Answers to the most frequently asked questions covering licensing, Flexi port modules, feature, and hard support.
"Which licenses do I need when I have two devices in high-availability mode?"
For active-active mode:
- Each device requires its own subscriptions, and the active subscriptions must match on both devices.
- Zero-day protection doesn't affect the HA setup regardless of the expiry date on each device.
For active-passive mode:
Only the active device requires a license subscription. Sophos Firewall ensures the passive device has a copy of those subscriptions, so it can take on processing if the active device fails.
It’s therefore vital that the subscriptions are activated on the intended active device. You must ensure that HA is turned on only from the device which has a valid subscription.
For a virtual or software device, purchase only one base license, and once you've registered that serial number, Sophos Firewall creates the passive device. You don't need to purchase a separate base firewall license or a separate serial number for the passive device.
- The firewall that carries the license subscription must be configured as the primary node in the HA initial setup.
To check which node is the initial primary, do as follows:
- Sign in to the Sophos Firewall SSH terminal using the admin account.
- Press 5 to select 5. Device Management and then press 3 to select 3. Advanced Shell.
Enter the following commands:
nvram get "#li.serial"
nvram get "#li.master"
If the output of nvram get "#li.master" is YES, this Sophos Firewall is the initial HA primary device. For example:
XG210_WP02_SFOS 17.1.2 MR-2# nvram get "#li.master" YES
If the output of nvram get "#li.master" is NO, this Sophos Firewall is initial auxiliary device. For example:
XG210_WP02_SFOS 17.1.2 MR-2# nvram get "#li.master" No
The output of
nvram get "#li.serial"shows the serial number of Sophos Firewall.
Active–Passive mode isn’t available for Sophos Firewall in Azure.
"Is the synchronized application control feature supported in active-active mode?"
"Is it possible to establish an HA pair between XG 210 and an SG 210?"
No. XG 210 can only connect to another XG 210 in HA. An XG 230 or even an SG 210 can't be used.
"What happens if I manually synchronize the HA?"
If you manually synchronize any of the HA cluster devices, the firewall drops all the masqueraded connections.
"What happens if I restore a backup without HA configuration after enabling HA?"
If a backup without HA configuration is restored after configuring HA, then HA is disabled. The primary device is accessible according to the backup configuration. The auxiliary device is accessible with the auxiliary admin IP address.