Active-active HA: Example configuration
You can configure two Sophos Firewall devices in an active-active HA cluster using QuickHA and interactive configuration modes.
This page shows an example configuration. For the complete details, see Configure active-active HA.
Requirements
Make sure the primary and auxiliary devices meet the requirements:
- They are the same firewall model.
- They have the same firmware version, including the build number. You can see it on the Control center in the upper-right corner.
- The primary device has all the licenses, and the auxiliary device doesn't have any.
- Register the devices to Sophos Central. See Firewall Management.
See Hardware and software requirements.
Deployment and interfaces
-
Plan your HA ports. See the following example:
Primary Auxiliary Description Dedicated HA link
Port2
DMZ
10.10.10.1
10.10.10.10
Same subnet
Different IP addresses
Monitored port
LAN or WAN
Port3
192.168.10.1
192.168.10.2
Administration port
WAN
Port1
172.16.16.16
172.16.16.17
Same subnet
Different IP addresses
-
Connect the dedicated HA links of the primary and auxiliary devices to each other.
- Connect all the monitored ports to your network devices.
- Go to Network > Cellular WAN and turn it off in both devices.
- Go to Network > Interfaces and configure the three HA ports with the planned configurations.
See Deploy HA ports.
How to configure HA
See how to configure HA in QuickHA or interactive modes.
In QuickHA, you only need to specify the basic settings to enable the firewall to establish HA. You can then specify the advanced settings.
Configure HA on the primary device
- On the primary device, go to System services > High availability.
- Set Initial device role to Primary (active-active).
- Set HA configuration mode to QuickHA mode.
- Optional: Change the node name to help you easily identify the device in the cluster.
-
The firewall automatically generates a passphrase. Copy the passphrase to a text editor. You must enter it on the auxiliary device later on.
-
Under Dedicated HA link, click Add new item and select
Port2
.Note
The firewall automatically assigns the DMZ zone and the default IP address
169.254.192.1
to the interface and turns on SSH for the zone. -
Click Initiate HA.
Configure HA on the auxiliary device
- On the auxiliary device's web admin console, go to System services > High availability.
- Set Initial device role to Auxiliary.
- Set HA configuration mode to QuickHA.
- Optional: Enter a node name.
- Enter the same passphrase used on the primary device.
- For Dedicated HA link, click Add new item and select the same interface you selected in the primary device.
-
Click Initiate HA.
You can see the progress under High availability status. See Manage HA.
The auxiliary device's configuration is synchronized with that of the primary device.
Configure advanced settings on the primary device
After HA is established, you can configure the advanced settings in the primary device as follows:
- Under Select ports to be monitored, select the ports you plan to monitor for this device, for example,
192.168.10.1
. -
Under Peer administration settings, specify the auxiliary device settings as follows:
- Interface:
Port1
- IPv4 address:
172.16.16.16
- Interface:
-
Under Preferred primary device, select
Node1
. - For virtual appliances, select Use host or hypervisor-assigned MAC address.
-
Click Initiate HA.
The primary device synchronizes the changes to the auxiliary device.
Warning
You can't stop QuickHA discovery after the device has discovered the peer and is establishing HA.
In interactive mode, you specify all the settings, such as the monitored port and peer administration settings.
Device access
Turn on SSH for DMZ on both devices.
- Go to Administration > Device access.
- Under SSH, select DMZ.
- Under Ping/Ping6, select DMZ.
- Click Apply.
Configure HA on the auxiliary device
- Sign in to the auxiliary device, and go to System services > High availability.
- Set Initial device role to Auxiliary.
- Set HA configuration mode to Interactive mode.
- Copy the passphrase to a text editor. You must enter it on the primary device later on.
- Under Dedicated HA link, select the DMZ interface you preferred, for example,
Port2
. - Click Save.
The following message appears:
Auxiliary device configuration has been applied successfully. You can now enable HA from primary device.
Configure HA on the primary device
- Sign in to the primary device and go to System services > High availability.
- Set Initial device role to Primary (active-active).
- Set HA configuration mode to Interactive mode.
- Under Cluster ID, enter a number that identifies this HA cluster.
- Paste the passphrase you copied from the auxiliary device.
- Under Dedicated HA link, select
Port2
. - Under Dedicated peer HA link IP address, enter the auxiliary device's IP address you planned, for example,
10.10.10.10
. - Under Select ports to be monitored, select the ports you plan to monitor for this device, for example,
192.168.10.1
. -
Under Peer administration settings, specify the auxiliary device settings as follows:
- Interface:
Port1
- IPv4 address:
172.16.16.17
- Interface:
-
For virtual appliances, select Use host or hypervisor-assigned MAC address.
- Under Preferred primary device, select
Node1
. - Click Initiate HA.
The following message appears: HA has been enabled successfully.
Refresh the devices
-
Refresh the auxiliary device's web admin console after a few minutes and sign in.
-
Refresh the primary device's web admin console.
More resources