Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=HAPrerequisites

HA prerequisites

You can establish an HA link pair with one of the following methods:

  • Directly, using a crossover cable.
  • Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.
  • Using a layer 2 switch. To avoid HA heartbeat information propagating to the rest of the network’s broadcast domain, you must only connect the dedicated HA link pair ports to that switch. HA traffic is non-routable traffic.
  • Don't use Port4 (SFP and RJ45 shared port) when setting up HA on XG 105 Rev.3, XG 115 Rev.3 and XG 106 Rev.1 firewall models.

Note

Use the network medium that is capable of forwarding non-routable multicast packets.

Restriction

For 1U XGS series firewalls, HA is not automatically established when using a FleXi Port as the dedicated HA port. To solve this issue, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.

Prerequisites

  • Make sure the LAN IP address of the primary and auxiliary devices is different (but part of the same subnet) to avoid confusion between the two.
  • Connect the cables to all the monitored ports on both devices.
  • The devices in the HA cluster must be the same model and revision.
  • The devices must be registered.
  • The devices must have the same number of interfaces.
  • The devices must have the same firmware version installed (including maintenance releases and hotfixes). You can verify the firmware version by running the following console command: system diagnostics show version-info
  • For an active-active configuration, one license for each device is required.
  • For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
  • The devices must have the same subscription modules turned on.
  • On both devices, the dedicated HA link port must be a member of the same zone with the type DMZ and have a unique IP address.
  • HA link latency increases with distance. We recommend that you turn off the spanning tree protocol (STP) on the dedicated HA link.
  • For the switch ports that Sophos Firewall connects to, turn on portfast. Turn off the spanning tree protocols STP and RSTP.

  • The firewall doesn't support the following configurations and models:

    • VLAN on the management interface.
    • LAG on the management interface.
    • Wireless XG (w).

  • Take a backup of the firewalls and download them before configuring HA.

  • If the firewalls have a long uptime, restart the firewalls before configuring HA.
  • Both devices must be using a supported firmware version. We also recommend that both devices be on the latest firmware version.
  • Turn on SSH access on the DMZ zone for both Sophos firewall devices.
  • Turn off DHCP and PPPoE before you set up HA.

  • Make sure that all DDNS providers support HA.

    • At any given point in time, the DDNS service runs only on the primary (active) device for both HA modes (active-active or active-passive).
    • The database will be in sync with the auxiliary device.
    • When the primary device fails, the auxiliary device takes over, and the DDNS service is triggered by HA calls (resolver now resolves the auxiliary device IP address).

    Note

    It takes 5 to 6 minutes for the auxiliary device to start the DDNS service in the event of failure.

  • HA Active-Active + TAP

    • Currently, HA active-active mode isn't possible with discover mode as it would need to convey through ARP. TAP mode is an incoming interface only and not applicable to outgoing traffic.
    • Synchronized application control will be turned off if HA is turned on in active-active mode and not compatible with HA active-active mode.

  • HA Active-Passive + TAP

    • Discover mode will work with HA active-passive mode.
    • You can't configure HA if a TAP port is active. Deactivate the TAP port on both appliances using the command-line console first. After HA is established, you can activate the TAP port again.
    • When HA is turned on, the passive device will have a TAP interface.