Configure active-active HA using QuickHA mode
To configure the firewalls in an active-active HA cluster using QuickHA, make sure they meet the HA requirements.
Connect the Sophos Firewall devices using a network cable plugged into the dedicated HA port on both units.
Also, see HA requirements.
Configure HA on the primary device
- Sign in to the web admin console of the primary device and go to System services > High availability.
- Set Initial device role to Primary (active-active).
- Ensure QuickHA mode is selected.
(Optional) Change the node name.
The node name helps you easily identify the device.
The firewall automatically generates a passphrase. You can change it if you want.
The devices in the cluster must have the same passphrase. It's used only once to generate the SSH keys used to encrypt communication over the dedicated HA links. It's then deleted.
For Dedicated HA link, click Add new item and select the interfaces.
A dedicated HA link synchronizes data and heartbeat information between the HA devices.
You can select up to four interfaces for link redundancy. You can select unbound physical interfaces. You can also select DMZ interfaces that you've already configured, including physical, LAG, and VLAN interfaces.
If you select more than one unbound interface, the firewall automatically creates a LAG interface in QuickHA mode.
The firewall renames the interface and assigns an IPv4 address from the link-local range
169.254.192.0/24. A single interface is renamed HA link. A LAG interface is renamed HA redundant link. You can see it on Network > Interfaces.
If you select a DMZ port (physical, LAG, or VLAN) that's already in use, the firewall overwrites its IP address and removes it from its existing configurations.
Click Initiate HA.
Configure HA on the auxiliary device
- Sign in to the web admin console of the auxiliary device from PortA, and go to Network > Interfaces.
Make sure the IP address of PortA is in the same subnet as PortA of the primary device.
In this example, we'll configure PortA as the peer administration port. So, PortA of the auxiliary device must be in the same subnet as PortA of the primary device. QuickHA won't work if it isn't, and the following error message appears in /log/syslog.log on the primary device.
Validation Failed For Ha interface IP.
For example, if PortA of the primary device is 192.168.3.254/24, then PortA of the auxiliary device can be 192.168.3.253/24. However, it can't be 172.16.16.16/24.
Go to System services > High availability.
Set Initial device role to Auxiliary.
QuickHA assigns the peer administration port based on the interface you're currently using to access the web admin console of the auxiliary device. For example, if you're connected to PortA, this interface becomes the peer administration port on both devices.
Set HA configuration mode to QuickHA.
- (Optional) Enter a node name.
- Enter the same passphrase used on the primary device.
- For Dedicated HA link, click Add new item and select the interfaces. See Networking requirements.
Click Initiate HA.
You can see the progress under High availability status. See QuickHA status.
You'll see a message about the configuration being overwritten. This is because the configuration will be synchronized from the primary Sophos Firewall device.
(Optional) Configure advanced settings on primary
After HA is established, you can configure the advanced settings on the primary device. Do as follows:
(Optional) Select ports to be monitored: You can select physical or LAG interfaces to monitor the HA status. You can also select unbound interfaces if you've configured a VLAN on them.
If a monitored port goes down, the device is determined as unavailable, and failover occurs.
Enter the following Peer administration settings to access the web admin console of the auxiliary device:
- IPv4 address or IPv6 address
For Preferred primary device, select one of the HA devices.
This device automatically becomes the primary device when it recovers after a failover. See Failing back to the primary device.
Enter the Keepalive request interval in milliseconds.
The device sends a heartbeat over the dedicated link port to the peer device at these intervals. Heartbeats are used to determine if the peer device is available.
Enter the number of Keepalive attempts.
For example, if you configure the keepalive request interval as 250 ms and keepalive attempts as eight, the device is declared dead after 250 * 8 = 2 seconds.
You can't set the keepalive interval and keepalive attempts for devices in Standalone and Faulty modes.
Use host or hypervisor-assigned MAC address: Select the checkbox if you want to use the following:
- Host: Uses the physical MAC address if you're using hardware appliances for HA.
Hypervisor-assigned address: Uses the MAC address assigned by the hypervisor for virtual appliances. You won't need to turn on promiscuous mode on the vSwitch.
We recommend that you select this option for virtual appliances.
Click Initiate HA.
The primary device pushes its configuration to the auxiliary device.