Advanced configuration

You can change the following settings while HA is active without causing downtime.

Keepalive timer

The keepalive timer has the following settings:

  • The keepalive interval is the time between two successive keepalive requests.
  • The keepalive attempts value is the number of keepalive requests that can go unanswered before the peer is declared failed. For example, if you configure the keepalive interval to 250 ms and keepalive attempts to eight, the device is declared dead after 250 ms * 8 = 2 seconds. A shorter detection time gives faster failover, but makes a false failover more likely if the HA link is briefly congested or lossy.
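The following is an added example, not code from Sophos or this page: a small simulation of the failure detector the two settings describe. It assumes (this is not stated on the page) that the attempts counter tracks consecutive unanswered keepalives and is reset by any answered one, which is the usual semantics. It shows that the 250 ms * 8 figure is the worst case for a silent peer, and that intermittent loss below the threshold never triggers a failover.

```python
"""Simulated HA keepalive failure detection (added example; assumes
consecutive-miss counting, which the page does not state)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class KeepaliveDetector:
    interval_ms: int = 250          # time between keepalive requests
    attempts: int = 8               # unanswered requests tolerated before failure
    misses: int = field(default=0, init=False)
    failed: bool = field(default=False, init=False)

    def detection_time_ms(self) -> int:
        """Worst-case time to declare a completely silent peer dead."""
        return self.interval_ms * self.attempts

    def observe(self, answered: bool) -> bool:
        """Record one keepalive result; return True once the peer is declared failed."""
        if self.failed:
            return True
        if answered:
            self.misses = 0           # assumption: any reply resets the counter
        else:
            self.misses += 1
            if self.misses >= self.attempts:
                self.failed = True
        return self.failed


def time_to_failure(detector: KeepaliveDetector, results: List[bool]) -> Optional[int]:
    """Feed a constructed sequence of per-interval results (True = answered).
    Return the elapsed ms at which failure was declared, or None if it never was."""
    for n, answered in enumerate(results, start=1):
        if detector.observe(answered):
            return n * detector.interval_ms
    return None


if __name__ == "__main__":
    # Constructed traces, not captured from a real cluster.
    silent_peer = [False] * 8
    lossy_link = [False, False, True] * 5   # 10 misses in total, never 8 in a row
    slow_after_ok = [True, False, False, False]

    print("silent peer fails at ms:", time_to_failure(KeepaliveDetector(), silent_peer))
    print("lossy link fails at ms:", time_to_failure(KeepaliveDetector(), lossy_link))
    print("attempts=3 fails at ms:",
          time_to_failure(KeepaliveDetector(attempts=3), slow_after_ok))
```

Lowering the interval or the attempts count shortens every one of these times, but the lossy-link trace shows why the attempts value should not be set too low: a link that drops a couple of keepalives in a row is indistinguishable from a dead peer until the threshold is crossed.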

The image below shows the keepalive timer settings.

Keepalive configuration options

Cluster ID

A cluster is a pair of devices operating in HA. Devices in the same cluster must share the same cluster ID. If you have multiple HA clusters, assign a different ID to each cluster.

Monitoring ports

If any port you've selected for monitoring goes down, the device leaves the cluster and a failover takes place. Monitor only the ports whose loss should trigger a failover; an unused or test port that's taken down will otherwise cause an unnecessary failover.

Peer administration port

The port used for administration purposes on the auxiliary device.

Using the hypervisor-assigned MAC address

When you run a virtual Sophos Firewall device and select this option, the interfaces keep the MAC addresses assigned by the hypervisor, so you don't need to turn on promiscuous mode on the vSwitch.

Failing back to the primary device

When a failover occurs, traffic is routed through the auxiliary device. Select this option to move traffic back to the primary device automatically when it recovers.

When you set a preferred primary device, the cluster behaves as follows:

  1. The device you're signed in to when you turn on this option becomes the preferred primary.
  2. Whenever the preferred primary device restarts or comes up again after a failover, it restarts the peer device once all services are started and synchronized. It then becomes the primary device again.

The image below shows how this process works.

Failback to primary device process