Reimage and reconfigure HA devices in active-passive mode
You can reimage high availability (HA) devices and reconfigure HA in active-passive mode. The steps here only apply to HA active-passive mode and not to HA active-active mode.
Warning
An outage occurs when you reimage and replace HA devices and reconfigure HA. Plan your downtime accordingly.
Scenario
- Firewall 1 is the current primary device and the initial primary device with a purchased license subscription.
- Firewall 2 is the current auxiliary device.
Requirements
The requirements are as follows:
- Check the firmware version and build of both firewalls. To do this, do as follows:
  - Sign in to the CLI console. See Accessing Command Line Console.
  - Type 4 to select Device Console.
  - Run system diagnostics show version-info and check the firmware version and build of both firewalls.
- Download the latest firmware. See Download firmware.
Tip
We recommend using the latest firmware. If you prefer to stay on your current firmware and it isn't available for download, contact Sophos Support to request the firmware version and build. See Sophos Support.
- Check which firewall is the initial primary device. To do this, do as follows:
Configuration
You can reimage the auxiliary, primary, or both devices, then reconfigure HA.
You want to reimage the auxiliary device and reconfigure HA in active-passive mode.
Configure firewall 1
On firewall 1, do as follows:
- If firewall 1 is registered to Sophos Central, go to Sophos Central and click Deregister.
- Sign in to your Sophos Central account. Go to My Products > Firewall Management and click Firewalls. Make sure that firewall 1 doesn't exist.
- Go to Backup & firmware, download the configuration backup, and save it to your computer. See Backup and restore.
- Go to System services > High availability and click Disable HA. If firewall 2 is connected to firewall 1, firewall 2 reboots with factory default settings, except for the admin password and peer administration IP address.
Note
Don't turn off HA via firewall 2.
- Check that the msync service shows as UNTOUCHED or STOPPED. To do this, do as follows:
Configure firewall 2
On firewall 2, do as follows:
- Reimage firewall 2 to the same firmware version and build as firewall 1. See Reimage Sophos Firewall.
- Sign in to firewall 2, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
- Claim firewall 2 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.
Configure the firewalls in HA active-passive mode. Make sure that firewall 1 is configured as the primary device and firewall 2 is configured as the auxiliary device. See Configure active-passive HA.
You want to reimage the primary device and reconfigure HA in active-passive mode.
Configure firewall 1
On firewall 1, do as follows:
- If firewall 1 is registered to Sophos Central, go to Sophos Central and click Deregister.
- Sign in to your Sophos Central account. Go to My Products > Firewall Management and click Firewalls. Make sure that firewall 1 doesn't exist.
- Go to Backup & firmware, download the configuration backup, and save it to your computer. See Backup and restore.
- Go to System services > High availability and click Switch to passive device. Firewall 2 becomes the primary device.
- Reimage firewall 1 to the same firmware version and build as firewall 2. See Reimage Sophos Firewall.
- Sign in to firewall 1, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
- Claim firewall 1 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.
- Disconnect all cables from firewall 1, except the cable connected to your computer.
- Restore the configuration backup to firewall 1. See Backup and restore.
- Reconnect the cables to firewall 1 and redirect the traffic from firewall 2 to firewall 1.
Configure firewall 2
On firewall 2, do as follows:
- Reset firewall 2 to factory default settings. See Reset to factory settings.
- Sign in to firewall 2, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
- Claim firewall 2 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.
Configure the firewalls in HA active-passive mode. Make sure that firewall 1 is configured as the primary device and firewall 2 is configured as the auxiliary device. See Configure active-passive HA.
You want to reimage and upgrade both HA devices to the latest firmware and reconfigure HA in active-passive mode.
Configure firewall 1
On firewall 1, do as follows:
- If firewall 1 is registered to Sophos Central, go to Sophos Central and click Deregister.
- Sign in to your Sophos Central account. Go to My Products > Firewall Management and click Firewalls. Make sure that firewall 1 doesn't exist.
- On firewall 1, go to Backup & firmware, download the configuration backup, and save it to your computer. See Backup and restore.
- Go to System services > High availability and click Switch to passive device. Firewall 2 becomes the primary device.
- Reimage firewall 1 to the latest firmware. See Reimage Sophos Firewall.
- Sign in to firewall 1, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
- Claim firewall 1 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.
- Disconnect all cables from firewall 1, except the cable connected to your computer.
- Restore the configuration backup to firewall 1. See Backup and restore.
- Reconnect the cables to firewall 1 and redirect the traffic from firewall 2 to firewall 1.
Configure firewall 2
- Reimage firewall 2 to the same firmware version and build as firewall 1.
- Sign in to firewall 2, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
- Claim firewall 2 from Sophos Central if you haven't claimed it yet.
Configure the firewalls in HA active-passive mode. Make sure that firewall 1 is configured as the primary device and firewall 2 is configured as the auxiliary device. See Configure active-passive HA.