
Active-passive HA: Example configuration

You can configure two Sophos Firewall devices in an active-passive HA cluster using QuickHA and interactive configuration modes.

This page shows an example configuration. For the complete details, see Configure active-passive HA.

Requirements

Make sure the primary and auxiliary devices meet the requirements:

  1. They are the same firewall model.
  2. They have the same firmware version, including the build number. You can see it on the Control center in the upper-right corner.
  3. The primary device has all the licenses, and the auxiliary device doesn't have any.
  4. Register the devices to Sophos Central. See Firewall Management.

See Hardware and software requirements.

Deployment and interfaces

  1. Plan your HA ports. See the following example:

    Port                 Zone         Interface   Primary         Auxiliary       Description
    Dedicated HA link    DMZ          Port2       10.10.10.1      10.10.10.10     Same subnet, different IP addresses
    Monitored port       LAN or WAN   Port3       192.168.10.1    192.168.10.2
    Administration port  WAN          Port1       172.16.16.16    172.16.16.17    Same subnet, different IP addresses

  2. Connect the dedicated HA links of the primary and auxiliary devices to each other.

  3. Connect all the monitored ports to your network devices.
  4. Go to Network > Cellular WAN and turn it off on both devices.
  5. Go to Network > Interfaces and configure the three HA ports with the planned configurations.

See Deploy HA ports.
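As an added pre-deployment check (example code, not part of the Sophos documentation), the following Python script validates a planned HA port table against the rules in the table above: each port pair in the same subnet with different IP addresses, no interface reused across roles, and the dedicated HA link in the DMZ zone. The /24 prefix lengths are an assumption; the page gives only the addresses.

```python
import ipaddress

# Planned HA port assignments, constructed from the example table on this page.
# The /24 prefix lengths are assumed; adjust them to your own subnet plan.
HA_PLAN = {
    "Dedicated HA link": {"interface": "Port2", "zone": "DMZ",
                          "primary": "10.10.10.1/24", "auxiliary": "10.10.10.10/24"},
    "Monitored port": {"interface": "Port3", "zone": "LAN",
                       "primary": "192.168.10.1/24", "auxiliary": "192.168.10.2/24"},
    "Administration port": {"interface": "Port1", "zone": "WAN",
                            "primary": "172.16.16.16/24", "auxiliary": "172.16.16.17/24"},
}


def validate_ha_plan(plan):
    """Return a list of problems; an empty list means the plan follows the page's rules."""
    problems = []
    seen_ifaces = {}  # interface name -> role that already claimed it
    for role, p in plan.items():
        pri = ipaddress.ip_interface(p["primary"])
        aux = ipaddress.ip_interface(p["auxiliary"])
        # Both devices must sit in the same subnet on each HA port...
        if pri.network != aux.network:
            problems.append(f"{role}: {pri} and {aux} are not in the same subnet")
        # ...but must never share an address.
        if pri.ip == aux.ip:
            problems.append(f"{role}: primary and auxiliary must use different IP addresses")
        # One physical interface serves exactly one HA role.
        iface = p["interface"]
        if iface in seen_ifaces:
            problems.append(f"{role}: {iface} is already used for {seen_ifaces[iface]}")
        seen_ifaces[iface] = role
    # The dedicated HA link is required and is placed in the DMZ zone.
    link = plan.get("Dedicated HA link")
    if link is None:
        problems.append("no dedicated HA link planned")
    elif link["zone"] != "DMZ":
        problems.append(f"Dedicated HA link: zone is {link['zone']}, expected DMZ")
    return problems


if __name__ == "__main__":
    for issue in validate_ha_plan(HA_PLAN) or ["HA port plan looks consistent"]:
        print(issue)
```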

How to configure HA

The following sections show how to configure HA in QuickHA mode and in interactive mode.

In QuickHA, you only need to specify the basic settings to enable the firewall to establish HA. You can then specify the advanced settings.

Configure HA on the primary device

  1. On the primary device, go to System services > High availability.
  2. Set Initial device role to Primary (active-passive).
  3. Set HA configuration mode to QuickHA mode.
  4. Optional: Change the node name to help you easily identify the device in the cluster.
  5. The firewall automatically generates a passphrase. Copy the passphrase to a text editor. You must enter it on the auxiliary device later on.

  6. Under Dedicated HA link, click Add new item and select Port2.

    Note

    The firewall automatically assigns the DMZ zone and the default IP address 169.254.192.1 to the interface and turns on SSH for the zone.

  7. Click Initiate HA.

Configure HA on the auxiliary device

  1. On the auxiliary device's web admin console, go to System services > High availability.
  2. Set Initial device role to Auxiliary.
  3. Set HA configuration mode to QuickHA.
  4. Optional: Enter a node name.
  5. Enter the same passphrase used on the primary device.
  6. For Dedicated HA link, click Add new item and select the same interface you selected in the primary device.
  7. Click Initiate HA.

    You can see the progress under High availability status. See Manage HA.

    The auxiliary device's configuration is synchronized with that of the primary device.

Configure advanced settings on the primary device

After HA is established, you can configure the advanced settings in the primary device as follows:

  1. Under Select ports to be monitored, select the ports you plan to monitor for this device, for example, Port3 (192.168.10.1).
  2. Under Peer administration settings, specify the auxiliary device settings as follows:

    1. Interface: Port1
    2. IPv4 address: 172.16.16.16

  3. Under Preferred primary device, select Node1.

  4. For virtual appliances, select Use host or hypervisor-assigned MAC address.
  5. Click Initiate HA.

    The primary device synchronizes the changes to the auxiliary device.

Warning

You can't stop QuickHA discovery after the device has discovered the peer and is establishing HA.

In interactive mode, you specify all the settings, such as the monitored port and peer administration settings.

Device access

Turn on SSH and ping for the DMZ zone on both devices.

  1. Go to Administration > Device access.
  2. Under SSH, select DMZ.
  3. Under Ping/Ping6, select DMZ.
  4. Click Apply.

Configure HA on the auxiliary device

  1. Sign in to the auxiliary device, and go to System services > High availability.
  2. Set Initial device role to Auxiliary.
  3. Set HA configuration mode to Interactive mode.
  4. Under Cluster ID, enter a number that identifies this HA cluster.
  5. Copy the passphrase to a text editor. You must enter it on the primary device later on.
  6. Under Dedicated HA link, select the DMZ interface you planned for the HA link, for example, Port2.
  7. Click Save.

The following message appears:

Auxiliary device configuration has been applied successfully. You can now enable HA from primary device.

Configure HA on the primary device

  1. Sign in to the primary device and go to System services > High availability.
  2. Set Initial device role to Primary (active-passive).
  3. Set HA configuration mode to Interactive mode.
  4. Paste the passphrase you copied from the auxiliary device.
  5. Under Dedicated HA link, select Port2.
  6. Under Dedicated peer HA link IP address, enter the auxiliary device's IP address you planned, for example, 10.10.10.10.
  7. Under Select ports to be monitored, select the ports you plan to monitor for this device, for example, Port3 (192.168.10.1).
  8. Under Peer administration settings, specify the auxiliary device settings as follows:

    1. Interface: Port1
    2. IPv4 address: 172.16.16.17

  9. For virtual appliances, select Use host or hypervisor-assigned MAC address.

  10. Under Preferred primary device, select Node1.
  11. Click Initiate HA.

The following message appears: HA has been enabled successfully.

The primary device shows the following HA status:

Status on the primary device in interactive mode for active-passive HA.

Refresh the devices

  1. Refresh the auxiliary device's web admin console after a few minutes and sign in.

    Status on the auxiliary device for active-passive HA after a refresh.

  2. Refresh the primary device's web admin console.

    Status on the auxiliary device for active-passive HA after a refresh.
