Reconfigure active-passive HA devices after RMA

You can replace high availability (HA) devices and reconfigure HA in active-passive mode after a Return Merchandise Authorization (RMA).

These steps don't apply to active-active HA.

Warning

An outage occurs when you reimage and replace HA devices and reconfigure HA. Plan your downtime accordingly.

Requirements

The requirements are as follows:

  1. Model: Check if the model and revision of the replacement device are correct. See Hardware and software requirements.
  2. Firmware version: Check the firmware version and build of the working firewall and the replacement firewall. To do this, do as follows:

    1. Sign in to the CLI console. See Accessing Command Line Console.
    2. Enter 4 for Device Console.
    3. Run system diagnostics show version-info and check the firmware version and build of both firewalls.

  3. Download the latest firmware. See Download firmware.

    Tip

    We recommend using the latest firmware. If you prefer to stay on your current firmware and it isn't available for download, contact Sophos Support to request the firmware version and build. See Sophos Support.

  4. Backup: Reimaging deletes the backup. First, take a backup from the available device.

  5. Check which firewall is the initial primary device. To do this, do as follows:

    1. Sign in to the web admin console.
    2. Go to System services > High availability and check which firewall is the initial primary device.

      Example:

      Initial primary.

Configuration

After an RMA, you can replace the auxiliary or the primary device and reconfigure active-passive HA.

To replace the faulty auxiliary device with a replacement and reconfigure HA, do as follows:

Reimage and connect the replacement device

  1. Reimage the replacement device using the same firmware version and build as the primary device. See Reimage Sophos Firewall.

    Skip this step if the firmware version and build are the same on both firewalls.

  2. Connect the replacement device's WAN interface to your network.

  3. Sign in to its web admin console and configure the WAN interface to allow internet access.

    Note

    Don't configure any LAN or DMZ interfaces yet.

  4. Claim the device from Sophos Central and transfer the license from the auxiliary to the replacement device. See Set up your Sophos Firewall and claim it in Sophos Central.

  5. Disconnect the cables from the auxiliary and connect them to the replacement device. See Deploy HA ports.

Disable HA on the primary device

  1. Go to System services > High availability and click Disable HA.
  2. To make sure that HA synchronization doesn't take place, verify the msync service status as follows:

    1. Sign in to the CLI console.
    2. Type 5 for Device Management, then type 3 for Advanced shell.
    3. Run service -S | grep msync.
    4. The status must show UNTOUCHED or STOPPED.

      Example:

      Msync status.
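The msync check above can be scripted so the result doesn't depend on reading the `grep` output by eye. This is an added example, not Sophos code: it assumes `service -S` prints one service per line with the name in the first column and the status in the last, and the sample listings and the service names other than msync are constructed.

```shell
#!/bin/sh
# Added example: gate HA reconfiguration on the msync service status.
# Assumption: `service -S` prints "<name> ... <STATUS>", one service per line.

# Print the status of the service named exactly "msync" (read from stdin).
# Exits non-zero when no such line exists.
msync_status() {
    awk '$1 == "msync" { print $NF; found = 1 } END { exit !found }'
}

# Return 0 only for the two states the procedure accepts.
# Return 1 for any other state, 2 when msync is not listed at all.
msync_is_idle() {
    status=$(msync_status) || {
        echo "msync not listed: cannot confirm HA sync is off" >&2
        return 2
    }
    case "$status" in
        UNTOUCHED|STOPPED)
            echo "msync is $status: HA synchronization is not running"
            return 0 ;;
        *)
            echo "msync is $status: HA may still synchronize, do not continue" >&2
            return 1 ;;
    esac
}

# Constructed sample listings (not captured from a real device).
SAMPLE_STOPPED='dhcpd                RUNNING
msync                STOPPED
sshd                 RUNNING'
SAMPLE_UNTOUCHED='msync                UNTOUCHED'
SAMPLE_RUNNING='msync                RUNNING'

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_STOPPED" | msync_is_idle
```

On the advanced shell, the equivalent is `service -S | msync_is_idle`. A missing msync line is treated as a failure rather than as proof that synchronization is off.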

Configure active-passive HA

Configure active-passive HA with the replacement device as the auxiliary. See Configure active-passive HA.

To replace a faulty primary device and reconfigure active-passive HA, do as follows:

Deregister auxiliary device

  1. If the auxiliary device is registered for Sophos Central firewall management, do as follows:

    1. On the device's web admin console, go to the Sophos Central menu and click Deregister.
    2. Sign in to your Sophos Central account, go to My Products > Firewall Management and click Firewalls.

      Make sure the auxiliary device isn't listed.

Reimage and claim the replacement

  1. Reimage the replacement device using the same firmware and build version as the auxiliary if it differs. See Reimage Sophos Firewall.

    Skip this step if the firmware version and build are the same on both firewalls.

  2. Connect the replacement device's WAN interface to the network.

  3. Sign in to the replacement device and configure the WAN interface to allow internet access.

    Note

    Don't configure any LAN or DMZ interfaces yet.

  4. Claim the replacement device from Sophos Central and transfer the license from the primary to it. See Transfer licenses in HA devices.

  5. Restore the backup to the replacement device. See Backup and restore.
  6. Disconnect the cables from the primary and connect them to the replacement.

Reset auxiliary device

  1. Redirect traffic from the auxiliary to the replacement.

    1. Reset the auxiliary device to factory settings as follows:

      1. Go to Backup and firmware > Firmware.
      2. In the Firmware section, click Restarts with factory configuration in the Manage column. See Reset to factory settings.
  2. Connect the auxiliary device's WAN interface to the network.

  3. Sign in to the auxiliary and configure the WAN interface to allow internet access.

    Note

    Don't configure any LAN or DMZ interfaces yet.

  4. Claim the auxiliary from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.

Configure active-passive HA

Configure active-passive HA with the replacement device as the primary. See Configure active-passive HA.
