Last update: 2022-04-27

HA prerequisites

You can establish an HA link pair with one of the following methods:

  • Directly, using a crossover cable.
  • Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.
  • Using a layer 2 switch. To keep HA heartbeat information from propagating to the rest of the network's broadcast domain, connect only the dedicated HA link pair ports to that switch. HA traffic is non-routable traffic.


Use a network medium that can forward non-routable multicast packets.


For 1U XGS series firewalls, HA is not automatically established when using a FleXi Port as the dedicated HA port. To solve this issue, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.


  • Make sure the LAN IP addresses of the primary and auxiliary devices are different (but part of the same subnet) to avoid confusion between the two.
  • Connect the cables to all the monitored ports on both devices.
  • The devices in the HA cluster must be the same model and revision.
  • The devices must be registered.
  • The devices must have the same number of interfaces.
  • The devices must have the same firmware version installed (including maintenance releases and hotfixes). You can verify the firmware version by running the following console command: system diagnostics show version-info
  • For an active-active configuration, one license for each device is required.
  • For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
  • The devices must have the same subscription modules turned on.
  • On both devices, the dedicated HA link port must be a member of the same zone with the type DMZ and have a unique IP address.
  • HA link latency increases with distance. We recommend that you turn off the spanning tree protocol (STP) on the dedicated HA link.
  • For the switch ports that Sophos Firewall connects to, turn on portfast. Turn off the spanning tree protocols STP and RSTP.
  • The firewall doesn't support the following configurations and models:
    • VLAN on the management interface.
    • LAG on the management interface.
    • Wireless XG (w).
  • Take backups of the firewalls and download them before configuring HA.
  • If the firewalls have a long uptime, restart the firewalls before configuring HA.
  • Both devices must be using a supported firmware version. We also recommend that both devices be on the latest firmware version.
  • Turn on SSH access on the DMZ zone for both Sophos firewall devices.
  • Turn off DHCP and PPPoE before you set up HA.
  • Make sure that all DDNS providers support HA.

    • At any given point in time, the DDNS service runs only on the primary (active) device for both HA modes (active-active or active-passive).
    • The database will be in sync with the auxiliary device.
    • When the primary device fails, the auxiliary device takes over, and the DDNS service is triggered by HA calls (resolver now resolves the auxiliary device IP address).


    It takes 5 to 6 minutes for the auxiliary device to start the DDNS service in the event of failure.

  • HA Active-Active + TAP

    • Currently, HA active-active mode isn't possible with discover mode as it would need to convey through ARP. TAP mode is an incoming interface only and not applicable to outgoing traffic.
    • Synchronized application control isn't compatible with HA active-active mode and will be turned off if HA is turned on in active-active mode.
  • HA Active-Passive + TAP

    • Discover mode will work with HA active-passive mode.
    • You can't configure HA if a TAP port is active. Deactivate the TAP port on both appliances using the command-line console first. After HA is established, you can activate the TAP port again.
    • When HA is turned on, the passive device will have a TAP interface.
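
A pre-flight comparison of the two devices against the prerequisites listed above, as an added example that is not Sophos code. The inventory dictionaries, their key names and all values are hypothetical and constructed; fill them in from each device yourself (for example, the firmware string reported by system diagnostics show version-info).

```python
import ipaddress

# Hypothetical inventory keys; these values must be identical on both devices.
MUST_MATCH = ("model", "revision", "firmware", "interface_count", "subscriptions")

def ha_preflight(primary, auxiliary):
    """Return a list of HA prerequisite violations (empty list = ready)."""
    problems = [f"{k} differs: {primary[k]!r} vs {auxiliary[k]!r}"
                for k in MUST_MATCH if primary[k] != auxiliary[k]]
    # LAN addresses must differ but sit in the same subnet.
    lan_p = ipaddress.ip_interface(primary["lan_ip"])
    lan_a = ipaddress.ip_interface(auxiliary["lan_ip"])
    if lan_p.ip == lan_a.ip:
        problems.append("LAN IP addresses are identical")
    if lan_p.network != lan_a.network:
        problems.append("LAN IP addresses are in different subnets")
    # The dedicated HA link port needs a unique IP address on each device.
    ha_p = ipaddress.ip_interface(primary["ha_ip"])
    ha_a = ipaddress.ip_interface(auxiliary["ha_ip"])
    if ha_p.ip == ha_a.ip:
        problems.append("HA link IP addresses are not unique")
    for name, dev in (("primary", primary), ("auxiliary", auxiliary)):
        if dev["ha_zone_type"] != "DMZ":
            problems.append(f"{name}: HA link port is not in a DMZ-type zone")
        if not dev["registered"]:
            problems.append(f"{name}: device is not registered")
        if not dev["ssh_on_dmz"]:
            problems.append(f"{name}: SSH access is off on the DMZ zone")
        if dev["dhcp_or_pppoe_on"]:
            problems.append(f"{name}: DHCP or PPPoE is still turned on")
        if dev["tap_active"]:
            problems.append(f"{name}: TAP port is active")
    return problems

# Constructed sample inventory (placeholder values, not from real devices).
PRIMARY = {
    "model": "MODEL-A", "revision": "rev-1", "firmware": "FW-BUILD-1",
    "interface_count": 8, "subscriptions": frozenset({"network", "web"}),
    "lan_ip": "192.0.2.10/24", "ha_ip": "198.51.100.1/30",
    "ha_zone_type": "DMZ", "registered": True, "ssh_on_dmz": True,
    "dhcp_or_pppoe_on": False, "tap_active": False,
}
AUXILIARY = dict(PRIMARY, lan_ip="192.0.2.11/24", ha_ip="198.51.100.2/30")
# Same pair, but with a hotfix mismatch and a LAN address in another subnet.
MISMATCHED = dict(AUXILIARY, firmware="FW-BUILD-1-hotfix", lan_ip="192.0.2.140/25")

if __name__ == "__main__":
    for label, aux in (("matched", AUXILIARY), ("mismatched", MISMATCHED)):
        print(label, ha_preflight(PRIMARY, aux) or "ready")
```

An empty list means none of the checked prerequisites is violated; cabling, licensing and DDNS provider support still have to be confirmed by hand.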