Skip to content
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/21.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=HA-deployment-modes

Firewall management and deployment

You can configure HA in firewalls deployed in gateway, bridge, and discover modes.

Sophos Central management

For non-HA firewalls managed from Sophos Central, we recommend that you do as follows:

  1. Deregister them from Sophos Central.
  2. Configure HA.
  3. Register them again for Sophos Central management.

You can then move the HA pair to a different group in Sophos Central. See Manage an HA pair in Sophos Central.

Firewall deployment modes

For firewalls deployed in discover mode, you must meet some requirements.

Gateway and bridge modes

You can configure HA in firewalls deployed in gateway and bridge modes.

See the following topics:

Discover mode

You can configure active-passive HA in TAP or discover mode.

  • If one or both HA devices are in discover mode, you can't configure active-active HA.

  • You can't configure active-passive HA when the TAP interface is active. Do as follows:

    • Go to the CLI of each firewall and deactivate the TAP interface.
    • Establish HA and start the TAP interface again individually on both devices.

  • The TAP interface is active on the passive HA device.

See Deploy the firewall in discover or TAP mode.