HA prerequisites
You can establish an HA link pair with one of the following methods:
- Directly, using a crossover cable.
- Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.
Note
Use a network medium that can forward non-routable multicast packets.
Restriction
For 1U XGS series firewalls, HA isn't automatically established when using a FleXi Port as the dedicated HA port. For more information, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.
Prerequisites
- Cables to all the monitored ports on both devices must be connected.
- The devices in the HA cluster must be the same model and revision.
- The devices must be registered.
- The devices must have the same number of interfaces.
- The devices must have the same firmware version installed (including maintenance releases and hotfixes).
- For an active-active configuration, one license for each device is required.
- For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
- The devices must have the same subscription modules turned on.
- On both devices, the dedicated HA link port must be a member of the same zone with the type DMZ and must have a unique IP address.
- Access over SSH on the DMZ zone must be turned on for both Sophos Firewall devices.
- DHCP and PPPoE configuration must be disabled before attempting HA configuration.
- HA link latency increases with distance. We recommend that you turn off spanning tree protocol (STP) on the dedicated HA link.
- For the switch ports Sophos Firewall connects to, turn on PortFast and turn off the spanning tree protocols STP and RSTP.
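As an added pre-flight check, not part of the Sophos documentation or product, the following Python script compares two constructed inventory records against the prerequisites listed above and reports every one that fails. The Device fields, device names, model and address values are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Inventory record for one firewall (constructed fields, not a Sophos API)."""
    name: str
    model: str
    revision: str
    firmware: str          # full version string, including maintenance release / hotfix
    registered: bool
    interfaces: int
    licensed: bool
    modules: frozenset     # subscription modules that are turned on
    ha_zone: str           # zone the dedicated HA port belongs to
    ha_zone_type: str      # type of that zone; must be "DMZ"
    ha_ip: str             # IP address on the dedicated HA port
    ssh_zones: frozenset   # zones on which SSH admin access is turned on
    dhcp_enabled: bool
    pppoe_enabled: bool


def ha_preflight(primary: Device, auxiliary: Device, mode: str) -> list[str]:
    """Return the list of failed prerequisites; an empty list means the pair is ready for HA."""
    p, a = primary, auxiliary
    fails = []
    # Attributes that must be identical on both devices.
    for attr, label in [("model", "model"), ("revision", "hardware revision"),
                        ("interfaces", "number of interfaces"),
                        ("firmware", "firmware version (incl. MR/hotfix)"),
                        ("modules", "subscription modules")]:
        if getattr(p, attr) != getattr(a, attr):
            fails.append(f"{label} differs: {getattr(p, attr)!r} vs {getattr(a, attr)!r}")
    # Per-device requirements.
    for d in (p, a):
        if not d.registered:
            fails.append(f"{d.name}: device not registered")
        if d.ha_zone_type != "DMZ":
            fails.append(f"{d.name}: HA port zone {d.ha_zone!r} is not of type DMZ")
        if d.ha_zone not in d.ssh_zones:
            fails.append(f"{d.name}: SSH not turned on for zone {d.ha_zone!r}")
        if d.dhcp_enabled or d.pppoe_enabled:
            fails.append(f"{d.name}: DHCP/PPPoE must be turned off before HA setup")
    # Pair-level requirements for the dedicated HA link.
    if p.ha_zone != a.ha_zone:
        fails.append("HA ports are not in the same zone")
    if p.ha_ip == a.ha_ip:
        fails.append(f"HA port IP {p.ha_ip} is not unique across the pair")
    # Licensing depends on the HA mode: active-active needs a license on each
    # device, active-passive only on the primary.
    if mode == "active-active" and not (p.licensed and a.licensed):
        fails.append("active-active requires a license on both devices")
    elif mode == "active-passive" and not p.licensed:
        fails.append("active-passive requires a license on the primary device")
    elif mode not in ("active-active", "active-passive"):
        fails.append(f"unknown HA mode {mode!r}")
    return fails
```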
The firewall doesn't support the following configurations and models:
- VLAN on the management interface
- LAG on the management interface
- Wireless (w) models