HA architecture and design

Read about how the firewall assigns virtual MAC addresses and how packets flow through an HA cluster.

Virtual MAC design

The HA cluster uses a virtual MAC address, which is always owned by the current primary device. The virtual MAC address isn't the same as the physical MAC address of any interface in the cluster.

The primary device uses the virtual MAC address to respond to ARP requests made to the cluster. The auxiliary device never responds to ARP requests. The auxiliary device uses its own physical MAC address.

All clients connecting to the cluster use the virtual MAC address. There's one virtual MAC address for each interface, except the dedicated HA link.

The virtual MAC address is calculated based on the cluster ID that you assign. Therefore, you must use a unique ID for each HA cluster.

Here's an example of how the virtual MAC address is assigned to the primary device, and how it responds to an ARP request.

Diagram showing virtual MAC address and response to an ARP packet.

Packet flow

Traffic is always sent to the primary device because only the primary responds to ARP requests, and it does so with the virtual MAC address. The primary device forwards the packet to the destination. When the primary device receives the reply from the destination, it forwards the reply back to the source.

Here's an example of the packet flow when the primary device processes a packet. This could be either:

  • Active-passive, where the primary is processing all the traffic.
  • Active-active, where the primary is processing a packet.

Primary device packet flow.

Note

The IP addresses shown in the image are examples only. The IP addresses of your network may be different.
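The following is an added example that models the two behaviours described on this page (the virtual MAC owned by the primary on every interface except the HA link, with the auxiliary staying silent on ARP, and the primary's forward-and-return packet path). It is not Sophos code. The page does not state how the virtual MAC is derived from the cluster ID, so the byte layout in `virtual_mac()` is an assumption made for the example, and all device names, MACs and IP addresses are constructed sample values. The `vmac_conflicts()` check shows why the cluster ID must be unique: two clusters that share an ID on the same segment would claim the same virtual MAC.

```python
"""Added example: a small model of HA virtual-MAC ownership, primary-only ARP
replies and the primary's request/reply packet path. Not vendor code."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HA_LINK = "ha_link"  # the dedicated HA link carries no virtual MAC


def virtual_mac(cluster_id: int, iface_index: int) -> str:
    """Derive a per-interface virtual MAC from the cluster ID.

    ASSUMPTION: the page says only that the virtual MAC is calculated from the
    cluster ID; this layout is constructed for the example. The first octet
    sets the locally-administered bit (0x02) so the address can never equal a
    vendor-assigned physical MAC.
    """
    if not (0 <= cluster_id <= 255 and 0 <= iface_index <= 255):
        raise ValueError("cluster_id and iface_index must each fit in one byte")
    octets = (0x02, 0x00, 0x00, 0x00, cluster_id, iface_index)
    return ":".join(f"{o:02x}" for o in octets)


@dataclass
class HADevice:
    name: str
    role: str                        # "primary" or "auxiliary"
    physical_macs: Dict[str, str]    # iface -> physical MAC (constructed)
    cluster_id: int
    iface_index: Dict[str, int]      # iface -> index used in the virtual MAC

    def mac_for(self, iface: str) -> str:
        """Primary owns the virtual MAC on every interface except HA_LINK;
        the auxiliary always answers with its own physical MAC."""
        if self.role == "primary" and iface != HA_LINK:
            return virtual_mac(self.cluster_id, self.iface_index[iface])
        return self.physical_macs[iface]

    def handle_arp_request(self, iface: str, target_ip: str,
                           cluster_ip: str) -> Optional[dict]:
        """Only the primary replies, and only for the cluster's own address."""
        if self.role != "primary" or target_ip != cluster_ip:
            return None
        return {"op": "reply", "ip": cluster_ip, "mac": self.mac_for(iface)}


@dataclass
class HACluster:
    cluster_id: int
    cluster_ips: Dict[str, str]      # iface -> cluster IP (constructed)
    devices: List[HADevice]

    def primary(self) -> HADevice:
        return next(d for d in self.devices if d.role == "primary")

    def resolve(self, iface: str, target_ip: str) -> Optional[dict]:
        """Broadcast an ARP request on `iface` and collect the replies.
        Exactly one device (the primary) is expected to answer."""
        replies = []
        for dev in self.devices:
            reply = dev.handle_arp_request(iface, target_ip, self.cluster_ips[iface])
            if reply is not None:
                replies.append(reply)
        if len(replies) > 1:
            raise RuntimeError("more than one device answered ARP: split-brain?")
        return replies[0] if replies else None

    def failover(self) -> None:
        """Swap roles: the virtual MAC follows the primary role, physical MACs do not."""
        for dev in self.devices:
            dev.role = "auxiliary" if dev.role == "primary" else "primary"


def packet_flow(cluster: HACluster, in_iface: str, src_ip: str, dst_ip: str) -> List[str]:
    """Trace one request/reply pair: the source ARPs for the cluster address,
    the primary forwards the packet, and the reply returns via the primary."""
    primary = cluster.primary()
    arp = cluster.resolve(in_iface, cluster.cluster_ips[in_iface])
    return [
        f"{src_ip} -> {arp['mac']} ({primary.name}): request for {dst_ip}",
        f"{primary.name} -> {dst_ip}: request forwarded",
        f"{dst_ip} -> {primary.name}: reply",
        f"{primary.name} -> {src_ip}: reply forwarded",
    ]


def vmac_conflicts(clusters: List[HACluster], iface: str) -> Dict[str, List[int]]:
    """Virtual MACs claimed by more than one cluster on a shared segment,
    which is what a reused cluster ID produces."""
    seen: Dict[str, List[int]] = {}
    for c in clusters:
        mac = virtual_mac(c.cluster_id, c.primary().iface_index[iface])
        seen.setdefault(mac, []).append(c.cluster_id)
    return {mac: ids for mac, ids in seen.items() if len(ids) > 1}


def build_sample_cluster(cluster_id: int = 1) -> HACluster:
    """Two-node cluster with constructed sample addresses."""
    idx = {"lan": 0, "wan": 1, HA_LINK: 2}
    fw_a = HADevice("fw-a", "primary",
                    {"lan": "00:11:22:33:44:01", "wan": "00:11:22:33:44:02",
                     HA_LINK: "00:11:22:33:44:03"}, cluster_id, idx)
    fw_b = HADevice("fw-b", "auxiliary",
                    {"lan": "00:11:22:33:55:01", "wan": "00:11:22:33:55:02",
                     HA_LINK: "00:11:22:33:55:03"}, cluster_id, idx)
    return HACluster(cluster_id, {"lan": "10.0.0.1", "wan": "203.0.113.1"}, [fw_a, fw_b])


if __name__ == "__main__":
    cluster = build_sample_cluster()
    print("ARP reply for 10.0.0.1:", cluster.resolve("lan", "10.0.0.1"))
    for hop in packet_flow(cluster, "lan", "10.0.0.50", "198.51.100.7"):
        print(hop)
    cluster.failover()
    print("after failover, primary is", cluster.primary().name,
          "answering with", cluster.resolve("lan", "10.0.0.1")["mac"])
```

Running the module prints the ARP reply (carrying the virtual MAC, not fw-a's physical MAC), the four hops of a request/reply pair, and then shows that after a failover the same virtual MAC is answered by fw-b; clients keep their ARP cache entry and nothing on the segment needs to relearn the address.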