kasperj/chittick_projects
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f1e8d3adddc8d92a2ba348a7a3b7b0163c451e8
chittick_projects/sophos-xgs-ansible/inventory/host_vars/fw-branch1.yml
Jake Kasper 4f1e8d3add Claude 1
2025-12-09 09:33:48 -06:00

297 lines
7.9 KiB
YAML
Raw Blame History

---
# ============================================================================
# Sophos XGS Firewall - Branch Office 1
# ============================================================================
# Hostname: fw-branch1
# Location: Branch Office - New York
# Purpose: Branch office firewall with site-to-site VPN to HQ
# ============================================================================
# ============================================================================
# Management Connection
# ============================================================================
sophos_mgmt_host: "192.168.10.1"
sophos_api_username: "admin"
sophos_api_password: "Br@nch1P@ss" # CHANGE IN PRODUCTION - Use Ansible Vault
# Firewall identification
sophos_hostname: "fw-branch1"
sophos_location: "branch-office-nyc"
sophos_device_role: "branch-firewall"
# ============================================================================
# Network Configuration
# ============================================================================
sophos_interfaces:
# WAN Interface
- name: "Port1"
type: "physical"
zone: "WAN"
description: "Internet connection (Branch ISP)"
mode: "static"
ip_address: "198.51.100.10"
netmask: "255.255.255.248"
gateway: "198.51.100.9"
mtu: 1500
enabled: true
# LAN Interface
- name: "Port2"
type: "physical"
zone: "LAN"
description: "Branch office local network"
mode: "static"
ip_address: "10.10.0.1"
netmask: "255.255.255.0"
mtu: 1500
enabled: true
# WiFi Interface
- name: "Port3"
type: "physical"
zone: "LAN"
description: "Wireless AP connection"
mode: "static"
ip_address: "10.10.10.1"
netmask: "255.255.255.0"
mtu: 1500
enabled: true
# VLANs
sophos_vlans:
- name: "VLAN10-Voice"
vlan_id: 10
parent_interface: "Port2"
zone: "LAN"
description: "VoIP phones"
ip_address: "10.10.10.1"
netmask: "255.255.255.0"
enabled: true
- name: "VLAN20-Data"
vlan_id: 20
parent_interface: "Port2"
zone: "LAN"
description: "User workstations"
ip_address: "10.10.20.1"
netmask: "255.255.255.0"
enabled: true
- name: "VLAN30-Guest"
vlan_id: 30
parent_interface: "Port3"
zone: "LAN"
description: "Guest WiFi"
ip_address: "10.10.30.1"
netmask: "255.255.255.0"
enabled: true
# ============================================================================
# DHCP Configuration
# ============================================================================
sophos_dhcp_servers:
- name: "DHCP-Voice"
interface: "VLAN10-Voice"
enabled: true
start_ip: "10.10.10.100"
end_ip: "10.10.10.199"
netmask: "255.255.255.0"
gateway: "10.10.10.1"
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
domain: "branch1.example.com"
lease_time: 43200 # 12 hours
dhcp_options:
- option: 66 # TFTP server
value: "10.0.0.50"
- option: 150 # Cisco TFTP server
value: "10.0.0.50"
- name: "DHCP-Data"
interface: "VLAN20-Data"
enabled: true
start_ip: "10.10.20.50"
end_ip: "10.10.20.200"
netmask: "255.255.255.0"
gateway: "10.10.20.1"
dns_servers:
- "10.0.0.10"
- "8.8.8.8"
domain: "branch1.example.com"
lease_time: 86400 # 24 hours
reservations:
- mac_address: "00:50:56:10:01:01"
ip_address: "10.10.20.10"
hostname: "branch1-printer"
- name: "DHCP-Guest"
interface: "VLAN30-Guest"
enabled: true
start_ip: "10.10.30.100"
end_ip: "10.10.30.200"
netmask: "255.255.255.0"
gateway: "10.10.30.1"
dns_servers:
- "8.8.8.8"
- "8.8.4.4"
domain: "guest.example.com"
lease_time: 3600 # 1 hour
# ============================================================================
# DNS Configuration
# ============================================================================
sophos_dns:
