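---
# ============================================================================
# Sophos XGS Firewall Fleet Management - Main Playbook
# ============================================================================
# This playbook applies all configuration roles to Sophos XGS firewalls
# in the inventory. It is designed to be idempotent and safe to run
# repeatedly in production environments and CI/CD pipelines.
#
# Usage:
#   ansible-playbook -i inventory/hosts.ini site.yml
#   ansible-playbook -i inventory/hosts.ini site.yml --limit fw-branch1
#   ansible-playbook -i inventory/hosts.ini site.yml --tags network
#   ansible-playbook -i inventory/hosts.ini site.yml --check   # Dry-run mode
#
# Author: Network Automation Team
# ============================================================================

- name: Configure Sophos XGS Firewalls
  hosts: sophos_firewalls
  # The firewalls are driven purely over their HTTPS API from the control
  # node, so there is nothing to gather facts from and no privilege to
  # escalate to.
  gather_facts: false
  become: false

  # Limit how many firewalls are configured in parallel so the API endpoints
  # are not overwhelmed. Override with -e sophos_serial_execution=N to match
  # your API rate limits.
  serial: "{{ sophos_serial_execution | default(5) }}"

  # Roles run in the order listed; each phase depends on objects created by
  # the previous ones (e.g. firewall rules reference network objects).
  # Every phase except the common/validation role can be switched off with
  # its sophos_manage_* variable.
  roles:
    # Phase 1: Establish connectivity and validate API access.
    # Tagged 'always' so a --tags run still verifies the API before changing
    # anything.
    - role: sophos_common
      tags: ['always', 'common', 'validation']

    # Phase 2: Configure network foundation (interfaces, VLANs, routing, DNS, DHCP)
    - role: sophos_network
      tags: ['network', 'interfaces', 'vlans', 'dhcp', 'dns', 'routing']
      when: sophos_manage_network | default(true)

    # Phase 3: Configure firewall rules (after network objects exist)
    - role: sophos_firewall_rules
      tags: ['firewall', 'rules', 'security']
      when: sophos_manage_firewall_rules | default(true)

    # Phase 4: Configure site-to-site VPN tunnels
    - role: sophos_vpn_site_to_site
      tags: ['vpn', 'site-to-site', 'ipsec']
      when: sophos_manage_site_to_site_vpn | default(true)

    # Phase 5: Configure remote access VPN
    - role: sophos_vpn_remote_access
      tags: ['vpn', 'remote-access', 'ssl-vpn']
      when: sophos_manage_remote_access_vpn | default(true)

    # Phase 6: Configure web application firewall (WAF) policies
    - role: sophos_waf
      tags: ['waf', 'web', 'application-firewall']
      when: sophos_manage_waf | default(true)

    # Phase 7: Configure device access policies (management services)
    - role: sophos_device_access
      tags: ['device-access', 'management', 'security']
      when: sophos_manage_device_access | default(true)

    # Phase 8: Configure SNMP, logging, and NTP
    - role: sophos_snmp_logging
      tags: ['snmp', 'logging', 'monitoring', 'ntp']
      when: sophos_manage_snmp_logging | default(true)

  # Post-configuration tasks
  post_tasks:
    - name: Display configuration summary
      ansible.builtin.debug:
        msg:
          - "======================================"
          - "Sophos XGS Configuration Complete"
          - "======================================"
          - "Firewall: {{ inventory_hostname }}"
          - "Management IP: {{ sophos_mgmt_host }}"
          - "Roles Applied: {{ ansible_play_role_names | join(', ') }}"
          - "Configuration Version: {{ sophos_config_version | default('N/A') }}"
      tags: ['always']

    # Persist the running configuration on the appliance. Opt-in via
    # sophos_save_config=true; never runs in --check mode because it writes
    # state on the device.
    - name: Save configuration to file (optional)
      ansible.builtin.uri:
        # The request XML (and with it the API username/password) is sent as
        # a form field in the POST body rather than in the URL query string.
        # Anything placed in the URL is recorded in proxy and web-server
        # access logs, shell history and any non-no_log Ansible output; the
        # body is not. (The XG API reads reqxml from the POST body as well --
        # confirm against the API reference for your firmware.)
        url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController"
        method: POST
        # Default to verifying the appliance certificate; set
        # sophos_validate_certs=false explicitly (e.g. for lab devices with
        # self-signed certificates) rather than relying on an undefined var.
        validate_certs: "{{ sophos_validate_certs | default(true) }}"
        headers:
          Content-Type: "application/x-www-form-urlencoded"
        body_format: form-urlencoded
        # NOTE(review): the username/password are interpolated into the XML
        # without escaping; a credential containing &, <, > or ' breaks the
        # request (or changes the document structure). Escape them or
        # restrict the credential character set.
        body:
          reqxml: "<Request><Login><Username>{{ sophos_api_username }}</Username><Password>{{ sophos_api_password }}</Password></Login><Set operation='update'><System><Configuration><SaveConfiguration/></Configuration></System></Set></Request>"
        # NOTE(review): an HTTP 200 only proves the controller answered; the
        # API is believed to report authentication and operation failures
        # inside the XML body with a 200 status. Consider registering the
        # result with return_content and checking the body before treating
        # the save as successful.
        status_code: [200, 201]
      when: (sophos_save_config | default(false)) and not ansible_check_mode
      tags: ['always']
      # Hide the request (which carries the API credentials) from logs and
      # callback output unless explicitly disabled for debugging.
      no_log: "{{ sophos_no_log_sensitive | default(true) }}"

# End of site.yml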