Configure active-passive HA using QuickHA
How to use QuickHA to configure an active-passive HA cluster.
To configure active-passive QuickHA, do as follows:
You must make sure that both appliances have different IP addresses initializing the QuickHA mode. For example, you can't have both devices using the default 172.16.16.16 address.
- Connect the Sophos Firewall devices using a network cable plugged into the dedicated HA port on both units.
- Sign in to the web admin console of the primary Sophos Firewall device and go to System services > High availability.
- Select Primary (Active-Passive) as the Initial device role
- Ensure QuickHA is selected. You’ll see default settings (which you can change), as described in the steps that follow.
QuickHA generates a passphrase automatically. You can also change the passphrase manually.
The passphrase is used only once to generate the SSH keys used to encrypt communication over the HA link. It's then deleted.
QuickHA selects a dedicated HA link automatically. You can also select an interface manually.
By default, QuickHA selects the first unbound interface. If this isn't available, it uses the first DMZ port. This interface is renamed QuickHA mode interface and is assigned an IPv4 address from the link local range,
If QuickHA selects a DMZ port that’s already in use, its current configuration will be overwritten.
Click Initiate HA.
Sign in to the web admin console of the auxiliary Sophos Firewall from PortA, and go to Network > Interfaces. Make sure the IP address of PortA is in same subnet as PortA of primary Sophos Firewall.
In this example, we will configure PortA as the peer administration port. So, PortA of the auxiliary node must be in same subnet as PortA of the primary node. If it isn't, QuickHA won't work, and the following error appears in /log/syslog.log on the primary node.
Validation Failed For Ha interface IP.
For example, if PortA of the primary node is 192.168.3.254/24, then PortA of the auxiliary node can be 192.168.3.253/24. However, it cannot be
Go to, System services > High availability.
Select Auxiliary as the device role.
QuickHA assigns the peer administration port based on the interface you are currently using to access the web admin console of the auxiliary Sophos Firewall web admin console. For example, if you're connected to PortA, this interface becomes the peer administration port on both Sophos Firewall devices.
Select QuickHA and enter the same passphrase used on the primary Sophos Firewall device.
- Click Initiate HA. You see a message about the configuration being overwritten. This is because the configuration will be synchronized from the primary Sophos Firewall device.