
HA prerequisites

You can establish an HA link pair with one of the following methods:

  • Directly, using a crossover cable.
  • Indirectly, through a dedicated Ethernet network. The HA management traffic must be on an isolated network, for example, a dedicated VLAN over an Ethernet network.

Note

Use a network medium that can forward non-routable multicast packets.

Restriction

For 1U XGS series firewalls, HA isn't automatically established when using a FleXi Port as the dedicated HA port. For more information, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.

Prerequisites

  • Cables to all the monitored ports on both devices must be connected.
  • The devices in the HA cluster must be the same model and revision.
  • The devices must be registered.
  • The devices must have the same number of interfaces.
  • The devices must have the same firmware version installed (including maintenance releases and hotfixes).
  • For an active-active configuration, one license for each device is required.
  • For an active-passive configuration, one license is required for the primary device. No license is needed for the auxiliary device.
  • The devices must have the same subscription modules turned on.
  • On both devices, the dedicated HA link port must be a member of the same zone, the zone must be of type DMZ, and each port must have a unique IP address.
  • Access over SSH on the DMZ zone must be turned on for both Sophos Firewall devices.
  • DHCP and PPPoE configuration must be disabled before attempting HA configuration.
  • HA link latency increases with distance. We recommend that you turn off spanning tree protocol (STP) on the dedicated HA link.
  • For the switch ports Sophos Firewall connects to, turn on portfast. Turn off the spanning tree protocols STP and RSTP.
  • The firewall doesn't support the following configurations and models:

    • VLAN on the management interface
    • LAG on the management interface
    • Wireless (w) models
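The checklist above is easy to get partly wrong on a real pair (a hotfix applied on one node only, SSH allowed on the DMZ zone of one node only). The following pre-flight script is an added example, not Sophos code: it encodes the prerequisites as checks over two device descriptions and reports every violation before you attempt to form the cluster. The `Device` fields, the sample values, and the assumption that wireless models end in "w" are constructed for illustration; in practice you would fill the fields from each firewall's system and interface information.

```python
"""Pre-flight check for Sophos Firewall HA prerequisites (added example, not Sophos code).

The Device fields and the sample values below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List


@dataclass(frozen=True)
class Device:
    name: str
    model: str
    revision: str
    registered: bool
    firmware: str              # full version, including maintenance release / hotfix level
    interface_count: int
    licensed: bool
    subscriptions: FrozenSet[str]
    ha_port: str               # dedicated HA link port
    ha_port_zone: str
    ha_port_zone_type: str     # must be "DMZ"
    ha_port_ip: str
    ssh_zones: FrozenSet[str]  # zones on which SSH admin access is allowed
    dhcp_enabled: bool
    pppoe_enabled: bool
    mgmt_vlan: bool            # VLAN configured on the management interface
    mgmt_lag: bool             # LAG configured on the management interface


def ha_prerequisite_failures(primary: Device, auxiliary: Device, mode: str) -> List[str]:
    """Return every unmet prerequisite as a readable string; an empty list means the pair is ready."""
    if mode not in ("active-active", "active-passive"):
        raise ValueError("mode must be 'active-active' or 'active-passive'")
    failures: List[str] = []
    pair = (primary, auxiliary)

    # Both devices must match on model, revision, firmware, interface count and subscriptions.
    for attr in ("model", "revision", "firmware", "interface_count", "subscriptions"):
        a, b = getattr(primary, attr), getattr(auxiliary, attr)
        if a != b:
            failures.append(f"{attr} differs: {a!r} vs {b!r}")

    # Licensing depends on the HA mode.
    if mode == "active-active":
        for d in pair:
            if not d.licensed:
                failures.append(f"{d.name}: active-active requires a license on each device")
    elif not primary.licensed:
        failures.append(f"{primary.name}: active-passive requires a license on the primary device")

    # Per-device checks.
    for d in pair:
        if not d.registered:
            failures.append(f"{d.name}: device is not registered")
        if d.ha_port_zone_type != "DMZ":
            failures.append(f"{d.name}: HA port {d.ha_port} is in zone type {d.ha_port_zone_type}, not DMZ")
        if d.ha_port_zone not in d.ssh_zones:
            failures.append(f"{d.name}: SSH is not enabled on zone {d.ha_port_zone}")
        if d.dhcp_enabled or d.pppoe_enabled:
            failures.append(f"{d.name}: disable DHCP and PPPoE before configuring HA")
        if d.mgmt_vlan:
            failures.append(f"{d.name}: VLAN on the management interface is not supported")
        if d.mgmt_lag:
            failures.append(f"{d.name}: LAG on the management interface is not supported")
        # Assumption: wireless models are identified by a trailing 'w' in the model name.
        if d.model.lower().endswith("w"):
            failures.append(f"{d.name}: wireless (w) models are not supported")

    # Pair-level HA link checks: same zone on both devices, distinct IP addresses.
    if primary.ha_port_zone != auxiliary.ha_port_zone:
        failures.append("HA link ports are not members of the same zone")
    if primary.ha_port_ip == auxiliary.ha_port_ip:
        failures.append(f"HA link ports share the IP address {primary.ha_port_ip}")
    return failures


# Constructed sample pair: the auxiliary lags one maintenance release and lacks SSH on the HA zone.
PRIMARY = Device(
    name="fw-a", model="XGS 2100", revision="1", registered=True,
    firmware="20.0.1 MR-1", interface_count=8, licensed=True,
    subscriptions=frozenset({"Network Protection", "Web Protection"}),
    ha_port="Port8", ha_port_zone="HA-DMZ", ha_port_zone_type="DMZ",
    ha_port_ip="10.255.0.1", ssh_zones=frozenset({"LAN", "HA-DMZ"}),
    dhcp_enabled=False, pppoe_enabled=False, mgmt_vlan=False, mgmt_lag=False,
)
AUXILIARY = replace(
    PRIMARY, name="fw-b", firmware="20.0.0 GA", licensed=False,
    ha_port_ip="10.255.0.2", ssh_zones=frozenset({"LAN"}),
)
# The same auxiliary after the two mismatches have been corrected.
REPAIRED_AUXILIARY = replace(AUXILIARY, firmware=PRIMARY.firmware, ssh_zones=PRIMARY.ssh_zones)


def sample_check(mode: str = "active-passive") -> List[str]:
    """Run the check over the constructed sample pair."""
    return ha_prerequisite_failures(PRIMARY, AUXILIARY, mode)


if __name__ == "__main__":
    for line in sample_check() or ["HA prerequisites satisfied"]:
        print(line)
```

Run it before cabling the HA link; every printed line is one item from the list above that the pair does not yet satisfy, and a corrected auxiliary (`REPAIRED_AUXILIARY`) produces no output for active-passive but still reports the missing auxiliary license for active-active.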