Last update: 2021-10-04

HA prerequisites

You can establish an HA link pair with one of the following methods:

  • Directly, using a crossover cable.
  • Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.

Note

Use a network medium that can forward non-routable multicast packets.

Caution

For 1U XGS series firewalls, HA is not automatically established when using a FleXi Port as the dedicated HA port. To solve this issue, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.

Prerequisites

  • Cables to all the monitored ports on both devices must be connected.
  • The devices in the HA cluster must be the same model and revision.
  • The devices must be registered.
  • The devices must have the same number of interfaces.
  • The devices must have the same firmware version installed (including maintenance releases and hot fixes).
  • For an active-active configuration, one license for each device is required.
  • For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
  • The devices must have the same subscription modules enabled.
  • On both devices, the dedicated HA link port must be a member of the same zone with the type DMZ, and must have a unique IP address.
  • Access over SSH on the DMZ zone must be enabled for both Sophos Firewall devices.
  • DHCP and PPPoE configuration must be disabled before attempting HA configuration.
  • HA link latency increases with distance. We recommend that you disable spanning tree protocol (STP) on the dedicated HA link.
  • For the switch ports Sophos Firewall connects to, turn on portfast. Turn off the spanning tree protocols STP and RSTP.