Reconfigure active-passive HA devices after RMA
You can replace high availability (HA) devices and reconfigure HA in active-passive mode after a Return Merchandise Authorization (RMA).
These steps don't apply to active-active HA.
Warning
An outage occurs when you reimage and replace HA devices and reconfigure HA. Plan your downtime accordingly.
Requirements
The requirements are as follows:
- Model: Check if the model and revision of the replacement device are correct. See Hardware and software requirements.
- Firmware version: Check the firmware version and build of the working firewall and the replacement firewall. To do this, do as follows:
- Sign in to the CLI console. See Accessing Command Line Console.
- Enter 4 for Device Console.
- Run `system diagnostics show version-info` and check the firmware version and build of both firewalls.
- Download the latest firmware. See Download firmware.
Tip
We recommend using the latest firmware. If you prefer to stay on your current firmware and it isn't available for download, contact Sophos Support to request the firmware version and build. See Sophos Support.
- Backup: Reimaging deletes the backup. First, take a backup from the available device.
- Check which firewall is the initial primary device. To do this, do as follows:
- Sign in to the web admin console.
- Go to System services > High availability and check which firewall is the initial primary device.
Configuration
After an RMA, you can replace the auxiliary or the primary device and reconfigure active-passive HA.
To replace the faulty auxiliary device with a replacement and reconfigure HA, do as follows:
Reimage and connect the replacement device
- Reimage the replacement device using the same firmware version and build as the primary device. See Reimage Sophos Firewall.
  Skip this step if the firmware version and build are the same on both firewalls.
- Connect the replacement device's WAN interface to your network.
- Sign in to its web admin console and configure the WAN interface to allow internet access.
Note
Don't configure any LAN or DMZ interfaces yet.
- Claim the device from Sophos Central and transfer the license from the auxiliary to the replacement device. See Set up your Sophos Firewall and claim it in Sophos Central.
- Disconnect the cables from the auxiliary and connect them to the replacement device. See Deploy HA ports.
Disable HA on the primary device
- Go to System services > High availability and click Disable HA.
- To make sure that HA synchronization doesn't take place, verify the `msync` service status as follows:
- Sign in to the CLI console.
- Type 5 for Device Management, then type 3 for Advanced shell.
- Run `service -S | grep msync`.
- The status must show `UNTOUCHED` or `STOPPED`.
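The status check above can be turned into a pass/fail gate that fails closed. This is an added example, not part of the original Sophos procedure. The function names, the sample lines, and the `<service name> <STATUS>` line layout are assumptions, and `RUNNING` stands in for any state other than the two accepted ones.

```shell
#!/bin/sh
# Added example: gate on the msync state before reconfiguring HA.
# Input is the text printed by `service -S` (live or saved to a file).
# Assumption: each line is "<service name> <STATUS>", whitespace-separated.

# Print the status of the msync service read from stdin,
# or MISSING when the list has no msync line at all.
msync_status() {
    awk '$1 == "msync" { print $2; found = 1; exit }
         END { if (!found) print "MISSING" }'
}

# Return 0 only when msync is UNTOUCHED or STOPPED, the two states the
# procedure accepts. Any other state returns 1; a missing line returns 2,
# so an empty or truncated listing is never treated as a pass.
msync_is_inactive() {
    status=$(msync_status)
    case "$status" in
        UNTOUCHED|STOPPED)
            echo "OK: msync is $status, HA synchronization is not running"
            return 0 ;;
        MISSING)
            echo "FAIL: no msync line in the service list, state unknown" >&2
            return 2 ;;
        *)
            echo "FAIL: msync is $status, disable HA and check again" >&2
            return 1 ;;
    esac
}

# Constructed sample lines (not captured from a real device).
SAMPLE_AFTER_DISABLE='msync                STOPPED'
SAMPLE_STILL_ACTIVE='msync                RUNNING'

# Intended use on live output:  service -S | msync_is_inactive
printf '%s\n' "$SAMPLE_AFTER_DISABLE" | msync_is_inactive
printf '%s\n' "$SAMPLE_STILL_ACTIVE" | msync_is_inactive || true
```

The exact match on the first field avoids the substring matching that `grep msync` does, so a differently named service containing "msync" can't satisfy the check.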
Configure active-passive HA
Configure active-passive HA with the replacement device as the auxiliary. See Configure active-passive HA.
To replace a faulty primary device and reconfigure active-passive HA, do as follows:
Deregister auxiliary device
- If the auxiliary device is registered for Sophos Central firewall management, do as follows:
- On the device's web admin console, go to the Sophos Central menu and click Deregister.
- Sign in to your Sophos Central account, go to My Products > Firewall Management and click Firewalls.
  Make sure the auxiliary device isn't listed.
Reimage and claim the replacement
- Reimage the replacement device using the same firmware and build version as the auxiliary if it differs. See Reimage Sophos Firewall.
  Skip this step if the firmware version and build are the same on both firewalls.
- Connect the replacement device's WAN interface to the network.
- Sign in to the replacement device and configure the WAN interface to allow internet access.
Note
Don't configure any LAN or DMZ interfaces yet.
- Claim the replacement device from Sophos Central and transfer the license from the primary to it. See Transfer licenses in HA devices.
- Restore the backup to the replacement device. See Backup and restore.
- Disconnect the cables from the primary and connect them to the replacement.
Reset auxiliary device
- Redirect traffic from the auxiliary to the replacement.
- Reset the auxiliary device to factory settings as follows:
- Go to Backup and firmware > Firmware.
- In the Firmware section, click in the Manage column. See Reset to factory settings.
- Connect the auxiliary device's WAN interface to the network.
- Sign in to the auxiliary and configure the WAN interface to allow internet access.
Note
Don't configure any LAN or DMZ interfaces yet.
- Claim the auxiliary from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.
Configure active-passive HA
Configure active-passive HA with the replacement device as the primary. See Configure active-passive HA.