Skip to content

Manage an HA pair in Sophos Central

You want to add and manage a high availability (HA) pair in Sophos Central.

How you upgrade depends on how your firewalls are set up. You can set up the firewalls in either of the following ways:

  1. You're managing your firewalls in Sophos Central, but they aren't in an HA pair.
  2. Your firewalls are in an HA pair, but you aren't managing them in Sophos Central.

    Note

    If your HA devices are on 18.0 MR3 or earlier and are registered with Sophos Central, you must deregister them and upgrade them to 18.0 MR4 or later. You can then register the devices with Sophos Central.

Manage your HA pair in Sophos Central

You have two Sophos Firewall devices in an HA pair. You want to manage them as an HA pair in Sophos Central.

Here's an example of an active-passive HA pair.

An HA Pair in Sophos Firewall.

  1. Upgrade the primary firewall to 18.5 MR1. See Move to a different firmware version.

    This automatically upgrades the auxiliary firewall.

  2. On the primary Sophos Firewall, go to Central synchronization and click Register both HA devices to register the HA pair.

    Register your HA devices.

    The registration information is updated as follows:

    Sophos Firewall devices registered.

  3. Once registration is complete, turn on central management. See How to enable Sophos Central management of your Sophos Firewall.

  4. In Sophos Central, next to the primary firewall, select Approval Pending and click Accept Services.

    Accept Services.

    After a few minutes, Sophos Central shows the firewalls as a single HA pair.

    An HA pair managed in Sophos Central.

You can now manage the HA pair in Sophos Central. Any configuration changes you make in Sophos Central apply to both firewalls.

Create an HA pair from your centrally managed firewalls

You have two standalone firewalls running 18.0 MR3 managed from Sophos Central. You want to import the configuration from one of them and manage them as an HA pair.

Warning

For standalone firewalls already managed from Sophos Central, we recommend that you deregister them, configure HA, and reregister them for Sophos Central management. This will allow you to move the HA pair to a different group in Sophos Central if you want.

  1. Upgrade both firewalls to 18.5 MR1 or later. See Move to a different firmware version.

    Here's an example of two separate firewalls managed in Sophos Central.

    Two separate firewalls managed in Sophos Central.

  2. On your Sophos Firewall, create the HA pair. See High availability.

    You can form an active-active or active-passive HA pair.

    Once you create the HA pair, Sophos Central shows it as a single HA pair.

    An HA pair managed in Sophos Central.

You can now manage the firewalls as an HA pair in Sophos Central.