Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=HAPrerequisites

HA prerequisites

You can establish an HA link pair with one of the following methods:

  • Directly, using a crossover cable.
  • Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.

Note

Use the network medium that is capable of forwarding non-routable multicast packets.

Restriction

For 1U XGS series firewalls, HA isn't automatically established when using a FleXi Port as the dedicated HA port. For more information, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.

Prerequisites

  • Cables to all the monitored ports on both devices must be connected.
  • The devices in the HA cluster must be the same model and revision.
  • The devices must be registered.
  • The devices must have the same number of interfaces.
  • The devices must have the same firmware version installed (including maintenance releases and hotfixes).
  • For an active-active configuration, one license for each device is required.
  • For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
  • The devices must have the same subscription modules turned on.
  • On both devices, the dedicated HA link port must be a member of the same zone with the type DMZ and must have a unique IP address. Also, SSH must be turned on for both devices on the DMZ zone.
  • Access over SSH on the DMZ zone must be turned on for both Sophos Firewall devices.
  • DHCP and PPPoE configuration must be disabled before attempting HA configuration.
  • HA link latency increases with distance. We recommend that you turn off spanning tree protocol (STP) on the dedicated HA link.
  • For the switch ports Sophos Firewall connects to, turn on portfast. Turn off the spanning tree protocols STP and RSTP.

  • The firewall doesn't support the following configurations and models:

    • VLAN on the management interface
    • LAG on the management interface
    • Wireless (w) models