Backup-restore in HA
Restore backups with HA to an HA cluster.
If you restore a backup with HA to a non-HA device, the HA configuration isn't restored. The rest of the configuration is restored.
Requirements
The dedicated HA link interface has some backup-restore requirements. See Backup and restore.
Restore backups to current primary
You must restore backups to the current primary device in both active-passive and active-active HA.
Restoring a backup to an HA cluster deregisters both firewalls from Sophos Central. You must register the firewalls to Sophos Central again. See Register Sophos Firewall in Sophos Central.
If the primary firewall is configured as a gateway for Sophos ZTNA, you must again add it as a gateway in Sophos ZTNA. See Set up a Sophos Cloud gateway.
Note
You can't restore backups to the auxiliary device. After the backup is restored to the primary device, it synchronizes the auxiliary device with the new configuration.
Warning
After a backup is restored to the primary device, the device restarts without failover. So, restoring a backup involves downtime in both active-passive and active-active HA.
When backups don't have HA
If a backup doesn't have HA configuration and is restored to the current primary device in an HA cluster, the following events take place:
- HA is disabled. You must configure HA again.
-
Deregisters both firewalls from Sophos Central. You must register the firewalls to Sophos Central again. See Register Sophos Firewall in Sophos Central.
If the primary firewall is configured as a gateway for Sophos ZTNA, you must add it as a gateway in Sophos ZTNA again. See Set up a Sophos Cloud gateway.
-
Backup is restored to the primary device.
- The auxiliary device retains the previous configuration. Backup isn't restored to it. To access the auxiliary device's web admin console, use the previous administration IP address and credentials.
Summary
Backup | Cluster | Primary device | Auxiliary device |
---|---|---|---|
Backup has HA. Restored to current primary device. | HA remains intact. | Restores backup. Deregisters the firewall from Sophos Central. Device restarts. | Restores backup. Deregisters the firewall from Sophos Central. Device restarts. |
Backup doesn't have HA. Restored to HA device. | Disables HA. | Restores backup. Deregisters the firewall from Sophos Central. | Removed from HA. It's reset to factory settings, but retains the peer administration port and dedicated HA link configurations. Access the web admin console using the previous admin IP address and credentials. Deregisters the firewall from Sophos Central. |
Backup has HA. Restored to non-HA device. | Doesn't restore HA. | Restores rest of the configuration to the firewall, including Sophos Central registration. Primary and auxiliary roles don't exist. | Doesn't apply. |