Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Accept MAC address changes

You must configure the virtual appliance platform to accept the virtual MAC address created for the HA cluster.

Alternatively, if you select Use host or hypervisor-assigned MAC address in the firewalls' HA configuration, you don't need to make the following changes.

In ESXi, change the port group security settings, MAC address changes and Forged transmit to Accept. You can do this either at the vSwitch or port group level. If you configure this on the vSwitch, the port group settings must inherit the settings from the vSwitch.

Here's an example of the changes at the vSwitch level.

vSwitch level settings.

Here's an example of the port group settings if you configure MAC address changes and Forged transmit on the vSwitch.

Port group settings when configuration is done on vSwitch.

Here's an example of the MAC address changes and Forged transmit settings if you configure them only at the port group level.

Port group settings when no changes are made at the vSwitch level.

In HyperV, turn on Enable MAC address spoofing on all network adapters of the Sophos Firewall HA virtual device, except the network adapter used for the dedicated HA link. Do as follows:

  1. Go to Advanced features.
  2. Click Enable MAC address spoofing.

Here's an example of where you must turn on MAC address spoofing.

Enable MAC address spoofing in HyperV.