forwarders:
- "10.0.0.10" # HQ DNS server
- "8.8.8.8"
domain: "branch1.example.com"
enable_dns_forwarder: true
# ============================================================================
# Static Routes
# ============================================================================
sophos_static_routes:
- name: "Route-to-HQ-via-VPN"
destination: "10.0.0.0"
netmask: "255.255.0.0"
gateway: "10.0.0.1"
interface: "VPN"
metric: 5
enabled: true
# ============================================================================
# Firewall Rules (in addition to common rules)
# ============================================================================
sophos_firewall_rules:
# Guest network isolation
- name: "Allow-Guest-to-Internet-Only"
source_zones: ["LAN"]
dest_zones: ["WAN"]
source_networks: ["10.10.30.0/24"]
dest_networks: ["any"]
services: ["HTTP", "HTTPS", "DNS"]
action: "accept"
log: false
enabled: true
description: "Guest WiFi can only access Internet"
- name: "Deny-Guest-to-Internal"
source_zones: ["LAN"]
dest_zones: ["LAN", "VPN"]
source_networks: ["10.10.30.0/24"]
dest_networks: ["any"]
services: ["any"]
action: "deny"
log: true
enabled: true
description: "Block guest network from accessing internal resources"
# Branch to HQ
- name: "Allow-Branch-to-HQ"
source_zones: ["LAN"]
dest_zones: ["VPN"]
source_networks: ["10.10.0.0/16"]
dest_networks: ["10.0.0.0/16"]
services: ["any"]
action: "accept"
log: false
enabled: true
description: "Allow branch office to access HQ resources"
# ============================================================================
# Site-to-Site VPN Configuration
# ============================================================================
sophos_site_to_site_vpns:
- name: "Branch1-to-HQ"
enabled: true
connection_type: "tunnel"
# Local settings
local_gateway: "198.51.100.10"
local_networks:
- "10.10.0.0/16"
local_id: "198.51.100.10"
# Remote settings
remote_gateway: "203.0.113.1"
remote_networks:
- "10.0.0.0/16"
remote_id: "203.0.113.1"
# Phase 1 (IKE) settings
ike_version: 2
ike_encryption: "aes256"
ike_hash: "sha256"
ike_dh_group: 14
ike_lifetime: 28800 # 8 hours
authentication_method: "psk"
psk: "Sup3rS3cr3tPr3Sh@r3dK3y123" # CHANGE IN PRODUCTION - Use Vault
# Phase 2 (IPsec) settings
ipsec_mode: "tunnel"
ipsec_encryption: "aes256"
ipsec_hash: "sha256"
ipsec_pfs_group: 14
ipsec_lifetime: 3600 # 1 hour
# Advanced settings
dpd_enabled: true
dpd_interval: 30
dpd_retries: 3
nat_traversal: true
description: "Site-to-site VPN tunnel between Branch 1 (NYC) and HQ"
# ============================================================================
# SNMP Configuration
# ============================================================================
sophos_snmp:
enabled: true
version: "v2c"
community: "br@nch1mon" # CHANGE IN PRODUCTION
location: "Branch1-NYC-NetworkCloset"
contact: "branch1-it@example.com"
allowed_networks:
- "10.10.0.0/16"
- "10.0.0.0/24" # Allow HQ monitoring
trap_destinations:
- host: "10.0.0.100"
port: 162
community: "br@nch1mon"
# ============================================================================
# Logging Configuration
# ============================================================================
sophos_logging:
enabled: true
syslog_servers:
- host: "10.0.0.101"
port: 514
protocol: "udp"
facility: "local1"
severity: "informational"
categories:
- "firewall"
- "vpn"
- "system"
# ============================================================================
# NTP Configuration
# ============================================================================
sophos_ntp:
servers:
- "10.0.0.1" # HQ firewall as NTP source
- "time.google.com"
timezone: "America/New_York"
Reference in New Issue View Git Blame Copy Permalink