HA requirements
You must meet the following requirements before you configure HA.
Devices and firmware
- Devices in the HA cluster (primary and auxiliary) must be the same model and revision. For example, an XG 210 rev3 can only connect to another XG 210 rev3. An XG 230 or even an SG 210 can't be used.
- All devices must have the same number of ports or interfaces. This includes when any FleXi port expansion modules are installed.
- The devices must have the same firmware version installed. This includes maintenance releases.
- For standalone firewalls already managed from Sophos Central, we recommend that you deregister them, configure HA, and reregister them for Sophos Central management. This will allow you to move the HA pair to a different group in Sophos Central if you want. See Manage an HA pair in Sophos Central.
Note
Wireless models don't support high availability.
Networking and access policy
- You must connect the cables to all the monitored ports on both devices.
- The dedicated HA link port must be a member of a zone with the type DMZ and have a unique IP address on both devices.
- You must turn on SSH on the DMZ zone for both devices.
- Ensure that the IP address of the HA link port of the primary and auxiliary devices is in the same subnet.
- Before you configure HA, you must turn off DHCP and PPPoE on the HA interface.
- If you connect the HA devices to an Ethernet switch that uses Spanning Tree Protocol (STP), you may need to adjust the link activation time on the switch ports connected to the Sophos Firewall interfaces. For example, on a Cisco Catalyst-series switch, you must turn on spanning tree port-fast for each port connecting to a Sophos Firewall interface; that is, turn on port-fast and turn off both STP and RSTP on those switch ports.
- The dedicated HA link must use the default link speed and MTU-MSS.
- HA link latency increases with distance. We recommend that you turn off Spanning Tree Protocol (STP) on the dedicated HA link.
- The HA interface must be active, the network cable must be connected to both devices, and the auxiliary device must be reachable to establish HA. You'll see the error message "HA could not be enabled" if one or more of these conditions isn't met.
Restriction
1U XGS series firewalls don't automatically establish HA when using a FleXi port as the dedicated HA port. To solve this issue, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.
Licensing
- You must configure the firewall that carries the license subscription as the primary node during the initial HA setup.
- You must register the devices.
- In active-active mode, both devices require a license. Zero-day protection doesn't affect the HA setup regardless of the expiry date in each device.
- If a software or virtual device is used, you need to purchase only one base license. When you register the serial number of the primary device, SFOS creates the auxiliary device. You don't need to purchase a separate base firewall license or a separate serial number for the auxiliary device. In this case, you add the device to HA when you use the setup assistant.
For more information, see High availability licensing.
Unsupported configurations
The following configurations aren't supported on an HA cluster:
- DHCP and PPPoE: When interfaces are dynamically configured using DHCP or PPPoE, only HA in active-passive mode is supported. HA in active-active mode isn't supported. Cellular WAN configuration isn't supported in any HA mode.
- Alias IP addresses or VLANs on the dedicated HA port.
- Overriding the MAC address on the dedicated HA port.
- Dynamic IP addresses on any interface in active-active mode.
- Session failover with dynamic interfaces in active-passive mode.
- LAG (LACP or LLDP) on the dedicated HA interface.
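As an added preflight check, not part of the Sophos documentation or product, the following Python script validates two hand-written device descriptors against the requirements listed above (devices and firmware, networking, licensing) and the unsupported configurations just listed. The `Device` fields, the device names, the firmware strings and the HA link addresses are constructed assumptions; Sophos Firewall does not export such a descriptor, so you would populate it from your own inventory before running it.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class Device:
    """Hand-written description of one cluster member (assumed fields, not a Sophos API)."""
    name: str
    model: str                 # model plus hardware revision, e.g. "XG 210 rev3"
    firmware: str              # full version string, maintenance release included
    port_count: int            # physical ports including any FleXi expansion modules
    ha_link_ip: str            # dedicated HA link port address in CIDR form
    ha_link_zone: str = "DMZ"  # zone type of the HA link port
    ssh_on_dmz: bool = True    # SSH enabled on the DMZ zone
    ha_link_dhcp: bool = False
    ha_link_pppoe: bool = False
    ha_link_alias_or_vlan: bool = False
    ha_link_mac_override: bool = False
    ha_link_lag: bool = False  # LAG (LACP or LLDP) on the HA interface
    cellular_wan: bool = False
    registered: bool = True
    licensed: bool = True
    dynamic_interfaces: list[str] = field(default_factory=list)  # DHCP/PPPoE interfaces


def check_pair(primary: Device, auxiliary: Device, mode: str,
               session_failover: bool = False) -> list[str]:
    """Return the list of requirement violations; an empty list means the pair passes."""
    problems: list[str] = []
    pair = (primary, auxiliary)

    # Devices and firmware: identical model/revision, port count and firmware.
    if primary.model != auxiliary.model:
        problems.append(f"model mismatch: {primary.model} vs {auxiliary.model}")
    if primary.port_count != auxiliary.port_count:
        problems.append("port count mismatch (check FleXi port modules)")
    if primary.firmware != auxiliary.firmware:
        problems.append(f"firmware mismatch: {primary.firmware} vs {auxiliary.firmware}")

    # Networking and unsupported configurations, checked per device.
    for d in pair:
        if d.ha_link_zone != "DMZ":
            problems.append(f"{d.name}: HA link port is not in a DMZ-type zone")
        if not d.ssh_on_dmz:
            problems.append(f"{d.name}: SSH is not turned on for the DMZ zone")
        if d.ha_link_dhcp or d.ha_link_pppoe:
            problems.append(f"{d.name}: DHCP/PPPoE must be off on the HA interface")
        if d.ha_link_alias_or_vlan:
            problems.append(f"{d.name}: alias IP or VLAN on the dedicated HA port")
        if d.ha_link_mac_override:
            problems.append(f"{d.name}: MAC address override on the dedicated HA port")
        if d.ha_link_lag:
            problems.append(f"{d.name}: LAG on the dedicated HA interface")
        if d.cellular_wan:
            problems.append(f"{d.name}: cellular WAN is not supported in any HA mode")
        if not d.registered:
            problems.append(f"{d.name}: device is not registered")

    # HA link addresses: same subnet, but unique on each device.
    p_if = ipaddress.ip_interface(primary.ha_link_ip)
    a_if = ipaddress.ip_interface(auxiliary.ha_link_ip)
    if p_if.network != a_if.network:
        problems.append(f"HA link IPs not in the same subnet: {p_if.network} vs {a_if.network}")
    elif p_if.ip == a_if.ip:
        problems.append("HA link IP addresses must be unique on each device")

    # Mode-dependent rules for dynamic interfaces, licensing and session failover.
    dynamic = sorted(set(primary.dynamic_interfaces + auxiliary.dynamic_interfaces))
    if mode == "active-active":
        for d in pair:
            if not d.licensed:
                problems.append(f"{d.name}: active-active requires a license on both devices")
        if dynamic:
            problems.append(f"dynamic interfaces are not allowed in active-active: {dynamic}")
    elif mode == "active-passive":
        if dynamic and session_failover:
            problems.append("session failover is unsupported with dynamic interfaces in active-passive")
    else:
        problems.append(f"unknown HA mode: {mode}")
    return problems


# Constructed sample inventory (not real devices or real version strings).
PRIMARY = Device("fw-a", "XG 210 rev3", "20.0.0 MR-1", 10, "10.99.99.1/24")
AUXILIARY = Device("fw-b", "XG 210 rev3", "20.0.0 MR-1", 10, "10.99.99.2/24")

if __name__ == "__main__":
    for ha_mode in ("active-passive", "active-active"):
        issues = check_pair(PRIMARY, AUXILIARY, ha_mode)
        print(ha_mode, "OK" if not issues else issues)
```

Run it before clicking through the HA wizard: every violation it reports maps to one line of this page, which is faster than interpreting a generic "HA could not be enabled" message after the fact. Using `dataclasses.replace` on the sample devices is a convenient way to try out a single deviation, such as a firmware mismatch or a DHCP-configured WAN port in active-active mode.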