Skip to content

Configure active-passive HA using QuickHA

To configure the firewall as an active-passive HA cluster using QuickHA, do as follows:


You must make sure that both appliances have different IP addresses initializing the QuickHA mode. For example, you can't have both devices using the default address.

  1. Connect the Sophos Firewall devices using a network cable plugged into the dedicated HA port on both units.
  2. Sign in to the web admin console of the primary Sophos Firewall device and go to System services > High availability.
  3. Select Primary (Active-Passive) as the Initial device role.
  4. Ensure QuickHA is selected. You'll see default settings (which you can change), as described in the steps that follow.
  5. QuickHA generates a passphrase automatically. You can also change the passphrase manually.


    The passphrase is used only once to generate the SSH keys used to encrypt communication over the HA link. It's then deleted.

  6. QuickHA selects a dedicated HA link automatically. You can also select an interface manually.

    By default, QuickHA selects the first unbound interface. If this isn't available, it uses the first DMZ port. This interface is renamed QuickHA mode interface and is assigned an IPv4 address from the link local range,


    If QuickHA selects a DMZ port that's already in use, its current configuration will be overwritten.

  7. Click Initiate HA.

  8. Sign in to the web admin console of the auxiliary Sophos Firewall from PortA, and go to Network > Interfaces. Make sure the IP address of PortA is in the same subnet as PortA of the primary Sophos Firewall device.


    In this example, we'll configure PortA as the peer administration port. So, PortA of the auxiliary device must be in the same subnet as PortA of the primary device. QuickHA won't work if it isn't, and the following error appears in /log/syslog.log on the primary device.

    Validation Failed For Ha interface IP.

    For example, if PortA of the primary node is, then PortA of the auxiliary node can be However, it can't be

  9. Go to, System services > High availability.

  10. Select Auxiliary as the device role.


    QuickHA assigns the peer administration port based on the interface you're currently using to access the web admin console of the auxiliary Sophos Firewall web admin console. For example, if you're connected to PortA, this interface becomes the peer administration port on both Sophos Firewall devices.

  11. Select QuickHA and enter the same passphrase used on the primary Sophos Firewall device.

  12. Click Initiate HA. You see a message about the configuration being overwritten. This is because the configuration will be synchronized from the primary Sophos Firewall device.