Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=HABehavior

HA behavior

  • The following services do not run on the auxiliary device: routing service, VPN service, network service, sign-in server.
  • Session failover is not possible for AV scanned sessions or any other IPv4 forwarded traffic, like ICMP, UDP, multicast and broadcast traffic, traffic passing through proxy subsystem (transparent, direct and parent proxy traffic), and VPN traffic.
  • Session failover is not possible for IPv6 forwarded traffic like ICMPv6, UDP, multicast and broadcast traffic.
  • If any of the manual synchronization events from any of the HA cluster devices occur, all the masqueraded connections will be dropped.
  • Administrator privileges are required to access the auxiliary device the web admin console and can only be accessed by “admin” users and the live users/DHCP leases/IPsec live connections pages will not be displayed.
  • The deployment wizard will not be accessible for the auxiliary device.
  • If a backup without HA configuration is restored (after configuring HA) then HA will be disabled and the primary device will be accessible according to the backup configuration, while the auxiliary device will be accessible with the auxiliary admin IP address.
  • In active–active mode, mail will be quarantined separately on both the devices, as SMTP proxy traffic is load balanced in a round-robin manner.
  • In active–passive mode, mail will be quarantined only on the primary device.
  • If quarantine digest is configured, both devices in the cluster will send quarantine digest.
  • Administrators can release quarantined mail of any and all users from both devices.
  • Users can release quarantined mail from the user portal. The user portal displays only mail quarantined on the primary device. Users can also release them from the quarantine digest mailed from the primary.
  • HA will be disabled if you run the deployment wizard.