About HA

Sophos Firewall supports high availability. This ensures WAN connectivity, appliance availability, and failover of traffic and services, which minimizes downtime and disruption to your network.

High availability (HA) allows you to place two firewalls in a group and synchronize their configuration. This prevents a single point of failure on your network. The two firewalls have a heartbeat connection, which ensures failover if one of the firewalls goes down.

HA terminology

This table explains the HA deployment terms we use in this guide.

Term

Description

Cluster

A group of two firewalls configured to work as a single entity. Every HA cluster has one primary firewall and one auxiliary firewall. The primary firewall controls how the cluster operates. The role of the auxiliary firewall in the cluster depends on the configuration mode.

Primary

Sophos Firewall that's configured as the main Sophos Firewall for the network. If both firewalls are online, this is the Sophos Firewall through which traffic flows.

The designation is dynamic: When the auxiliary device takes over, the designation changes from primary to auxiliary.

Auxiliary

Sophos Firewall that's configured as the secondary Sophos Firewall for the network. If both firewalls are online, this is the Sophos Firewall that is the inactive hot spare in active-passive mode. In active-active mode, the auxiliary firewall also processes the traffic.

Active

Sophos Firewall that's currently acting as the edge firewall for the network.

Passive

Sophos Firewall that's currently acting as an inactive hot spare (in active-passive HA mode) with no traffic passing through it.

Dedicated HA link

The dedicated HA link is a direct physical link between the firewalls in an HA cluster.

Monitored interface

A set of interfaces that you select to be monitored. Each firewall monitors its own selected interfaces, and if any of them goes down, the firewall removes itself from the cluster, and a failover occurs.

Heartbeat connection

Sophos Firewall sends a heartbeat packet over the dedicated HA link to check the status of each firewall in an HA cluster.

Hot spare

The auxiliary firewall in an active-passive cluster.