How to manage a HA pair from Sophos Central

Follow these instructions to add a high availability (HA) pair to Sophos Central and manage both devices there.

Introduction

Before you follow the steps in this topic, make sure that you do the following:

  • Establish a HA link pair. In this example, you have two XG firewalls in a HA pair. XG1 is the primary device, and XG2 is the auxiliary device.
  • Make sure both firewalls are running version 18.0.MR3.

Restriction: You must upgrade your firewalls to version 18.0.MR3 before registering them with Sophos Central. You won't be able to register your firewalls before upgrading them, and they won't show in Sophos Central.

Add XG1 to Sophos Central

  1. On XG1, go to Central synchronization and register the firewall with Sophos Central.
  2. Turn on central management.

    Image showing the Central Synchronization page.

    For more information, see Central Synchronization.

  3. In Sophos Central, go to Firewall Management > Firewalls.

    Under Ungrouped, you'll see XG1 and XG2. The Sync and Management status of XG1 is Approval Pending. The Sync and Management status of XG2 is Management Disabled.

    The following image shows the status of the HA pair on the Firewalls page.


    Image showing the HA pair on the firewalls page.
  4. Click Accept Services for XG1.

    Image showing how to accept services.

    XG1 connects to Sophos Central.

    The Sync and Management status of XG1 is now Connected. The Sync and Management status of XG2 is Management Disabled.

    Note: XG2 may show as Disconnected if thirty minutes have passed since registration.

Add XG2 to Sophos Central

  1. Perform a manual failover, so the devices switch from primary to auxiliary and vice versa.

    You can either reboot XG1, or on XG1, go to System services > High availability and click Switch to passive device.

    XG2 is now the primary device, and XG1 is the auxiliary device.

  2. Sign in to XG2.
  3. Go to Central synchronization, and register the firewall with Sophos Central.
  4. Turn on central management.

    For more information, see Central Synchronization.

  5. In Sophos Central, go to Firewall Management > Firewalls.
    The Sync and Management status of XG2 is now Approval Pending.
  6. Click Accept Services for XG2.

    XG2 connects to Sophos Central.

    The following image shows both firewalls connected to Sophos Central.


    Image showing the firewalls connected to Sophos Central.

You can now move both firewalls into a group and manage them as a HA pair. On failover, you won't need to re-register the firewalls or re-enable central management.

Points to note

  • You can't enable central management for both HA devices at the same time. You must enable central management on each device, by making each of them the active device sequentially. You only need to do this once.
  • Sophos Central doesn't show the devices as a pair. They are shown separately.
  • Don't move the devices into different groups. If you do this, the HA pair will get different configurations.
  • Configurations are pushed to the auxiliary device where they remain pending. You can ignore this because the configuration will synchronize using the local HA synchronizing mechanism.
  • In Sophos Central, the RP-SSO link is turned on for the auxiliary device, but you can't connect to the auxiliary device.
  • Configuration related to dynamic zones or gateways isn't replicated across the two devices. You need to do this manually.
  • HA pairs share Central Firewall Reporting licenses. The HA pair is treated as a single logical device for reporting purposes.