Configure active-passive HA using interactive mode

How to use interactive mode to configure an active-passive HA cluster.

To configure active-passive HA, do as follows:

  1. Sign in to the firewall that will be the auxiliary device.
  2. Go to System services > High availability.
  3. Specify the initial HA device state.

    Option | Description
    Initial device role | Auxiliary
  4. Select Interactive mode.

  5. A passphrase is generated automatically. You can also change it manually.

    Note

    The devices in the cluster must have the same passphrase.

  6. Select a dedicated HA link.

    Option | Description
    Dedicated HA link | The link to be monitored. Peers in an HA cluster continuously monitor the dedicated HA link and the interfaces configured to be monitored.

    Note

    The peer device must use the same HA link. Specify this port as the HA link port on the peer. For example, if you choose port E on the primary device, you must also choose port E on the auxiliary device.

    Note

    The IP address of the HA link on the peer device must be on the same subnet as the HA link IP address of this device.

  7. Click Save.

  8. Sign in to the firewall that will be the primary device.
  9. Go to System services > High availability.
  10. Specify the initial HA device state.

    Option | Description
    Initial device role | Primary (active-passive)
  11. Select Interactive mode.

  12. Assign a cluster ID, if required.

    A cluster is a pair of devices operating in HA. Devices in the same cluster must share the same cluster ID.

    If you have multiple HA clusters, assign a different ID to each cluster.

    Note

    Sophos Firewall uses the cluster ID when it generates the virtual MAC address. For more information about the virtual MAC address, see HA architecture and design.

  13. A passphrase is generated automatically. You can also change it manually.

    Note

    The devices in the cluster must have the same passphrase.

  14. Select a dedicated HA link.

    Option | Description
    Dedicated HA link | The link to be monitored. Peers in an HA cluster continuously monitor the dedicated HA link and the interfaces configured to be monitored.

    Note

    The peer device must use the same HA link. Specify this port as the HA link port on the peer. For example, if you choose port E on the primary device, you must also choose port E on the auxiliary device.

    Note

    The IP address of the HA link on the peer device must be on the same subnet as the HA link IP address of this device.

  15. Select ports to be monitored for HA status. If any monitored port goes down, the device leaves the cluster, and a failover takes place.

    Note

    This feature isn't supported in virtual security devices.

  16. Specify Peer administration settings.

    Option | Description
    Interface | Port that is used for administration purposes on the auxiliary device.
    IPv4 address | IPv4 address that provides access to the web admin console of the auxiliary device.
    IPv6 address | IPv6 address that provides access to the web admin console of the auxiliary device.

    Note

    You can't enable HA if you turned on STP on a bridge interface.

    Note

    To access the peer administration IP address, you must use a machine on the same LAN, and you must not connect through the primary device.

  17. Specify the keepalive request interval in milliseconds. You can use a value from 250 to 500. The default is 250.

  18. Specify the number of keepalive attempts. You can use a value from 16 to 24. The default is 16.

    Note

    You can't set the keepalive interval and keepalive attempts for devices in standalone and fault modes.

  19. Select the checkbox if you want to use the host- or hypervisor-assigned MAC address. For hardware firewalls, this option uses the physical MAC address of the device instead of a virtual MAC address.

    This removes the need to turn on promiscuous mode on your physical switches or the vSwitch, but it may cause downtime while the forwarding tables on neighbouring switches update. If promiscuous mode is already turned on, you must turn it off.

    Note

    This setting applies to all firewall models, including hardware firewalls.

  20. Specify whether the system should fall back to the primary device when it recovers.

    In the event of a failover, traffic is routed through the auxiliary device. If you want traffic to move back to the primary device automatically when it recovers, select this option.

    Note

    If the device is in standalone or fault mode, this functionality isn't supported.

  21. Click Initiate HA. The primary device pushes its configuration to the auxiliary device.
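The notes in the steps above state several constraints that must hold across both devices before HA can come up (same passphrase, same cluster ID, same dedicated HA link port, HA link addresses on one subnet, keepalive values within range, no port monitoring on a virtual device, no STP on a bridge interface). The following is an added pre-check script, not part of this page and not Sophos Firewall code or its configuration format: it models the settings the procedure asks for and reports every constraint the pair violates, so a mismatch is caught before Initiate HA is clicked. The class and field names are this example's own assumptions, the sample device pairs are constructed, and the detection-time estimate rests on an assumption that is labelled in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Allowed ranges exactly as the procedure states them.
KEEPALIVE_INTERVAL_MS = (250, 500)
KEEPALIVE_ATTEMPTS = (16, 24)


@dataclass
class HaDeviceConfig:
    """Constructed model of one firewall's HA settings.

    Field names are this example's own assumptions, not Sophos configuration keys.
    """
    name: str
    role: str                      # "primary" or "auxiliary"
    cluster_id: int
    passphrase: str
    ha_link_port: str              # dedicated HA link, e.g. "PortE"
    ha_link_ip: str                # CIDR form so the subnet check is possible, e.g. "192.0.2.1/24"
    monitored_ports: List[str] = field(default_factory=list)
    keepalive_interval_ms: int = 250
    keepalive_attempts: int = 16
    is_virtual: bool = False       # virtual security device
    stp_on_bridge: bool = False    # STP turned on for a bridge interface


def check_device(dev: HaDeviceConfig) -> List[str]:
    """Constraints that apply to one device, returned as a list of problem strings."""
    problems = []
    lo, hi = KEEPALIVE_INTERVAL_MS
    if not lo <= dev.keepalive_interval_ms <= hi:
        problems.append(f"{dev.name}: keepalive interval {dev.keepalive_interval_ms} ms is outside {lo}-{hi}")
    lo, hi = KEEPALIVE_ATTEMPTS
    if not lo <= dev.keepalive_attempts <= hi:
        problems.append(f"{dev.name}: keepalive attempts {dev.keepalive_attempts} is outside {lo}-{hi}")
    if dev.is_virtual and dev.monitored_ports:
        problems.append(f"{dev.name}: port monitoring isn't supported on virtual security devices")
    if dev.stp_on_bridge:
        problems.append(f"{dev.name}: HA can't be enabled while STP is on a bridge interface")
    try:
        ipaddress.ip_interface(dev.ha_link_ip)
    except ValueError:
        problems.append(f"{dev.name}: HA link address {dev.ha_link_ip!r} is not a valid address/prefix")
    return problems


def check_pair(primary: HaDeviceConfig, auxiliary: HaDeviceConfig) -> List[str]:
    """Constraints that apply across the two peers. An empty list means the pair is consistent."""
    problems = check_device(primary) + check_device(auxiliary)
    if primary.role != "primary" or auxiliary.role != "auxiliary":
        problems.append("roles must be one primary and one auxiliary")
    if primary.cluster_id != auxiliary.cluster_id:
        problems.append("cluster IDs differ; devices in the same cluster must share the cluster ID")
    if primary.passphrase != auxiliary.passphrase:
        problems.append("passphrases differ; both devices must use the same passphrase")
    if primary.ha_link_port != auxiliary.ha_link_port:
        problems.append(f"HA link ports differ ({primary.ha_link_port} vs {auxiliary.ha_link_port}); choose the same port on both")
    try:
        p_net = ipaddress.ip_interface(primary.ha_link_ip).network
        a_net = ipaddress.ip_interface(auxiliary.ha_link_ip).network
        if p_net != a_net:
            problems.append(f"HA link addresses are on different subnets ({p_net} vs {a_net})")
    except ValueError:
        pass  # already reported by check_device
    return problems


def worst_case_detection_ms(primary: HaDeviceConfig) -> int:
    """Rough time before the peer is considered lost.

    Assumption made by this example (the page does not state the formula): the peer
    is declared down after `keepalive_attempts` consecutive keepalives, sent every
    `keepalive_interval_ms`, go unanswered.
    """
    return primary.keepalive_interval_ms * primary.keepalive_attempts


# Constructed sample pair that follows the procedure: same passphrase, cluster ID and
# HA link port, HA link addresses on one subnet, keepalive settings at the defaults.
EXAMPLE_PRIMARY = HaDeviceConfig(
    name="fw-1", role="primary", cluster_id=1, passphrase="example-passphrase",
    ha_link_port="PortE", ha_link_ip="192.0.2.1/24", monitored_ports=["Port1", "Port2"],
)
EXAMPLE_AUXILIARY = HaDeviceConfig(
    name="fw-2", role="auxiliary", cluster_id=1, passphrase="example-passphrase",
    ha_link_port="PortE", ha_link_ip="192.0.2.2/24",
)
# Constructed mismatched peer: different cluster ID, passphrase, HA link port and subnet,
# plus port monitoring on a virtual device.
EXAMPLE_BAD_AUXILIARY = HaDeviceConfig(
    name="fw-2", role="auxiliary", cluster_id=2, passphrase="something-else",
    ha_link_port="PortF", ha_link_ip="198.51.100.2/24", monitored_ports=["Port1"], is_virtual=True,
)

if __name__ == "__main__":
    for label, aux in (("good pair:", EXAMPLE_AUXILIARY), ("bad pair:", EXAMPLE_BAD_AUXILIARY)):
        print(label, check_pair(EXAMPLE_PRIMARY, aux) or "OK")
    print("worst-case detection ms:", worst_case_detection_ms(EXAMPLE_PRIMARY))
```

With the defaults (250 ms, 16 attempts) the estimate is 4000 ms; the page only gives the ranges, so treat the figure as a planning aid rather than a documented failover time. Running the script with the mismatched peer lists all five violations at once, which is cheaper than discovering them one at a time after Initiate HA.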