You must meet the following requirements before you configure HA.
Devices and firmware
- Devices in the HA cluster (primary and auxiliary) must be the same model and hardware revision. For example, an XG 210 can only connect to another XG 210. An XG 230 or even an SG 210 can't be used.
The hardware revision restrictions only apply for XG series firewalls. You can use XGS series firewalls in an HA cluster when they're the same model but different hardware revisions. For example, you can use XGS desktop R2 and R3 models in HA.
- All devices must have the same number of ports or interfaces. This includes when any FleXi port expansion modules are installed.
- The devices must have the same firmware version installed. This includes maintenance releases and hotfixes.
- For standalone firewalls already managed from Sophos Central, we recommend that you deregister them, configure HA, and reregister them for Sophos Central management. This will allow you to move the HA pair to a different group in Sophos Central if you want. See Manage an HA pair in Sophos Central.
Wireless models don't support high availability.
- You must connect the cables to all the monitored ports on both devices.
- The dedicated HA links must have unique IP addresses on both devices and can be one of the following:
  - DMZ or unbound physical interfaces
  - LAG or VLAN interfaces
You must turn on SSH on the DMZ zone for both devices.
- Ensure that the IP address of the dedicated HA link interface of the primary and auxiliary devices is in the same subnet.
- Before you configure HA, you must turn off DHCP and PPPoE on the HA interface.
- If you connect the HA devices to an Ethernet switch that uses the spanning tree protocol (STP), you may need to adjust the link activation time on the switch ports connected to the Sophos Firewall interfaces. For example, on a Cisco Catalyst-series switch, you must turn on spanning tree PortFast for each port connecting to a Sophos Firewall interface, that is, turn on PortFast and turn off both STP and RSTP on those switch ports.
- The dedicated HA link must use the default link speed and MTU-MSS.
- The HA link latency increases with distance. We recommend you turn off Spanning Tree Protocol (STP) on the dedicated HA link.
- The HA interface must be active, the network cable must be connected to both devices, and the auxiliary device must be reachable to establish HA. You'll see the error message "HA could not be enabled" if one or more of these conditions isn't met.
- If you have breakout interfaces in an HA cluster, see High availability.
1U XGS series firewalls don't automatically establish HA when using a FleXi port as the dedicated HA port. To solve this issue, see 1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link.
- You must configure the firewall that carries the license subscription as the primary node during the initial HA setup.
- You must register the devices.
- In active-active mode, both devices require a license. The Zero-day protection license doesn't affect the HA setup, whatever its expiry date on each device.
- In active-passive mode, you require a license only for the primary device. You don't require a license for the auxiliary device.
- If a software or virtual device is used, you need to purchase only one base license. When you register the serial number of the primary device, SFOS creates the auxiliary device. You don't need to purchase a separate base firewall license or a separate serial number for the auxiliary device. In this case, you add the device to HA when you use the setup assistant.
When configuring physical devices in active-passive mode, you need a license activated on the passive node to configure the network interfaces. You can use the trial license for this. If the trial license has already been used, for example, if the device has been reset, you must contact customer care to obtain a new trial license.
The following configurations aren't supported for HA:
- DHCP and PPPoE: When the interfaces are dynamically configured using DHCP or PPPoE, the following applies:
  - Active-active mode: Not supported.
  - Active-passive mode: Supported, but session failover isn't supported.
- Cellular WAN configuration.
- Alias IP addresses.
- Overriding the MAC address on the dedicated port.
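The following pre-flight checker is an added example, not Sophos code, that turns the device, firmware, licensing, HA-link and unsupported-configuration requirements above into a single check you can run before clicking through the HA setup. The device records are constructed by hand from what the web admin pages show; their field names (`model`, `hw_rev`, `ha_link`, and so on) are assumptions of this example, not an SFOS API.

```python
import ipaddress

DEVICE_FLAGS = (  # (field, required value, message) checked on each device
    ("wireless", False, "wireless models don't support HA"),
    ("ssh_on_dmz", True, "SSH must be turned on for the DMZ zone"),
    ("cellular_wan", False, "cellular WAN isn't supported"),
    ("alias_ips", False, "alias IP addresses aren't supported"),
)
LINK_FLAGS = (  # must all be False on the dedicated HA link
    ("dhcp", "DHCP must be off on the HA interface"),
    ("pppoe", "PPPoE must be off on the HA interface"),
    ("mac_override", "MAC override on the dedicated port isn't supported"),
)

def ha_prereq_failures(primary, auxiliary, mode="active-passive"):
    # Returns the prerequisites the pair violates; an empty list means ready.
    p, a, fails = primary, auxiliary, []
    if p["model"] != a["model"]:
        fails.append("models differ: %s vs %s" % (p["model"], a["model"]))
    elif not p["model"].startswith("XGS") and p["hw_rev"] != a["hw_rev"]:
        fails.append("XG series needs the same hardware revision")  # XGS may mix
    if p["ports"] != a["ports"]:
        fails.append("port count differs (check FleXi port modules)")
    if p["firmware"] != a["firmware"]:  # string includes MR and hotfix level
        fails.append("firmware differs: %s vs %s" % (p["firmware"], a["firmware"]))
    if not p["licensed"]:
        fails.append("the licensed firewall must be the primary node")
    if mode == "active-active" and not a["licensed"]:
        fails.append("active-active needs a license on both devices")
    links = []
    for name, d in (("primary", p), ("auxiliary", a)):
        fails += ["%s: %s" % (name, m) for f, v, m in DEVICE_FLAGS if d[f] != v]
        link = d["ha_link"]
        fails += ["%s: %s" % (name, m) for f, m in LINK_FLAGS if link[f]]
        if link["kind"] == "physical" and link["zone"] not in ("DMZ", None):
            fails.append("%s: physical HA link must be DMZ or unbound" % name)
        links.append(ipaddress.ip_interface(link["ip"]))
    if links[0].ip == links[1].ip:
        fails.append("HA link IP addresses must be unique")
    elif links[0].network != links[1].network:
        fails.append("HA link IP addresses must be in the same subnet")
    return fails

# Constructed sample records (not real SFOS output; the field names are assumed).
def sample_device(ip, **overrides):
    d = dict(model="XG 210", hw_rev="R1", ports=8, firmware="19.5.3 MR-3",
             wireless=False, ssh_on_dmz=True, cellular_wan=False, alias_ips=False,
             licensed=True, ha_link=dict(kind="physical", zone="DMZ", ip=ip,
                                         dhcp=False, pppoe=False, mac_override=False))
    d.update(overrides)
    return d
```

Run it with the two records for your own pair; an empty result means none of the listed prerequisites is violated, while an XG pair with mismatched hardware revisions or HA-link subnets is reported item by item.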