP"
protocol: "tcp"
dst_port: 80
description: "Hypertext Transfer Protocol"
- name: "HTTPS"
protocol: "tcp"
dst_port: 443
description: "HTTP over TLS/SSL"
- name: "SSH"
protocol: "tcp"
dst_port: 22
description: "Secure Shell"
- name: "RDP"
protocol: "tcp"
dst_port: 3389
description: "Remote Desktop Protocol"
- name: "DNS"
protocol: "udp"
dst_port: 53
description: "Domain Name System"
- name: "NTP"
protocol: "udp"
dst_port: 123
description: "Network Time Protocol"
- name: "SNMP"
protocol: "udp"
dst_port: 161
description: "Simple Network Management Protocol"
# ============================================================================
# Standard Zones (expected on all firewalls)
# ============================================================================
sophos_standard_zones:
- name: "WAN"
description: "Internet-facing zone"
type: "wan"
- name: "LAN"
description: "Internal trusted network"
type: "lan"
- name: "DMZ"
description: "Demilitarized zone for public servers"
type: "dmz"
- name: "VPN"
description: "VPN client and site-to-site traffic"
type: "vpn"
# ============================================================================
# Common Firewall Rules (applied to all firewalls)
# ============================================================================
sophos_common_firewall_rules:
# Allow internal networks to access DNS
- name: "Allow-LAN-to-Internet-DNS"
source_zones: ["LAN"]
dest_zones: ["WAN"]
source_networks: ["any"]
dest_networks: ["any"]
services: ["DNS"]
action: "accept"
log: false
enabled: true
position: "top"
description: "Allow internal networks to resolve DNS"
# Allow internal networks to access NTP
- name: "Allow-LAN-to-Internet-NTP"
source_zones: ["LAN"]
dest_zones: ["WAN"]
source_networks: ["any"]
dest_networks: ["any"]
services: ["NTP"]
action: "accept"
log: false
enabled: true
description: "Allow internal networks to synchronize time"
# Allow HTTP/HTTPS from LAN to Internet
- name: "Allow-LAN-to-Internet-Web"
source_zones: ["LAN"]
dest_zones: ["WAN"]
source_networks: ["any"]
dest_networks: ["any"]
services: ["HTTP", "HTTPS"]
action: "accept"
log: false
enabled: true
description: "Allow web browsing from internal network"
# Deny all other traffic (implicit deny - logged)
- name: "Deny-All-Other-Traffic"
source_zones: ["any"]
dest_zones: ["any"]
source_networks: ["any"]
dest_networks: ["any"]
services: ["any"]
action: "deny"
log: true
enabled: true
position: "bottom"
description: "Default deny rule - logs all dropped traffic"
# ============================================================================
# Device Access Policies (management services)
# ============================================================================
sophos_common_device_access_policies:
# Allow HTTPS admin access from LAN
- service: "https"
allowed_zones: ["LAN"]
allowed_networks: [] # Empty means all networks in zone
enabled: true
# Allow SSH admin access from LAN
- service: "ssh"
allowed_zones: ["LAN"]
allowed_networks: []
enabled: true
# Allow ping from LAN and WAN (for monitoring)
- service: "ping"
allowed_zones: ["LAN", "WAN"]
allowed_networks: []
enabled: true
# Allow SNMP from management network only
- service: "snmp"
allowed_zones: ["LAN"]
allowed_networks: ["10.0.0.0/24"] # Restrict to management subnet
enabled: true
Reference in New Issue View Git Blame Copy Permalink