Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/index.html?contextId=rma-replace-reconfigure-HA

Reconfigure HA devices in active-passive mode after an RMA

You can replace high availability (HA) devices and reconfigure HA in active-passive mode after an RMA. The steps here only apply to HA active-passive mode and not to HA active-active mode.

Warning

An outage occurs when you reimage and replace HA devices and reconfigure HA. Plan your downtime accordingly.

Requirements

The requirements are as follows:

  • Check if the model and revision of the replacement device are correct.

  • Check the firmware version and build of the working firewall and the replacement firewall. To do this, do as follows:

    1. Sign in to the CLI console. See Accessing Command Line Console.
    2. Type 4 to select Device Console.

    3. Run system diagnostics show version-info and check the firmware version and build of both firewalls.

      Example:

      Initial primary.

  • Download the latest firmware. See Download firmware.

    Tip

    We recommend using the latest firmware. If you prefer to stay on your current firmware and it isn't available for download, contact Sophos Support to request the firmware version and build. See Sophos Support.

  • Check which firewall is the initial primary device. To do this, do as follows:

    1. Sign in to the web admin console.

    2. Go to System services > High availability and check which firewall is the initial primary device.

      Example:

      Initial primary.

Configuration

After an RMA, you can replace the auxiliary or the primary device and reconfigure HA.

You want to replace the auxiliary device with the replacement device and reconfigure HA in active-passive mode.

  • Scenario

    • Firewall 1 is the primary device running as a standalone HA.
    • Firewall 2 is the faulty auxiliary device.
    • Firewall 3 is the replacement device.

Configure firewall 3

On firewall 3, do as follows:

  1. Reimage firewall 3 to the same firmware version and build as firewall 1. See Reimage Sophos Firewall. You can skip this step if the firmware version and build are the same on both firewalls.
  2. Sign in to firewall 3 , connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
  3. Claim firewall 3 from Sophos Central and transfer the license from firewall 2 to firewall 3. See Claim a device and transfer the license.
  4. Disconnect the cables from firewall 2 and connect them to firewall 3.

Configure firewall 1

On firewall 1, do as follows:

  1. Go to System services > High availability and click Disable HA.

  2. Check that the msync service shows as UNTOUCHED or STOPPED. To do this, do as follows:

    1. Sign in to the CLI console.
    2. Type 5 to select Device Management, then type 3 to select Advanced Shell.

    3. Run service -S | grep msync.

      Example:

      Msync status.

Configure firewall 1 and firewall 3 in HA active-passive mode. Make sure that firewall 1 is configured as the primary device and firewall 3 is configured as the auxiliary device. See Configure active-passive HA using interactive mode.

You want to replace the primary device with the replacement device and reconfigure HA in active-passive mode.

  • Scenario

    • Firewall 1 is the faulty primary device.
    • Firewall 2 is the auxiliary device running as a standalone HA.
    • Firewall 3 is the replacement device.

Configuration

To replace the primary device with the replacement device and reconfigure HA in active-passive mode, do as follows:

  1. If firewall 2 is registered to Sophos Central, go to Sophos Central and click Deregister.
  2. Sign in to your Sophos Central account. Go to My Products > Firewall Management and click Firewalls. Make sure that firewall 2 doesn't exist.
  3. On firewall 2, go to Backup & firmware, download the configuration backup, and save it to your computer. See Backup and restore.
  4. Reimage firewall 3 to the same firmware and build version as firewall 2. See Reimage Sophos Firewall. You can skip this step if the firmware version and build are the same on both firewalls.
  5. Sign in to firewall 3, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
  6. Claim firewall 3 from Sophos Central and transfer the license from firewall 1 to firewall 3. See Claim a device and transfer the license.
  7. Restore the configuration backup to firewall 3. See Backup and restore.
  8. Disconnect the cables from firewall 1 and connect them to firewall 3.
  9. Redirect the traffic from firewall 2 to firewall 3.
  10. Reset firewall 2 to factory default settings. See Reset to factory settings.
  11. Sign in to firewall 2, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
  12. Claim firewall 2 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.
  13. Configure firewall 2 and firewall 3 in HA active-passive mode. Make sure that firewall 3 is configured as the primary device and firewall 2 is configured as the auxiliary device. See Configure active-passive HA using interactive mode.

More resources