You must meet the following requirements before HA can be configured.
Devices and firmware
- Devices in the HA cluster (primary and auxiliary) must be the same model and hardware revision. For example, an XG 210 rev3 can only be paired with another XG 210 rev3; an XG 230, or even an SG 210, can't be used.
- All devices must have the same number of ports or interfaces. This includes when any FleXi port expansion modules are installed.
- The devices must have the same firmware version installed. This includes maintenance releases and hotfixes.
High availability isn’t supported on wireless models.
Networking and access policy
- The cables to all the monitored ports on both devices must be connected.
- The dedicated HA link port must be a member of a zone with the type DMZ, and have a unique IP address on both devices.
- You must turn on SSH, on the DMZ zone, for both devices.
- Ensure that the IP address of the HA link port of the primary and auxiliary devices is in the same subnet.
- DHCP and PPPoE must be disabled on the HA interface before attempting HA configuration.
- If you connect the HA devices to an Ethernet switch that uses the spanning tree protocol (STP), you may need to adjust the link activation time on the switch ports connected to the Sophos Firewall interfaces. For example, on a Cisco Catalyst-series switch, you must turn on spanning tree port-fast on each port that connects to a Sophos Firewall interface: that is, turn on port-fast and turn off both spanning tree protocols, STP and RSTP, on those switch ports.
- The dedicated HA link must use the default link speed and MTU-MSS.
- The HA link latency increases with distance. We also recommend that you turn off spanning tree protocol (STP) on the dedicated HA link.
For 1U XGS series firewalls, HA is not automatically established when using a FleXi Port as the dedicated HA port. To solve this issue, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.
Licensing
- You must configure the firewall that carries the license subscription as the primary node during the initial HA setup.
- You must register the devices.
- In active-active mode, both devices require a license. Sandstorm does not affect the HA setup regardless of the expiry date in each device.
- In active-passive mode, you require a license only for the primary device. No license is needed for the auxiliary device.
- If a software or virtual device is used, you need to purchase only one base license. When that serial number is registered, SFOS manages the creation of the passive device; there’s no need to purchase a separate base firewall license for the passive device or a separate serial number. In this case, you add the device to HA when you use the setup assistant.
The following configurations aren't supported on an HA cluster:
- DHCP and PPPoE: When interfaces are dynamically configured using DHCP or PPPoE, only HA in active-passive mode is supported. HA in active-active mode isn’t supported. Cellular WAN configuration isn’t supported in any HA mode.
- Alias IP addresses or VLANs on dedicated HA port.
- Overriding the MAC address on the dedicated port.
- Dynamic IP addresses on any interface in active-active mode.
- Session failover with dynamic interfaces in active-passive mode.
- LAG (LACP or LLDP) on the dedicated HA interface.
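The requirements above are easy to miss one at a time, so the following added example (not Sophos code, and not an SFOS API; the `Node` schema, `make_node`, the sample values and the message strings are all assumptions constructed for this illustration) encodes them as a preflight check you can run against a snapshot of each device's settings before attempting HA configuration. It covers both the requirements lists and the unsupported-configuration list, including the licensing difference between active-active and active-passive mode and the subnet check on the dedicated HA link addresses.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_interface
from typing import List


@dataclass
class Node:
    """Constructed snapshot of one firewall's HA-relevant settings (hypothetical schema)."""
    name: str
    model: str              # e.g. "XG 210"
    revision: str           # hardware revision, e.g. "rev3"
    port_count: int         # physical ports, including any FleXi port modules
    firmware: str           # full version incl. maintenance release / hotfix
    ha_zone_type: str       # zone type of the dedicated HA port
    ha_link_ip: str         # address/prefix on the dedicated HA port, e.g. "10.200.0.1/24"
    ssh_on_dmz: bool        # SSH enabled for the DMZ zone
    ha_link_dhcp: bool      # DHCP on the HA interface
    ha_link_pppoe: bool     # PPPoE on the HA interface
    ha_link_alias_count: int
    ha_link_vlan_count: int
    ha_link_mac_override: bool
    ha_link_lag: bool       # LACP/LLDP aggregation on the HA interface
    registered: bool
    licensed: bool
    dynamic_wan: bool       # any interface configured by DHCP or PPPoE
    cellular_wan: bool


def make_node(name: str, **overrides) -> Node:
    """Build a node that satisfies every requirement, then apply overrides (constructed values)."""
    base = Node(name=name, model="XG 210", revision="rev3", port_count=8,
                firmware="SFOS-CONSTRUCTED-1", ha_zone_type="DMZ",
                ha_link_ip="10.200.0.1/24", ssh_on_dmz=True, ha_link_dhcp=False,
                ha_link_pppoe=False, ha_link_alias_count=0, ha_link_vlan_count=0,
                ha_link_mac_override=False, ha_link_lag=False, registered=True,
                licensed=True, dynamic_wan=False, cellular_wan=False)
    return replace(base, **overrides)


def ha_preflight(primary: Node, auxiliary: Node, mode: str) -> List[str]:
    """Return a list of requirement violations; an empty list means the pair is eligible."""
    if mode not in ("active-active", "active-passive"):
        return [f"unknown HA mode {mode!r}"]
    problems: List[str] = []
    pair = (primary, auxiliary)

    # Devices and firmware: identical model, revision, port count and firmware build.
    if (primary.model, primary.revision) != (auxiliary.model, auxiliary.revision):
        problems.append("model/revision mismatch")
    if primary.port_count != auxiliary.port_count:
        problems.append("port count mismatch")
    if primary.firmware != auxiliary.firmware:
        problems.append("firmware mismatch")

    # Dedicated HA link: DMZ zone, SSH on, static addressing, no alias/VLAN/MAC override/LAG.
    for n in pair:
        if n.ha_zone_type != "DMZ":
            problems.append(f"{n.name}: HA port not in a DMZ zone")
        if not n.ssh_on_dmz:
            problems.append(f"{n.name}: SSH not enabled on DMZ zone")
        if n.ha_link_dhcp or n.ha_link_pppoe:
            problems.append(f"{n.name}: DHCP/PPPoE enabled on HA interface")
        if n.ha_link_alias_count or n.ha_link_vlan_count:
            problems.append(f"{n.name}: alias IP or VLAN on HA port")
        if n.ha_link_mac_override:
            problems.append(f"{n.name}: MAC override on HA port")
        if n.ha_link_lag:
            problems.append(f"{n.name}: LAG on HA interface")
    try:
        p_if, a_if = ip_interface(primary.ha_link_ip), ip_interface(auxiliary.ha_link_ip)
    except ValueError:
        problems.append("HA link IP not parseable")
    else:
        if p_if.ip == a_if.ip:
            problems.append("HA link IPs not unique")
        if p_if.network != a_if.network:
            problems.append("HA link IPs not in same subnet")

    # Licensing: both registered; primary licensed; auxiliary licensed only for active-active.
    for n in pair:
        if not n.registered:
            problems.append(f"{n.name}: not registered")
    if not primary.licensed:
        problems.append("primary: no license")
    if mode == "active-active" and not auxiliary.licensed:
        problems.append("auxiliary: active-active requires a license on both devices")

    # Unsupported configurations.
    if mode == "active-active" and any(n.dynamic_wan for n in pair):
        problems.append("dynamic (DHCP/PPPoE) interface not supported in active-active")
    if any(n.cellular_wan for n in pair):
        problems.append("cellular WAN not supported in any HA mode")
    return problems


if __name__ == "__main__":
    primary = make_node("primary")
    auxiliary = make_node("auxiliary", ha_link_ip="10.200.0.2/24", licensed=False)
    for mode in ("active-passive", "active-active"):
        print(mode, ha_preflight(primary, auxiliary, mode) or "OK")
```

Run it as-is and the constructed pair passes in active-passive mode but fails in active-active mode on the auxiliary license, which is exactly the distinction the licensing list draws. Feed it snapshots of real devices (gathered however you normally export settings) and any non-empty list tells you what to fix before you start the HA setup.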