You can establish an HA link pair with one of the following methods:
- Directly, using a crossover cable.
- Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.
- Using a layer 2 switch. To avoid HA heartbeat information propagating to the rest of the network’s broadcast domain, you must only connect the dedicated HA link pair ports to that switch. HA traffic is non-routable traffic.
Use a network medium that can forward non-routable multicast packets.
For 1U XGS series firewalls, HA is not automatically established when using a FleXi Port as the dedicated HA port. To solve this issue, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.
- Make sure the LAN IP address of the primary and auxiliary devices is different (but part of the same subnet) to avoid confusion between the two.
- Connect the cables to all the monitored ports on both devices.
- The devices in the HA cluster must be the same model and revision.
- The devices must be registered.
- The devices must have the same number of interfaces.
- The devices must have the same firmware version installed (including maintenance releases and hotfixes). You can verify the firmware version by running the following console command:
system diagnostics show version-info
- For an active-active configuration, one license for each device is required.
- For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
- The devices must have the same subscription modules turned on.
- On both devices, the dedicated HA link port must be a member of the same zone with the type DMZ and have a unique IP address.
- HA link latency increases with distance. We recommend that you turn off the spanning tree protocol (STP) on the dedicated HA link.
- For the switch ports that Sophos Firewall connects to, turn on portfast. Turn off the spanning tree protocols STP and RSTP.
- The firewall doesn't support the following configurations and models:
  - VLAN on the management interface.
  - LAG on the management interface.
  - Wireless XG (w).
- Take a backup of both firewalls and download the backups before configuring HA.
- If the firewalls have a long uptime, restart the firewalls before configuring HA.
- Both devices must be using a supported firmware version. We also recommend that both devices be on the latest firmware version.
- Turn on SSH access on the DMZ zone for both Sophos firewall devices.
- Turn off DHCP and PPPoE before you set up HA.
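The checklist above is easy to get subtly wrong (a matching major version with a different hotfix, two LAN addresses that differ but sit in different subnets, a licence missing on the auxiliary in active-active mode). The following pre-flight validator is an added example, not Sophos code: it encodes each prerequisite from the list as a check over operator-supplied device records. The `Device` fields and the sample devices are this example's own constructed data, not a Sophos API; the firmware string is what you would copy from `system diagnostics show version-info` on each device.

```python
"""Pre-flight validator for a Sophos Firewall HA pair.

Added example, not Sophos code. Each check encodes one prerequisite from
the HA checklist. The Device records are filled in by the operator; the
field names and the sample data below are constructed for this example
and are not a Sophos API.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    revision: str
    firmware: str            # full version string, including MR and hotfix
    interface_count: int
    registered: bool
    licensed: bool
    lan_ip: str              # CIDR notation, e.g. "192.0.2.10/24"
    ha_link_ip: str          # address on the dedicated HA link port
    ha_link_zone: str
    ha_link_zone_type: str   # must be "DMZ"
    subscriptions: frozenset
    dhcp_enabled: bool
    pppoe_enabled: bool
    wireless: bool = False   # XG (w) models are not supported


def check_pair(primary: Device, auxiliary: Device, mode: str) -> list:
    """Return the list of violated prerequisites; an empty list means go."""
    if mode not in ("active-active", "active-passive"):
        raise ValueError(f"unknown HA mode: {mode}")
    problems = []

    # Pairwise checks: the two devices must match exactly.
    if (primary.model, primary.revision) != (auxiliary.model, auxiliary.revision):
        problems.append("model/revision differ")
    if primary.firmware != auxiliary.firmware:
        problems.append(f"firmware differs: {primary.firmware!r} vs {auxiliary.firmware!r}")
    if primary.interface_count != auxiliary.interface_count:
        problems.append("interface counts differ")
    if primary.subscriptions != auxiliary.subscriptions:
        diff = ", ".join(sorted(primary.subscriptions ^ auxiliary.subscriptions))
        problems.append(f"subscription modules differ: {diff}")
    if primary.ha_link_zone != auxiliary.ha_link_zone:
        problems.append("HA link ports are not in the same zone")

    # Per-device checks.
    for d in (primary, auxiliary):
        if not d.registered:
            problems.append(f"{d.name}: device is not registered")
        if d.wireless:
            problems.append(f"{d.name}: wireless (w) model is not supported")
        if d.ha_link_zone_type != "DMZ":
            problems.append(f"{d.name}: HA link zone type must be DMZ")
        if d.dhcp_enabled or d.pppoe_enabled:
            problems.append(f"{d.name}: turn off DHCP and PPPoE before HA setup")

    # Licensing: active-active needs a licence per device; active-passive
    # needs one only on the primary.
    if not primary.licensed:
        problems.append(f"{primary.name}: primary device must be licensed")
    if mode == "active-active" and not auxiliary.licensed:
        problems.append(f"{auxiliary.name}: active-active needs a licence on the auxiliary too")

    # LAN addresses: distinct hosts inside the same subnet.
    lan_p = ipaddress.ip_interface(primary.lan_ip)
    lan_a = ipaddress.ip_interface(auxiliary.lan_ip)
    if lan_p.ip == lan_a.ip:
        problems.append("LAN IP addresses are identical")
    elif lan_p.network != lan_a.network:
        problems.append("LAN IP addresses are not in the same subnet")

    # HA link addresses must be unique per device.
    if ipaddress.ip_address(primary.ha_link_ip) == ipaddress.ip_address(auxiliary.ha_link_ip):
        problems.append("HA link IP addresses are not unique")
    return problems


# Constructed sample devices (not real inventory data).
PRIMARY = Device("fw-1", "XGS 2100", "1", "20.0.1 MR-1", 8, True, True,
                 "192.0.2.1/24", "10.255.255.1", "HA-LINK", "DMZ",
                 frozenset({"Network Protection", "Web Protection"}), False, False)
AUX_OK = Device("fw-2", "XGS 2100", "1", "20.0.1 MR-1", 8, True, False,
                "192.0.2.2/24", "10.255.255.2", "HA-LINK", "DMZ",
                frozenset({"Network Protection", "Web Protection"}), False, False)
AUX_BAD = Device("fw-3", "XGS 2100", "1", "20.0.0", 8, True, False,
                 "192.0.2.1/24", "10.255.255.1", "HA-LINK", "LAN",
                 frozenset({"Network Protection"}), True, False)

if __name__ == "__main__":
    for aux, mode in ((AUX_OK, "active-passive"), (AUX_OK, "active-active"), (AUX_BAD, "active-passive")):
        print(f"{PRIMARY.name} + {aux.name} ({mode}):", check_pair(PRIMARY, aux, mode) or "OK")
```

Note that the firmware comparison is a plain string comparison on purpose: the checklist requires identical maintenance releases and hotfixes, so a looser "same major version" test would pass pairs that the firewall itself will refuse to cluster.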
Make sure that all DDNS providers support HA.
- At any given point in time, the DDNS service runs only on the primary (active) device for both HA modes (active-active or active-passive).
- The database will be in sync with the auxiliary device.
- When the primary device fails, the auxiliary device takes over, and the DDNS service is triggered by HA calls (resolver now resolves the auxiliary device IP address).
It takes 5 to 6 minutes for the auxiliary device to start the DDNS service in the event of failure.
HA Active-Active + TAP
- Currently, HA active-active mode isn't possible with discover (TAP) mode, because it would need to be conveyed through ARP. A TAP interface is an incoming interface only and doesn't apply to outgoing traffic.
- Synchronized application control isn't compatible with HA active-active mode and is turned off when you turn on HA in that mode.
HA Active-Passive + TAP
- Discover mode will work with HA active-passive mode.
- You can't configure HA if a TAP port is active. Deactivate the TAP port on both appliances using the command-line console first. After HA is established, you can activate the TAP port again.
- When HA is turned on, the passive device will have a TAP interface.