Configure active-active HA using interactive mode

To configure HA in interactive mode, you must first configure it on the auxiliary device.

See HA requirements.

Configure HA on the auxiliary device

  1. Sign in to the web admin console of the auxiliary device.
  2. Go to System services > High availability.
  3. Set Initial device role to Auxiliary.
  4. Set HA configuration mode to Interactive mode.
  5. (Optional) Change the node name.

    The node name helps you easily identify the device.

  6. The firewall automatically generates a passphrase. You can change it if you want.

    Note

    The devices in the cluster must have the same passphrase. It's used only once to generate the SSH keys used to encrypt communication over the dedicated HA links. It's then deleted.

  7. The firewall selects a dedicated HA link automatically in interactive mode. You can change this if you want.

    A dedicated HA link synchronizes data and heartbeat information between the HA devices.

    You can select physical, LAG, or VLAN interfaces in the DMZ. If you want link redundancy, in interactive mode, you must first configure a LAG interface on Networks > Interfaces and select it here.

    Note

    You must select the same dedicated HA link port on the peer device. For example, if you choose port E on the primary device, you must also choose port E on the auxiliary device.

    Note

    The IP address of the HA link for the peer device must be on the same subnet.

  8. Click Save.

Configure HA on the primary device

  1. Sign in to the web admin console of the primary device.
  2. Go to System services > High availability.
  3. Set Initial device role to Primary (active-active).
  4. Set HA configuration mode to Interactive mode.
  5. (Optional) Enter a Cluster ID.

    The firewall automatically assigns this ID to both devices in the cluster.

    If you have multiple HA clusters in the same subnet, assign a different ID to each cluster to prevent virtual MAC address (VMAC) conflicts. See HA architecture and design.

  6. (Optional) Change the node name.

  7. The firewall automatically generates a passphrase. If you've changed it on the auxiliary device, paste it here.

    Note

    The devices in the cluster must have the same passphrase.

  8. The firewall selects a dedicated HA link automatically in interactive mode. You can change this if you want.

    Note

    Select the same dedicated HA link port you selected on the auxiliary device. For example, if you choose port E on the auxiliary device, you must choose port E here.

    Note

    Make sure the IP address of the dedicated HA link is on the same subnet as the one on the auxiliary device.

  9. (Optional) Select ports to be monitored: You can select physical or LAG interfaces to monitor the HA status. You can also select unbound interfaces if you've configured a VLAN on them.

    If a monitored port goes down, the device is considered unavailable, and failover occurs.

  10. Enter the following Peer administration settings to access the web admin console of the auxiliary device:

    1. Interface
    2. IPv4 address or IPv6 address
  11. For Preferred primary device, select one of the HA devices.

    This device automatically becomes the primary device when it recovers after a failover. See Failing back to the primary device.

  12. Enter the Keepalive request interval in milliseconds.

    The device sends a heartbeat over the dedicated link port to the peer device at these intervals. Heartbeats are used to determine if the peer device is available.

    Default: 250.

  13. Enter the number of Keepalive attempts.

    Default: 16.

    For example, if you configure the keepalive request interval as 250 ms and keepalive attempts as eight, the device is declared dead after 250 ms * 8 = 2000 ms (2 seconds).

    Note

    You can't set the keepalive interval and keepalive attempts for devices in Standalone and Faulty modes.

  14. Use host or hypervisor-assigned MAC address: Select the checkbox if you want to use the following:

    • Host: Uses the physical MAC address if you're using hardware appliances for HA.
    • Hypervisor-assigned address: Uses the MAC address assigned by the hypervisor for virtual appliances. You won't need to turn on promiscuous mode on the vSwitch.

      We recommend that you select this option for virtual appliances.

  15. Click Initiate HA.

    The primary device pushes its configuration to the auxiliary device.
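
The notes in both procedures (same passphrase, same dedicated HA link port, HA link addresses on the same subnet, a distinct cluster ID per cluster in a subnet) and the keepalive timing can be checked on paper before you click Initiate HA. The following is an added example, not Sophos code and not a firewall API: the field names, node names, addresses with prefix length, and passphrase are constructed assumptions.

```python
import ipaddress

# Constructed sample plan; field names and values are illustrative assumptions.
PRIMARY = {"node": "fw-a", "ha_port": "E", "ha_ip": "10.10.10.1/24",
           "passphrase": "constructed-passphrase", "cluster_id": 1}
AUXILIARY = {"node": "fw-b", "ha_port": "E", "ha_ip": "10.10.10.2/24",
             "passphrase": "constructed-passphrase"}

def failure_detection_ms(interval_ms=250, attempts=16):
    """Time until the peer is declared dead (defaults are the page's defaults)."""
    return interval_ms * attempts

def preflight(primary, auxiliary, cluster_ids_in_subnet=()):
    """Return the list of problems in a planned HA pair; empty means consistent."""
    problems = []
    # Both devices must be given the same passphrase.
    if primary["passphrase"] != auxiliary["passphrase"]:
        problems.append("passphrase differs between devices")
    # The same dedicated HA link port must be selected on both devices.
    if primary["ha_port"] != auxiliary["ha_port"]:
        problems.append("dedicated HA link port differs")
    # The HA link addresses must share a subnet (and cannot be the same host).
    p = ipaddress.ip_interface(primary["ha_ip"])
    a = ipaddress.ip_interface(auxiliary["ha_ip"])
    if p.network != a.network:
        problems.append("HA link IPs are on different subnets")
    elif p.ip == a.ip:
        problems.append("HA link IPs are identical")
    # Clusters sharing a subnet need different IDs to avoid VMAC conflicts.
    if primary.get("cluster_id") in cluster_ids_in_subnet:
        problems.append("cluster ID already used in this subnet (VMAC conflict)")
    return problems

if __name__ == "__main__":
    for issue in preflight(PRIMARY, AUXILIARY) or ["plan is consistent"]:
        print(issue)
    print("peer declared dead after", failure_detection_ms(), "ms")
```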