The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Reimage active-passive HA devices

You can reimage high availability (HA) devices and reconfigure active-passive HA.

These steps don't apply to active-active HA.

Warning

An outage occurs when you reimage HA devices. Plan your downtime accordingly.

In this article, the primary device is the Initial primary in the HA configuration. It holds the licenses for the HA cluster.

Requirements

The requirements are as follows:

  1. Backup: Reimaging deletes the configuration. First, take a backup from the available device.
  2. Existing firmware version: Check the firmware version and build of both firewalls. To do this, do as follows:

    1. Sign in to the CLI console. See Accessing Command Line Console.
    2. Enter 4 for Device Console.
    3. Run system diagnostics show version-info and check the firmware version and build of both firewalls.


  3. Firmware: Download the latest firmware. See Download firmware.

    Tip

    We recommend using the latest firmware. If you prefer to stay on your current firmware and it isn't available for download, contact Sophos Support to request the firmware version and build. See Sophos Support.

  4. Initial primary: To identify the initial primary device, sign in to the web admin console of either device and go to System services > High availability.


Reimage the devices

You can reimage the auxiliary, primary, or both HA devices.

To reimage the auxiliary device and reconfigure HA in active-passive mode, do as follows:

Deregister the primary and disable HA

You must deregister the primary device from Sophos Central management, disable HA, and make sure HA synchronization doesn't take place before you reconfigure HA.

  1. If the primary device is registered for Sophos Central firewall management, do as follows:

    1. On the device's web admin console, go to the Sophos Central menu and click Deregister.
    2. Sign in to your Sophos Central account, go to My Products > Firewall Management and click Firewalls.

      Make sure the primary device isn't listed.

  2. On the device's web admin console, go to System services > High availability and click Disable HA.

    If the dedicated HA links of the primary and auxiliary devices are connected, the auxiliary device restarts with factory settings, but retains the admin password and the peer administration IP address.

    Note

    Don't disable HA on the auxiliary device.

  3. To make sure that HA synchronization doesn't take place, verify the msync service status as follows:

    1. Sign in to the CLI console.
    2. Enter 5 for Device Management and enter 3 for Advanced Shell.
    3. Run service -S | grep msync.
    4. The status must show UNTOUCHED or STOPPED.
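The msync check in step 3, as an added example that isn't part of the Sophos documentation: a shell gate that reads `service -S` output and succeeds only when msync is UNTOUCHED or STOPPED. It assumes `service -S` prints each service as a name followed by its state and that awk is available in the Advanced Shell; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not Sophos code. Assumption: `service -S` prints one
# service per line as "<name> ... <STATE>" with the state in the last field.

# Read `service -S` output on stdin and print the state reported for msync.
# Prints MISSING if there is no msync line, AMBIGUOUS if lines disagree.
msync_state() {
    awk '
        $1 == "msync" {
            state = toupper($NF)
            if (seen && state != first) conflict = 1
            if (!seen) { first = state; seen = 1 }
        }
        END {
            if (!seen)         print "MISSING"
            else if (conflict) print "AMBIGUOUS"
            else               print first
        }'
}

# Succeed only for the two states the procedure accepts.
msync_safe() {
    state=$(msync_state)
    case "$state" in
        UNTOUCHED|STOPPED)
            echo "OK: msync is $state"; return 0 ;;
        *)
            echo "STOP: msync is $state, expected UNTOUCHED or STOPPED"
            return 1 ;;
    esac
}

# Constructed sample lines so the example runs away from the firewall.
for sample in "msync UNTOUCHED" "msync STOPPED" "msync RUNNING" "heartbeat RUNNING"; do
    printf '%s\n' "$sample" | msync_safe || :
done

# On the firewall's Advanced Shell, with the functions above defined:
#   service -S | msync_safe && echo "safe to continue"
```

A missing msync line is treated as a failure rather than as a stopped service, so a changed output format blocks the procedure instead of passing silently.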


Reimage the auxiliary device

  1. Reimage the auxiliary device using the same firmware version and build as the primary. See Reimage Sophos Firewall.
  2. Make sure the auxiliary device's WAN interface is connected to the network.
  3. Sign in to the auxiliary's web admin console and configure the WAN interface to allow internet access.

    Note

    Don't configure any LAN or DMZ interfaces yet.

  4. Claim the auxiliary device from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.

To reimage the primary device and reconfigure HA in active-passive mode, do as follows:

Configure the primary device

  1. If the primary device is registered for Sophos Central firewall management, do as follows:

    1. On the device's web admin console, go to the Sophos Central menu and click Deregister.
    2. Sign in to your Sophos Central account, go to My Products > Firewall Management and click Firewalls.

      Make sure the primary device isn't listed.

  2. On the primary device's web admin console, go to System services > High availability and click Switch to passive device.

    The auxiliary device becomes the current primary.

  3. Reimage the primary device using the same firmware version and build as the auxiliary. See Reimage Sophos Firewall.

  4. Make sure the primary device's WAN interface is connected to the network.
  5. Sign in to the primary and configure the WAN interface to allow internet access.

    Note

    Don't configure any LAN or DMZ interfaces yet.

  6. Claim the primary device from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.

  7. Disconnect all cables from the primary except the cable connected to your endpoint.
  8. Restore the backup to the primary device. See Backup and restore.
  9. Reconnect the cables to the primary and redirect traffic from the auxiliary to the primary.

Configure the auxiliary device

  1. Reset the auxiliary device to factory settings as follows:

    1. Go to Backup and firmware > Firmware.
    2. In the Firmware section, click Restart with factory configuration in the Manage column. See Reset to factory settings.
  2. Make sure the auxiliary device's WAN interface is connected to the network.

  3. Sign in to the auxiliary and configure the WAN interface to allow internet access.

    Note

    Don't configure any LAN or DMZ interfaces yet.

  4. Claim the auxiliary from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.

To reimage and upgrade both HA devices to the latest firmware and reconfigure HA in active-passive mode, do as follows:

Configure the primary device

On the primary device, do as follows:

  1. If the primary device is registered for Sophos Central firewall management, do as follows:

    1. On the device's web admin console, go to the Sophos Central menu and click Deregister.
    2. Sign in to your Sophos Central account, go to My Products > Firewall Management and click Firewalls.

      Make sure the primary device isn't listed.

  2. On the primary device's web admin console, go to System services > High availability and click Switch to passive device.

    The auxiliary device becomes the current primary.

  3. Reimage the primary device using the latest firmware version and build. See Reimage Sophos Firewall.

  4. Make sure the primary device's WAN interface is connected to the network.
  5. Sign in to the primary and configure the WAN interface to allow internet access.

    Note

    Don't configure any LAN or DMZ interfaces yet.

  6. Claim the primary device from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.

  7. Disconnect all cables from the primary except the cable connected to your computer.
  8. Restore the backup to the primary device. See Backup and restore.
  9. Reconnect the cables to the primary and redirect the traffic from the auxiliary to the primary device.

Configure the auxiliary device

  1. Reimage the auxiliary device to the same firmware version and build as the primary.
  2. Make sure the auxiliary device's WAN interface is connected to the network.
  3. Sign in to the auxiliary and configure the WAN interface to allow internet access.

    Note

    Don't configure any LAN or DMZ interfaces yet.

  4. Claim the auxiliary from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.

Configure active-passive HA

Configure HA in active-passive mode.

Make sure that you configure the primary and auxiliary devices with the same roles as the previous HA configuration. See Configure active-passive HA.
