Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=firewall-licenses-HA

High availability licensing

Active-passive HA

You must activate the licenses on the device you've configured as the initial primary. The licenses are synchronized with the secondary device.

The initial primary device can be the active or the passive device. The behavior is as follows:

  • Initial primary as the passive device: As long as the initial primary device works as the active or passive device, it synchronizes the licenses with the licensing server, and the HA cluster continues to protect the network.

  • Initial primary isn't working: If the initial primary device isn't working and can't synchronize with the licensing server at least once in 90 days, license protection is deactivated.

    For hardware appliances, only the Base Firewall and Enhanced Support license remain active.

    For virtual and software appliances, the Base Firewall license is also deactivated. As a result, HA is disabled.

For virtual appliances in HA, only one Base Firewall license is required. This doesn't apply to cloud appliances.

For active-passive mode, advance hardware replacement will be provided during the RMA process for the primary and auxiliary firewalls under warranty if you have an Enhanced Plus subscription for the primary firewall.

Active-active HA

Both devices carry licenses independently. When either of the devices is working and synchronizes with the licensing server, the HA cluster continues to protect the network. Both appliances must have the same type of licenses. License expiry dates can differ.

For a virtual appliance, the following conditions apply:

  • Both primary and auxiliary devices require individual Base Firewall licenses. If you purchase other licenses, both devices must have the same licenses.
  • HA is disabled if the Base Firewall license expires.
  • HA isn't disabled if active-active HA is established, but both devices have different license expiration dates.
  • If licenses are different during the initial setup, HA isn't enabled.

  • If the licenses on the two devices don't match, the following actions are taken:

    • If there's been a mismatch for less than or equal to three days, load balancing is disabled.
    • If there's been a mismatch for more than three days, HA is disabled.

More information