
Registration and licenses

HA devices on hardware, virtual, and software platforms must meet the registration and licensing requirements.

  • Requirements before HA
    • Registration
    • Licensing for active-passive HA
    • Licensing for active-active HA

Note

To configure HA, you must register both devices.

Hardware and virtual appliances

See the requirements for hardware and virtual appliances.

Note

The Base Firewall license is required for high availability.

Hardware appliances carry this license by default.

For virtual appliances, you must purchase the license.

Register devices and synchronize licenses

Run the setup assistant individually on each device to register the devices and synchronize the required licenses using the license keys.

You're taken to Sophos Central to complete the process. See Register a new firewall with Sophos.

Note

Registration and license synchronization don't automatically enable you to manage the firewalls through Sophos Central. You must register the devices with Sophos Central for Firewall Management. See Manage an HA pair in Sophos Central.

Licenses for hardware appliances

Licensing requirements differ for active-passive and active-active HA modes.

Active-passive HA

  • Which device: Only the primary device requires licenses. It's the device you select under Initial device role as Primary (active-passive). The auxiliary device has a copy of the subscriptions, so it can process traffic after failover.

  • Return Merchandise Authorization (RMA): The primary device must have Enhanced Plus Support, which offers advance hardware replacement during the RMA process for both devices. See Advance hardware replacement.

  • Synchronizing licenses with Sophos Central: Synchronize the primary device licenses with Sophos Central.

  • License expires or license synchronization fails: If the Initial primary, which is the device holding the license, can't synchronize the licenses with the licensing server at least once in 90 days, the protection offered by the expired or unsynchronized licenses stops. The Base Firewall and Enhanced Support licenses remain active. For services offered by each license subscription, see Impact of expired license.

Active-active HA

  • Which device: Both primary and auxiliary devices require licenses.

  • Return Merchandise Authorization (RMA): To receive advance hardware replacement during the RMA process, choose one of the following options on both devices:

    • Enhanced Support
    • Enhanced Plus Support

    See Advance hardware replacement.

  • Identical licenses: Both devices must have the same license types.

  • Expiration dates: The license expiration dates can differ.

  • Synchronizing licenses with Sophos Central: Individually synchronize each device's licenses with Sophos Central.

  • One or both devices' licenses expire or license synchronization fails: Load-balancing stops at the end of three days. If the devices can't synchronize their licenses with the licensing server at least once in 90 days, the protection offered by the expired or unsynchronized licenses stops. The Base Firewall and Enhanced Support licenses remain active. For services offered by each license subscription, see Impact of expired license.

Register devices and synchronize licenses

  • In active-passive HA, you can automatically create the auxiliary device with a serial number after you've configured HA on the primary. When you run the setup assistant for the auxiliary device, you're asked to click Connect as HA spare. See Connect new virtual auxiliary in active-passive HA.

    You can also establish HA between existing virtual firewall devices. The Connect as HA spare option isn't available for these.

  • In active-active HA, you can't use the Connect as HA spare option. You must configure HA on each device. See Configure active-active HA.

Note

Registration and license synchronization don't automatically enable you to manage the firewalls through Sophos Central. You must register the devices with Sophos Central for Firewall Management. See Manage an HA pair in Sophos Central.

Licenses for virtual appliances

Active-passive

  • Which device: Only the primary device requires licenses, including the Base Firewall license. It's the device you select under Initial device role as Primary (active-passive).

  • Synchronizing licenses with Sophos Central: Synchronize the primary device licenses with Sophos Central.

  • If the Base Firewall license expires: HA is disabled. The other licenses become inactive.

  • License synchronization: If the initial primary, which is the device holding the licenses, can't synchronize the licenses with the licensing server at least once in 90 days, the Base Firewall license is deactivated, and HA is disabled. Protection offered by the expired or unsynchronized licenses stops.

Active-active

  • Base Firewall license: Both primary and auxiliary devices require individual Base Firewall licenses.

  • Other licenses: If you purchase the other licenses, both devices must have these.

  • Expiration dates: The license expiration dates can differ.

  • Synchronizing licenses with Sophos Central: Individually synchronize each device's licenses with Sophos Central.

  • If the Base Firewall license expires: HA is disabled. The other licenses become inactive.

  • License synchronization fails: Load-balancing stops at the end of three days. If the devices can't synchronize their licenses with the licensing server at least once in 90 days, the protection offered by the unsynchronized licenses stops. This also deactivates the Base Firewall license. For services offered by each license subscription, see Impact of expired license.
