Additional configuration for virtual hosts

When running a virtual HA cluster, additional configuration of the hypervisor is required.

VMWare ESXi

When using ESXi, change the port group security settings, MAC address changes and Forged transmit to accept. You can do this either at the vSwitch or port group level. If you configure this on the vSwitch, the port group settings must inherit the settings from the vSwitch.

The following image shows the changes at the vSwitch level.

vSwitch level settings.

The following image shows the port group settings when MAC address changes and Forged transmit have been configured on the vSwitch.

Port group settings when configuration is done on vSwitch.

The following image shows the MAC address changes and Forged transmit settings being configured at the port group level only.

Port group settings when no changes are made at the vSwitch level.

HyperV

If you use HyperV, you must turn on Enable MAC address spoofing on all network adapters of the Sophos Firewall HA virtual machine, except the network adapter used for the dedicated HA link. Do as follows:

  1. Go to Advanced features.
  2. Click Enable MAC address spoofing.

The following screenshot shows where you must turn on MAC address spoofing.

Enable MAC address spoofing in HyperV.