About high availability

Sophos XG Firewall supports high availability. This ensures WAN connectivity, appliance availability, and failover of traffic and services, which minimizes downtime and disruption to your network.

High availability (HA) allows you to place two firewalls in a group and synchronize their configuration. This prevents a single point of failure on your network. The two firewalls have a heartbeat connection, which ensures failover if one of the firewalls goes down.

HA terminology

This table explains the HA deployment terms we use in this guide.

Term

Description

Cluster

A group of two firewalls configured to work as a single entity. Every HA cluster has one primary firewall and one auxiliary firewall. The primary firewall controls how the cluster operates. The role of the auxiliary firewall in the cluster depends on the configuration mode.

Primary

XG Firewall that's configured as the main XG Firewall for the network. If both firewalls are online, this is the XG Firewall through which traffic flows.

The designation is dynamic: When the auxiliary device takes over, the designation changes from primary to auxiliary.

Auxiliary

XG Firewall that's configured as the secondary XG Firewall for the network. If both firewalls are online, this is the XG Firewall that is the inactive hot spare in active-passive mode. In active-active mode, the auxiliary firewall also processes the traffic.

Active

XG Firewall that's currently acting as the edge firewall for the network.

Passive

XG Firewall that's currently acting as an inactive hot spare (in active-passive HA mode) with no traffic passing through it.

Dedicated HA link

The dedicated HA link is a direct physical link between the firewalls in an HA cluster.

Monitored interface

A set of interfaces that you select to be monitored. Each firewall monitors its own selected interfaces, and if any of them goes down, the firewall removes itself from the cluster, and a failover occurs.

Heartbeat connection

XG Firewall sends a heartbeat packet over the dedicated HA link to check the status of each firewall in an HA cluster.

Hot spare

The auxiliary firewall in an active-passive cluster.

High availability modes

XG Firewall supports two High availability modes.

Mode

Description

Active-passive

In active-passive mode, in the event of the primary XG Firewall experiencing a failure, the auxiliary XG Firewall automatically takes over the processing of traffic. This maintains network functionality.

Active-active

In active-active mode, both the primary and auxiliary firewalls process traffic. The primary firewall receives all network traffic and load-balances the traffic using the auxiliary device to handle some traffic processing. In the event of a failure of the primary firewall, the auxiliary firewall takes over all network traffic processing.

Supported configuration modes

You can configure high availability in two ways. These are:

  • QuickHA. We recommend using this mode.
  • Interactive

Configuration mode

Description

QuickHA

QuickHA provides a way to easily set up Sophos XG Firewall as a high availability system with the minimum configuration steps by automatically selecting default configuration values.

Once HA is configured and enabled with QuickHA, you can configure advanced HA options. For example, the monitoring port, keep-alive timer, and failback to primary settings.

Interactive

Interactive mode allows you more control over the HA settings. In this mode, you can choose parameters that QuickHA would otherwise select automatically, such as assigned virtual MAC address and peer administration settings.

In this mode, you configure the auxiliary firewall first, followed by the primary.