You must meet the following requirements before you configure HA.
Devices and firmware
- Devices in the HA cluster (primary and auxiliary) must be the same model and revision. For example, an XG 210 rev3 can only connect to another XG 210 rev3. An XG 230 or even an SG 210 can't be used.
- All devices must have the same number of ports or interfaces. This includes when any FleXi port expansion modules are installed.
- The devices must have the same firmware version installed. This includes maintenance releases and hotfixes.
- Don't use Port4 (SFP and RJ45 shared port) when setting up HA on XG 105 Rev.3, XG 115 Rev.3 and XG 106 Rev.1 firewall models.
- For standalone firewalls already managed from Sophos Central, we recommend that you deregister them, configure HA, and reregister them for Sophos Central management. This will allow you to move the HA pair to a different group in Sophos Central if you want. See Manage an HA pair in Sophos Central.
High availability isn’t supported on wireless models.
Networking and access policy
- You must connect the cables to all the monitored ports on both devices.
The dedicated HA links must have unique IP addresses on both devices and can be one of the following:
- DMZ or unbound physical interfaces
- LAG or VLAN interfaces
You must turn on SSH on the DMZ zone for both devices.
- Ensure that the IP address of the dedicated HA link interface of the primary and auxiliary devices is in the same subnet.
- Before you configure HA, you must turn off DHCP and PPPoE on the HA interface.
- If you connect the HA devices to an Ethernet switch that uses the spanning tree protocol (STP), you may need to adjust the link activation time on the switch port connected to the Sophos Firewall interfaces. For example, on a Cisco Catalyst-series switch, you must turn on spanning tree port-fast for each port connecting to Sophos Firewall interfaces. This means you must turn on port-fast and turn off both spanning tree protocol (STP) and RSTP for the switch ports Sophos Firewall connects to.
- The dedicated HA link must use the default link speed and MTU-MSS.
- The HA link latency increases with distance. We recommend you turn off Spanning Tree Protocol (STP) on the dedicated HA link.
- The HA interface must be active, the network cable must be connected to both devices, and the auxiliary device must be reachable to establish HA. You'll see the error message "HA could not be enabled" if one or more of these conditions isn't met.
1U XGS series firewalls don't automatically establish HA when using a FleXi port as the dedicated HA port. To solve this issue, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.
- You must configure the firewall that carries the license subscription as the primary node during the initial HA setup.
- You must register the devices.
- In active-active mode, both devices require a license. Zero-day protection doesn't affect the HA setup regardless of the expiry date in each device.
- In active-passive mode, you require a license only for the primary device. You don't require a license for the auxiliary device.
- If a software or virtual device is used, you need to purchase only one base license. When you register the serial number of the primary device, SFOS creates the auxiliary device. You don't need to purchase a separate base firewall license or a separate serial number for the auxiliary device. In this case, you add the device to HA when you use the setup assistant.
Unsupported configurations for dedicated link port
The following configurations aren't supported for the dedicated HA link port:
DHCP and PPPoE: When the interfaces are dynamically configured using DHCP or PPPoE, the following applies:
- Active-active mode: Not supported.
- Active-passive mode: Supported, but session failover isn't supported.
Cellular WAN configuration.
- Alias IP addresses.
- Overriding the MAC address on the dedicated port.