
Reimage and reconfigure HA devices in active-passive mode

You can reimage high availability (HA) devices and reconfigure HA in active-passive mode. The steps here only apply to HA active-passive mode and not to HA active-active mode.

Warning

An outage occurs when you reimage and replace HA devices and reconfigure HA. Plan your downtime accordingly.

Scenario

  • Firewall 1 is the current primary device and the initial primary device with a purchased license subscription.
  • Firewall 2 is the current auxiliary device.

Requirements

The requirements are as follows:

  • Check the firmware version and build of both firewalls. To do this, do as follows:

    1. Sign in to the CLI console. See Accessing Command Line Console.
    2. Type 4 to select Device Console.
    3. Run system diagnostics show version-info and check the firmware version and build of both firewalls.


  • Download the latest firmware. See Download firmware.

    Tip

    We recommend using the latest firmware. If you prefer to stay on your current firmware and it isn't available for download, contact Sophos Support to request the firmware version and build. See Sophos Support.

  • Check which firewall is the initial primary device. To do this, do as follows:

    1. Sign in to the web admin console.
    2. Go to System services > High availability and check which firewall is the initial primary device.


Configuration

You can reimage the auxiliary, primary, or both devices, then reconfigure HA.

You want to reimage the auxiliary device and reconfigure HA in active-passive mode.

Configure firewall 1

On firewall 1, do as follows:

  1. If firewall 1 is registered to Sophos Central, go to Sophos Central and click Deregister.
  2. Sign in to your Sophos Central account. Go to My Products > Firewall Management and click Firewalls. Make sure that firewall 1 is no longer listed.
  3. Go to Backup & firmware, download the configuration backup, and save it to your computer. See Backup and restore.
  4. Go to System services > High availability and click Disable HA. If firewall 2 is connected to firewall 1, firewall 2 reboots with factory default settings, except for the admin password and peer administration IP address.

    Note

    Don't turn off HA via firewall 2.

  5. Check that the msync service shows as UNTOUCHED or STOPPED. To do this, do as follows:

    1. Sign in to the CLI console.
    2. Type 5 to select Device Management, then type 3 to select Advanced Shell.
    3. Run service -S | grep msync.

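The msync check from step 5 as a scripted gate. This is an added example, not part of the original Sophos documentation. It reads the output of service -S | grep msync and succeeds only when msync is UNTOUCHED or STOPPED. The function names and the "name, whitespace, state" line layout are assumptions, and the sample line is constructed.

```shell
#!/bin/sh
# Gate for step 5: continue only when msync is UNTOUCHED or STOPPED.
# Feed it the output of `service -S | grep msync` (or all of `service -S`).
# Assumption: each line is "<service name><whitespace><STATE>".

# Print the state of the service named exactly "msync".
# Exit status 2 if there is no such line, or more than one.
msync_state() {
    awk '$1 == "msync" && NF >= 2 { n++; state = $2 }
         END { if (n == 1) print state; else exit 2 }'
}

# 0 = safe to continue, 1 = msync in another state, 2 = no usable line.
msync_gate() {
    state=$(msync_state) || return 2
    case "$state" in
        UNTOUCHED|STOPPED) return 0 ;;
        *) echo "msync is $state, expected UNTOUCHED or STOPPED" >&2
           return 1 ;;
    esac
}

# Constructed sample line, not captured from a real device.
sample='msync                UNTOUCHED'
if printf '%s\n' "$sample" | msync_gate; then
    echo "msync is idle: continue with firewall 2"
fi
```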

Configure firewall 2

On firewall 2, do as follows:

  1. Reimage firewall 2 to the same firmware version and build as firewall 1. See Reimage Sophos Firewall.
  2. Sign in to firewall 2, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
  3. Claim firewall 2 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.

Configure the firewalls in HA active-passive mode. Make sure that firewall 1 is configured as the primary device and firewall 2 is configured as the auxiliary device. See Configure active-passive HA using interactive mode.

You want to reimage the primary device and reconfigure HA in active-passive mode.

Configure firewall 1

On firewall 1, do as follows:

  1. If firewall 1 is registered to Sophos Central, go to Sophos Central and click Deregister.
  2. Sign in to your Sophos Central account. Go to My Products > Firewall Management and click Firewalls. Make sure that firewall 1 is no longer listed.
  3. Go to Backup & firmware, download the configuration backup, and save it to your computer. See Backup and restore.
  4. Go to System services > High availability and click Switch to passive device. Firewall 2 becomes the primary device.
  5. Reimage firewall 1 to the same firmware version and build as firewall 2. See Reimage Sophos Firewall.
  6. Sign in to firewall 1, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
  7. Claim firewall 1 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.
  8. Disconnect all cables from firewall 1, except the cable connected to your computer.
  9. Restore the configuration backup to firewall 1. See Backup and restore.
  10. Reconnect the cables to firewall 1 and redirect the traffic from firewall 2 to firewall 1.

Configure firewall 2

On firewall 2, do as follows:

  1. Reset firewall 2 to factory default settings. See Reset to factory settings.
  2. Sign in to firewall 2, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
  3. Claim firewall 2 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.

Configure the firewalls in HA active-passive mode. Make sure that firewall 1 is configured as the primary device and firewall 2 is configured as the auxiliary device. See Configure active-passive HA using interactive mode.

You want to reimage and upgrade both HA devices to the latest firmware and reconfigure HA in active-passive mode.

Configure firewall 1

On firewall 1, do as follows:

  1. If firewall 1 is registered to Sophos Central, go to Sophos Central and click Deregister.
  2. Sign in to your Sophos Central account. Go to My Products > Firewall Management and click Firewalls. Make sure that firewall 1 is no longer listed.
  3. On firewall 1, go to Backup & firmware, download the configuration backup, and save it to your computer. See Backup and restore.
  4. Go to System services > High availability and click Switch to passive device. Firewall 2 becomes the primary device.
  5. Reimage firewall 1 to the latest firmware. See Reimage Sophos Firewall.
  6. Sign in to firewall 1, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
  7. Claim firewall 1 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.
  8. Disconnect all cables from firewall 1, except the cable connected to your computer.
  9. Restore the configuration backup to firewall 1. See Backup and restore.
  10. Reconnect the cables to firewall 1 and redirect the traffic from firewall 2 to firewall 1.

Configure firewall 2

  1. Reimage firewall 2 to the same firmware version and build as firewall 1.
  2. Sign in to firewall 2, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
  3. Claim firewall 2 from Sophos Central if you haven't claimed it yet.

Configure the firewalls in HA active-passive mode. Make sure that firewall 1 is configured as the primary device and firewall 2 is configured as the auxiliary device. See Configure active-passive HA using interactive mode.
