You can establish an HA link pair with one of the following methods:
- Directly, using a crossover cable.
- Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.
Use a network medium that can forward non-routable multicast packets.
For 1U XGS series firewalls, HA is not automatically established when using a FleXi Port as the dedicated HA port. To solve this issue, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.
- Cables to all the monitored ports on both devices must be connected.
- The devices in the HA cluster must be the same model and revision.
- The devices must be registered.
- The devices must have the same number of interfaces.
- The devices must have the same firmware version installed (including maintenance releases and hot fixes).
- For an active-active configuration, one license for each device is required.
- For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
- The devices must have the same subscription modules enabled.
- On both devices, the dedicated HA link port must be a member of the same zone, that zone must be of type DMZ, and each device's HA link port must have a unique IP address. Access over SSH on the DMZ zone must be enabled on both Sophos Firewall devices.
- DHCP and PPPoE configuration must be disabled before attempting HA configuration.
- HA link latency increases with distance. We recommend that you disable spanning tree protocol (STP) on the dedicated HA link.
- For the switch ports that Sophos Firewall connects to, turn on PortFast and turn off the spanning tree protocols (STP and RSTP).
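The prerequisite list above is easy to get wrong on one of the two appliances, so it helps to compare both devices side by side before starting the HA wizard. The script below is an added example, not Sophos code: it encodes the checks from this page (matching model, revision, firmware, interface count and subscriptions; registration; DMZ-type HA link zone with unique IPs; SSH on the DMZ zone; DHCP and PPPoE disabled; monitored ports cabled; licensing per HA mode) as a pure-Python validator. The `Device` fields and the sample device records are assumptions constructed for this example; fill them in by hand from each appliance's system information, as there is no Sophos API involved here.

```python
"""Pre-flight prerequisite check for a Sophos Firewall HA pair (added example,
not Sophos code). Device records are constructed by hand for illustration;
the field names are assumptions for this example, not a Sophos API.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    revision: str
    firmware: str            # including maintenance release and hotfix level
    interfaces: int
    registered: bool
    licensed: bool
    subscriptions: frozenset  # enabled subscription modules
    ha_link_zone: str         # zone the dedicated HA link port belongs to
    ha_link_zone_type: str    # must be "DMZ"
    ha_link_ip: str
    ssh_on_dmz: bool
    dhcp_enabled: bool
    pppoe_enabled: bool
    monitored_ports_connected: bool


def check_ha_pair(primary: Device, auxiliary: Device, mode: str) -> list[str]:
    """Return the list of prerequisite violations; an empty list means ready."""
    if mode not in ("active-active", "active-passive"):
        raise ValueError("mode must be 'active-active' or 'active-passive'")
    problems: list[str] = []
    pair = (primary, auxiliary)

    # Attributes that must be identical on both devices.
    for attr in ("model", "revision", "firmware", "interfaces",
                 "subscriptions", "ha_link_zone"):
        a, b = getattr(primary, attr), getattr(auxiliary, attr)
        if a != b:
            problems.append(f"{attr} differs: {a!r} vs {b!r}")

    # Requirements that apply to each device individually.
    for d in pair:
        if not d.registered:
            problems.append(f"{d.name}: device is not registered")
        if d.ha_link_zone_type != "DMZ":
            problems.append(f"{d.name}: HA link zone type is "
                            f"{d.ha_link_zone_type}, must be DMZ")
        if not d.ssh_on_dmz:
            problems.append(f"{d.name}: SSH is not enabled on the DMZ zone")
        if d.dhcp_enabled or d.pppoe_enabled:
            problems.append(f"{d.name}: disable DHCP and PPPoE before HA setup")
        if not d.monitored_ports_connected:
            problems.append(f"{d.name}: not all monitored ports are cabled")

    # The HA link IP addresses must be unique.
    if primary.ha_link_ip == auxiliary.ha_link_ip:
        problems.append(f"HA link IP {primary.ha_link_ip} is used on both devices")

    # Licensing depends on the HA mode: every device in active-active,
    # only the primary in active-passive.
    if mode == "active-active":
        for d in pair:
            if not d.licensed:
                problems.append(f"{d.name}: active-active needs a license on every device")
    elif not primary.licensed:
        problems.append(f"{primary.name}: active-passive needs a license on the primary")
    return problems


# Constructed sample records (values are illustrative, not real appliances).
PRIMARY = Device("fw-a", "XGS-example", "rev1", "firmware-X MR-2", 8, True, True,
                 frozenset({"base"}), "HA", "DMZ", "192.0.2.1",
                 True, False, False, True)
AUXILIARY = replace(PRIMARY, name="fw-b", licensed=False, ha_link_ip="192.0.2.2")
# A deliberately mismatched auxiliary: older firmware, no SSH on DMZ, duplicate IP.
BAD_AUXILIARY = replace(AUXILIARY, firmware="firmware-X MR-1",
                        ssh_on_dmz=False, ha_link_ip="192.0.2.1")


if __name__ == "__main__":
    for label, aux in (("good pair", AUXILIARY), ("bad pair", BAD_AUXILIARY)):
        print(label, "(active-passive):")
        for p in check_ha_pair(PRIMARY, aux, "active-passive") or ["no problems found"]:
            print("  -", p)
```

Run it as a script to see the report for both sample pairs; in practice, replace the constructed records with the real values read from each appliance and only proceed with the HA wizard when the list comes back empty.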