HA behavior

  • The following services don't run on the auxiliary device: routing service, VPN service, network service, sign-in server.
  • Session failover isn't possible for AV-scanned sessions or any other IPv4 forwarded traffic, such as ICMP, UDP, multicast, and broadcast traffic; traffic passing through the proxy subsystem (transparent, direct, and parent proxy traffic); and VPN traffic.
  • Session failover isn't possible for IPv6 forwarded traffic, such as ICMPv6, UDP, multicast, and broadcast traffic.
  • All masqueraded connections are dropped when a manual synchronization event occurs on any device in the HA cluster.
  • Administrator privileges are required to access the auxiliary device. Only administrators can access the web admin console. Live users, DHCP leases, and IPsec live connections pages aren't shown on the auxiliary device.
  • You can't access the setup assistant on the auxiliary device.
  • If a backup without HA configuration is restored (after configuring HA), HA will be turned off and the primary device will be accessible according to the backup configuration, while the auxiliary device will be accessible with the auxiliary admin IP address.
  • If a backup containing HA configuration is restored on the primary device, it restores the configuration and restarts the primary device. It then restores the configuration to the auxiliary device and restarts the auxiliary device. HA will be restored automatically and no additional configuration is required. Failover won't take place when the backup is being restored. Restoring the backup results in downtime.
  • If a backup containing HA configuration is restored to a new or factory-reset device, HA is turned off for the device. You must configure HA again.
  • In active-active mode, emails are quarantined separately on both devices because the SMTP proxy traffic is load-balanced in a round-robin manner.
  • In active-passive mode, emails are quarantined only on the primary device.
  • If quarantine digest is configured, both devices in the cluster send a quarantine digest.
  • Administrators can release quarantined emails of some or all users from both devices.
  • Users can release quarantined emails from the user portal. The user portal shows only emails quarantined on the primary device. Users can also release them from the quarantine digest emailed from the primary.
  • HA is turned off if you run the setup assistant.
  • Cellular WAN configuration isn't supported in any HA mode.
  • You can't use Synchronized Application Control (SAC) in active-active mode.
  • HA Load balancing: The following traffic is load-balanced in an active-active HA cluster:

    • Regular forwarded TCP traffic.
    • Translated (SNAT and Virtual host) forwarded TCP traffic.
    • TCP traffic passing through the proxy subsystem: transparent proxy, direct proxy, parent proxy, and VLAN traffic.
  • HA Load balancing: The following traffic isn't load-balanced in an active-active HA cluster:

    • VPN sessions.
    • UDP, ICMP, multicast, and broadcast sessions.
    • Scanned FTP traffic.
    • Traffic related to wireless RED devices and access points.
    • TCP traffic for the user portal, web admin console, and telnet console.
    • H.323 traffic sessions.
    • Control traffic for all modules.
  • When you turn off HA, all ports except the dedicated HA link port and peer administration port are turned off for the auxiliary device. The dedicated HA link port's IPv4 address is assigned to the peer HA link. The peer administration port's IP address becomes the peer device's administration IP address.

  • After you turn off HA, all the administrative services (HTTP, HTTPS, Telnet, SSH) are allowed for the LAN zone, while only HTTPS and SSH are allowed for the DMZ zone.
  • The device failover detection time (peer time-out) is 4 seconds. When the primary device stops sending heartbeat packets, it’s declared dead at the end of 4 seconds (250 milliseconds x 16 time-outs). The peer is considered active if a heartbeat is received within 14 time-outs. Failover is triggered at the end of 7 seconds (3-second link uptime + 4-second device failover detection time) from the time the cluster has come up. You can't change the failover threshold.
  • DHCP and PPPoE: When interfaces are dynamically configured using DHCP or PPPoE, you can only configure active-passive HA. You can't configure active-active HA.
  • The firewall can load-balance HTTPS traffic.
  • You can configure HA on a bridge interface if you've configured the bridge interface from Network > Interfaces. However, if you run the assistant in bridge mode after configuring HA, HA is turned off.
  • HA will not work correctly when a shared port is being used as the dedicated HA link.
  • The endpoint from which you access the web admin or CLI consoles of the primary or the auxiliary device must be within the same subnet as the device's management IP address.