Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=c_202011231028280548

Manage HA

Actions you can perform to manage your HA cluster effectively.

Manually synchronize HA devices

The auxiliary device synchronizes automatically with the primary device. You can manually synchronize it with the primary device when needed.

You can start manual synchronization from either device. If you synchronize from the primary device, the primary device pushes the updates. If you synchronize from the auxiliary device, the auxiliary device pulls the updates from the primary device.

To manually synchronize the HA cluster, click Sync auxiliary device.

Here's an example:

Button to sync auxiliary device.

Points to remember:

  • The auxiliary device restarts, synchronizes its configuration, and remains the auxiliary device.
  • With manual synchronization, you receive all the data and configuration updates except reports from the primary device.
  • If you manually synchronize any of the HA cluster devices, the firewall drops all the masqueraded connections.

Turn off HA

You can turn off HA from either device.

To turn off HA, click Disable HA.

Here's an example:

Button to disable HA.

When you turn off HA from the primary device, it's turned off on both devices.

When you turn off HA from the auxiliary device, it factory resets, and HA isn't turned off on the primary device. The primary device becomes a standalone device.

Points to remember when disabling HA:

  • The primary device IP schema doesn't change.
  • Except for the dedicated HA link and peer administration ports, all ports are turned off for the auxiliary device. The IP schema for these two ports doesn't change.
  • If you turn off HA from a standalone device, the IP schema doesn't change.
  • You must have administrator privileges to access the auxiliary device's web admin console. When you access the web admin console, the live users, DHCP leases, and IPsec live connections pages aren't shown.

Switch a device to active or passive

If you've configured active-passive mode, you can force the auxiliary device to take over as the primary device by clicking Switch to passive device (from the current primary) or Switch to active (from the auxiliary device).

Here's an example of how to switch the passive Sophos Firewall to active:

Button to switch to active device.