
Configure active-passive HA

You can configure two Sophos Firewall devices in an active-passive HA cluster using either the QuickHA or the interactive configuration mode.

You can establish HA between hardware appliances or between virtual appliances. Make sure the firewalls meet the following requirements:

Configuration modes

QuickHA

In QuickHA configuration mode, you only specify the Initial device role, Node name, and Dedicated HA link on each device. You can configure the devices in advance and ship them. The devices continue to try to discover the peer until they find it. They then complete the configuration and establish HA.

You can then change the other settings, such as the monitored port, the keep-alive values, and the preferred primary device.

Interactive

In interactive mode, you specify all the settings, such as the monitored port and peer administration settings.

Note

In interactive configuration mode, you configure the auxiliary device first and then the primary.

How to configure HA

See how to configure HA in QuickHA and interactive modes.

Port requirements

In QuickHA mode, the firewall automatically assigns interfaces to some HA ports. So, check the following configurations:

  1. Administration ports: These enable you to access the web admin console.

    1. Choose the interface to use for the administration port. Higher-end appliances have management ports.

      Tip

      QuickHA assigns the interface you're currently using to access the device's web admin console as the peer administration port. For example, if the web admin console's address is https://192.168.3.254:4444 and 192.168.3.254 is assigned to PortA, PortA becomes the peer administration port.

      After establishing HA, you can only access the auxiliary device using this IP address. You can access the primary device's web admin console from any LAN or WAN IP address if you allow access from these zones.

    2. Go to Network > Interfaces and make sure the administration or management ports in the primary and auxiliary devices are as follows:

      1. Belong to the same subnet. You can't establish HA if they belong to different subnets.
      2. IP addresses differ. You can't access the auxiliary device's web admin console if the IP address is the same in both devices.

    Example

    Primary device: 192.168.3.254/24

    Auxiliary device: 192.168.3.253/24

  2. Dedicated HA link: If you select interfaces used in configurations, the firewall rewrites the interface IP address and deletes the dependent configurations. This applies to physical, VLAN, and LAG interfaces.

    • Make sure the interface you want to select doesn't have dependent configurations.
    • Only use static IP addresses for the dedicated HA link's interfaces.

    Note

    Dedicated HA link and monitored ports can't use the same interface.

Configure HA on the primary device

  1. On the primary device, go to System services > High availability.
  2. Set Initial device role to Primary (active-passive).
  3. Set HA configuration mode to QuickHA mode.
  4. Optional: Change the node name to help you easily identify the device in the cluster.
  5. The firewall automatically generates a passphrase. You can change it.

    Note

    You must enter this passphrase in the auxiliary device. It's used only once to generate the SSH keys used to encrypt communication over the dedicated HA links. It's then deleted.

  6. Under Dedicated HA link, click Add new item and select the interface to synchronize data and heartbeat information between the HA devices. You can select up to four interfaces for link redundancy. The options are as follows:

    • DMZ interfaces, including physical, LAG, and VLAN interfaces.
    • Unbound physical interfaces:

      • Single interface: The firewall assigns the name HA link.
      • More than one interface: The firewall creates a LAG interface in QuickHA mode and assigns the name HA redundant link.

      Note

      In QuickHA mode, the firewall automatically assigns the DMZ zone and the default IP address 169.254.192.1 to the interface and turns on SSH for the zone.

  7. Click Initiate HA.

Configure HA on the auxiliary device

  1. On the auxiliary device's web admin console, go to System services > High availability.
  2. Set Initial device role to Auxiliary.
  3. Set HA configuration mode to QuickHA.
  4. Optional: Enter a node name.
  5. Enter the same passphrase used on the primary device.
  6. For Dedicated HA link, click Add new item and select the same interface you selected in the primary device.
  7. Click Initiate HA.

    You can see the progress under High availability status. See Manage HA.

    The auxiliary device's configuration is synchronized with that of the primary device.

Configure advanced settings on the primary device

After HA is established, you can configure the advanced settings in the primary device as follows:

  1. Under Select ports to be monitored, select one or more from the following options to monitor critical ports for their availability, such as WAN ports with internet connectivity and ports to critical DMZ servers:

    • Physical interfaces
    • LAG interfaces
    • Unbound interfaces if they have VLAN configured. You can't select unbound interfaces if they don't have a VLAN.

    If a monitored port goes down, the device considers itself unavailable, and failover occurs.

  2. Specify the following Peer administration settings to access the auxiliary device's web admin console:

    1. Select an Interface.
    2. Enter an IPv4 address or IPv6 address.
  3. For Preferred primary device, select one of the HA devices.

    This device automatically becomes the primary device when it recovers after a failover. See Failing back to primary device.

    Tip

    We recommend that you select the initial primary device, making the license-holding device easy to identify. In active-passive HA, only the initial primary device holds the licenses.

  4. Enter the Keepalive request interval in milliseconds. You can enter a value from 250 to 500.

    The device sends a heartbeat over the dedicated link port to the peer device at these intervals. Heartbeats are used to determine if the peer device is available.

    Default: 250

  5. Enter the number of Keepalive attempts. You can enter a value from 16 to 24.

    Default: 16

    For example, if you enter a keepalive request interval of 250 milliseconds and keepalive attempts of 16, the device is declared dead after 250 ms * 16 = 4,000 ms, that is, 4 seconds.

    Note

    You can't set the keepalive interval and keepalive attempts while the devices are in Standalone or Faulty statuses.

  6. For virtual appliances, select Use host or hypervisor-assigned MAC address to use the MAC address assigned by the hypervisor.

    You won't then need to turn on promiscuous mode on the vSwitch. If you don't select this checkbox, see Accept MAC address changes.

    Note

    If you turn the virtual MAC address selection on or off, interface configurations are updated, resulting in downtime.

  7. Click Initiate HA.

    The primary device synchronizes the changes to the auxiliary device.

Warning

You can't stop QuickHA discovery after the device has discovered the peer and is establishing HA.

Port requirements

In interactive mode, check the following configurations:

  1. Administration port: Go to Network > Interfaces and make sure the administration or management ports in the primary and auxiliary devices are as follows:

    1. Belong to the same subnet. You can't establish HA if they belong to different subnets.
    2. IP addresses differ. You can't access the auxiliary device's web admin console if the IP address is the same in both devices.

    Example

    Primary device: 192.168.3.254/24

    Auxiliary device: 192.168.3.253/24

  2. Dedicated HA link: The firewall deletes the dependent configurations of the interface you select.

    • Make sure the interface you want to select doesn't have dependent configurations.
    • Only use static IP addresses for the dedicated HA link's interfaces.
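The administration port and dedicated HA link requirements above apply in both QuickHA and interactive mode, and they are easy to verify before you click Initiate HA. The following pre-flight script is an added example, not Sophos code: it takes the addressing you plan to use on each device and reports anything that would stop HA from being established or would leave the auxiliary device's web admin console unreachable. The HaNode class, the check_ha_addressing function, the interface names and the sample addresses (including the 169.254.192.2 auxiliary HA link address) are constructed for the example; only the 192.168.3.x example addresses and the 169.254.192.1 default come from this article.

```python
"""Pre-flight check for Sophos Firewall active-passive HA addressing.

Added example, not Sophos code.  It encodes the port requirements stated in
this article: administration ports of both devices in the same subnet with
different IP addresses, the same port used as the dedicated HA link on both
devices with static addresses in one subnet, and no interface used as both
the dedicated HA link and a monitored port.  The HaNode fields and the
sample addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class HaNode:
    name: str
    admin_port: str            # interface carrying the web admin console, e.g. "PortA"
    admin_addr: str            # its address in CIDR form, e.g. "192.168.3.254/24"
    ha_link_port: str          # interface chosen as the dedicated HA link
    ha_link_addr: str          # dedicated HA link address in CIDR form
    ha_link_static: bool = True                 # the HA link must use a static address
    monitored_ports: List[str] = field(default_factory=list)


def check_ha_addressing(primary: HaNode, auxiliary: HaNode) -> List[str]:
    """Return the list of problems found; an empty list means the pair passes."""
    problems: List[str] = []

    # Administration ports: same subnet, different host addresses.
    p_admin = ipaddress.ip_interface(primary.admin_addr)
    a_admin = ipaddress.ip_interface(auxiliary.admin_addr)
    if p_admin.network != a_admin.network:
        problems.append(
            f"administration ports are in different subnets "
            f"({p_admin.network} vs {a_admin.network}): HA can't be established")
    if p_admin.ip == a_admin.ip:
        problems.append(
            f"administration ports share the address {p_admin.ip}: "
            f"the auxiliary device's web admin console would be unreachable")

    # Dedicated HA link: same port on both devices, addresses in one subnet.
    if primary.ha_link_port != auxiliary.ha_link_port:
        problems.append(
            f"dedicated HA link port differs ({primary.ha_link_port} vs "
            f"{auxiliary.ha_link_port}): select the same interface on both devices")
    p_link = ipaddress.ip_interface(primary.ha_link_addr)
    a_link = ipaddress.ip_interface(auxiliary.ha_link_addr)
    if p_link.network != a_link.network:
        problems.append(
            f"dedicated HA link addresses are in different subnets "
            f"({p_link.network} vs {a_link.network})")
    elif p_link.ip == a_link.ip:
        problems.append(f"both dedicated HA link addresses are {p_link.ip}")

    # Per-device constraints.
    for node in (primary, auxiliary):
        if not node.ha_link_static:
            problems.append(f"{node.name}: the dedicated HA link must use a static IP address")
        if node.ha_link_port in node.monitored_ports:
            problems.append(
                f"{node.name}: {node.ha_link_port} can't be both the dedicated HA link "
                f"and a monitored port")
    return problems


# Constructed sample pairs.  GOOD_* mirrors the example addresses in the article;
# BAD_* breaks three of the rules at once.
GOOD_PRIMARY = HaNode("fw-1", "PortA", "192.168.3.254/24", "PortE", "169.254.192.1/24",
                      monitored_ports=["PortB"])
GOOD_AUXILIARY = HaNode("fw-2", "PortA", "192.168.3.253/24", "PortE", "169.254.192.2/24",
                        monitored_ports=["PortB"])
BAD_PRIMARY = HaNode("fw-1", "PortA", "192.168.3.254/24", "PortE", "169.254.192.1/24")
BAD_AUXILIARY = HaNode("fw-2", "PortA", "192.168.4.253/24", "PortE", "169.254.192.1/24",
                       monitored_ports=["PortE"])

if __name__ == "__main__":
    for label, pair in (("good", (GOOD_PRIMARY, GOOD_AUXILIARY)),
                        ("bad", (BAD_PRIMARY, BAD_AUXILIARY))):
        found = check_ha_addressing(*pair)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```

Run it with the addresses you intend to assign before touching the devices: the first pair passes, while the second reports the administration ports in different subnets, identical dedicated HA link addresses, and PortE selected as both the dedicated HA link and a monitored port.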

Device access

  1. Go to Administration > Device access.
  2. Select DMZ under SSH.
  3. Click Apply.

    The firewalls use the HA passphrase and establish an SSH tunnel between the dedicated HA links of the HA devices.

Configure HA on the auxiliary device

In interactive mode, we recommend that you first configure the auxiliary device. This ensures that peer discovery by the primary device doesn't time out.

  1. Sign in to the auxiliary device's web admin console.
  2. Go to System services > High availability.
  3. Set Initial device role to Auxiliary.
  4. Set HA configuration mode to Interactive mode.
  5. Optional: Change the node name to easily identify the device in the cluster.
  6. The firewall automatically generates a passphrase. You can change it.

    Note

    You must enter this passphrase in the primary device. It's used only once to generate the SSH keys used to encrypt communication between the dedicated HA links. It's then deleted.

  7. The firewall automatically selects the first DMZ interface as the dedicated HA link in interactive mode. You can change it to one of the following DMZ interfaces:

    • Physical interface
    • VLAN interface
    • LAG interface: You must first configure a LAG interface on Network > Interfaces and select it here.

    Dedicated HA link synchronizes data and heartbeat information between the HA devices. You can see the selected interface on Network > Interfaces.

    Warning

    The firewall deletes existing configurations on the interface.

  8. Click Save.

Configure HA on the primary device

  1. Sign in to the primary device's web admin console.
  2. Go to System services > High availability.
  3. Set Initial device role to Primary (active-passive).
  4. Set HA configuration mode to Interactive mode.
  5. Optional: Under Cluster ID, enter a number that identifies this HA cluster.

    The firewall automatically assigns this ID to both devices in the cluster. If your network has multiple HA clusters, assign a different ID to each cluster to prevent virtual MAC address conflicts. See HA modes and device roles.

  6. Optional: Change the node name.

  7. The firewall automatically generates a passphrase. Paste the passphrase you copied from the auxiliary device.
  8. Under Dedicated HA link, select the same dedicated HA link port you selected in the auxiliary device. For example, if you selected PortE on the auxiliary device, select PortE here.
  9. Under Dedicated peer HA link IPv4 address, enter the auxiliary device's dedicated HA link address.

    Note

    Make sure the dedicated HA link IP addresses of both devices belong to the same subnet.

  10. Optional: Under Select ports to be monitored, select one or more from the following options to monitor critical ports for their availability, such as WAN ports with internet connectivity and ports to critical DMZ servers:

    • Physical interfaces
    • LAG interfaces
    • Unbound interfaces if they have VLAN configured. You can't select unbound interfaces if they don't have a VLAN.

    If a monitored port goes down, the device considers itself unavailable, and failover occurs.

  11. Specify the following Peer administration settings to access the auxiliary device's web admin console:

    1. Select an Interface.
    2. Enter an IPv4 address or IPv6 address.
  12. For Preferred primary device, select one of the HA devices.

    This device automatically becomes the primary device when it recovers after a failover. See Failing back to primary device.

    Tip

    We recommend that you select the initial primary device, making the license-holding device easy to identify. In active-passive HA, only the initial primary device holds the licenses.

  13. Enter the Keepalive request interval in milliseconds.

    The device sends a heartbeat over the dedicated link port to the peer device at these intervals. Heartbeats are used to determine if the peer device is available.

    Default: 250

  14. Enter the number of Keepalive attempts.

    Default: 16

    For example, if you enter a keepalive request interval of 250 milliseconds and keepalive attempts of 8, the device is declared dead after 250 ms * 8 = 2,000 ms, that is, 2 seconds.

    Note

    You can't set the keepalive interval and keepalive attempts while the devices are in Standalone or Faulty statuses.

  15. For virtual appliances, select Use host or hypervisor-assigned MAC address to use the MAC address assigned by the hypervisor.

    You won't then need to turn on promiscuous mode on the vSwitch. If you don't select this checkbox, see Accept MAC address changes.

    Note

    If you turn the virtual MAC address selection on or off, interface configurations are updated, resulting in downtime.

  16. Click Initiate HA.

    The primary device synchronizes its configuration to the auxiliary device.
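The Keepalive request interval and Keepalive attempts settings, described in both the QuickHA and the interactive procedures above, together define how long the dedicated HA link can go silent before the peer is declared dead and failover occurs. The script below is an added example, not Sophos code, that makes that dead time explicit and replays it against three constructed heartbeat timelines, so you can see which outage durations trigger a failover at a given setting. The accepted ranges it enforces (250 to 500 ms and 16 to 24 attempts) are the ones this article gives for the QuickHA advanced settings and are an assumption for any other configuration; the function names and the timelines are constructed for the example.

```python
"""Keepalive timing for Sophos Firewall active-passive HA.

Added example, not Sophos code.  It applies the rule stated in this article:
the peer is declared dead after (keepalive request interval x keepalive
attempts) without a heartbeat over the dedicated HA link, so 250 ms x 16
= 4,000 ms = 4 s.  The accepted ranges (250-500 ms, 16-24 attempts) are the
ones given for the QuickHA advanced settings and are an assumption for other
configurations.  The heartbeat timelines below are constructed sample data.
"""
from typing import Iterable, Optional

INTERVAL_MS_RANGE = (250, 500)   # Keepalive request interval, milliseconds
ATTEMPTS_RANGE = (16, 24)        # Keepalive attempts


def dead_time_ms(interval_ms: int, attempts: int) -> int:
    """Milliseconds without a heartbeat after which the peer is declared dead."""
    lo, hi = INTERVAL_MS_RANGE
    if not lo <= interval_ms <= hi:
        raise ValueError(f"keepalive request interval {interval_ms} ms is outside {lo}-{hi}")
    lo, hi = ATTEMPTS_RANGE
    if not lo <= attempts <= hi:
        raise ValueError(f"keepalive attempts {attempts} is outside {lo}-{hi}")
    return interval_ms * attempts


def peer_declared_dead_at(heartbeats_ms: Iterable[int], interval_ms: int,
                          attempts: int, observed_until_ms: int) -> Optional[int]:
    """Time (ms since HA was established) at which the peer is declared dead.

    heartbeats_ms lists when heartbeats arrived from the peer.  Once the gap
    since the last heartbeat exceeds dead_time_ms(), the peer is declared dead
    at last_heartbeat + dead_time.  Returns None if no such gap occurs before
    observed_until_ms, i.e. no failover would be triggered in the window.
    """
    limit = dead_time_ms(interval_ms, attempts)
    last = 0   # HA establishment counts as the first contact
    for t in sorted(heartbeats_ms):
        if t - last > limit:
            return last + limit
        last = t
    if observed_until_ms - last > limit:
        return last + limit
    return None


# Constructed timelines: a peer heartbeating every 250 ms for 10 s, one that
# drops out between 2.0 s and 5.5 s (a 3.5 s outage, shorter than the 4 s
# dead time at the defaults), and one that goes silent after 2 s.
STEADY = list(range(0, 10_001, 250))
BRIEF_OUTAGE = [t for t in STEADY if t <= 2_000 or t >= 5_500]
SILENT_AFTER_2S = [t for t in STEADY if t <= 2_000]

if __name__ == "__main__":
    print("dead time at defaults:", dead_time_ms(250, 16), "ms")
    for name, timeline in (("steady", STEADY), ("brief outage", BRIEF_OUTAGE),
                           ("silent after 2 s", SILENT_AFTER_2S)):
        print(f"{name}: declared dead at {peer_declared_dead_at(timeline, 250, 16, 10_000)}")
```

At the defaults, the 3.5 s outage is absorbed without a failover, while the peer that stops heartbeating at 2 s is declared dead at 6 s. Raising either setting lengthens the window in which a genuinely failed peer keeps the cluster waiting, so treat the dead time as a trade-off between false failovers on a flaky HA link and slow detection of a real failure.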

To see the HA details on the CLI, enter the following command: system ha show details