Reconfigure HA devices in active-passive mode after an RMA
You can replace high availability (HA) devices and reconfigure HA in active-passive mode after an RMA. The steps here only apply to HA active-passive mode and not to HA active-active mode.
Warning
An outage occurs when you reimage and replace HA devices and reconfigure HA. Plan your downtime accordingly.
Requirements
The requirements are as follows:
- Check if the model and revision of the replacement device are correct.
- Check the firmware version and build of the working firewall and the replacement firewall. To do this, do as follows:
  - Sign in to the CLI console. See Accessing Command Line Console.
  - Type 4 to select Device Console.
  - Run system diagnostics show version-info and check the firmware version and build of both firewalls.
- Download the latest firmware. See Download firmware.
Tip
We recommend using the latest firmware. If you prefer to stay on your current firmware and it isn't available for download, contact Sophos Support to request the firmware version and build. See Sophos Support.
- Check which firewall is the initial primary device. To do this, do as follows:
Configuration
After an RMA, you can replace the auxiliary or the primary device and reconfigure HA.
You want to replace the auxiliary device with the replacement device and reconfigure HA in active-passive mode.
Scenario
- Firewall 1 is the primary device running as a standalone HA.
- Firewall 2 is the faulty auxiliary device.
- Firewall 3 is the replacement device.
Configure firewall 3
On firewall 3, do as follows:
- Reimage firewall 3 to the same firmware version and build as firewall 1. See Reimage Sophos Firewall. You can skip this step if the firmware version and build are the same on both firewalls.
- Sign in to firewall 3, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
- Claim firewall 3 from Sophos Central and transfer the license from firewall 2 to firewall 3. See Transfer licenses in HA devices.
- Disconnect the cables from firewall 2 and connect them to firewall 3.
Configure firewall 1
On firewall 1, do as follows:
- Go to System services > High availability and click Disable HA.
- Check that the msync service shows as UNTOUCHED or STOPPED. To do this, do as follows:
- Configure firewall 1 and firewall 3 in HA active-passive mode. Make sure that firewall 1 is configured as the primary device and firewall 3 is configured as the auxiliary device. See Configure active-passive HA.
You want to replace the primary device with the replacement device and reconfigure HA in active-passive mode.
Scenario
- Firewall 1 is the faulty primary device.
- Firewall 2 is the auxiliary device running as a standalone HA.
- Firewall 3 is the replacement device.
Configuration
To replace the primary device with the replacement device and reconfigure HA in active-passive mode, do as follows:
- If firewall 2 is registered to Sophos Central, go to Sophos Central and click Deregister.
- Sign in to your Sophos Central account. Go to My Products > Firewall Management and click Firewalls. Make sure that firewall 2 doesn't exist.
- On firewall 2, go to Backup & firmware, download the configuration backup, and save it to your computer. See Backup and restore.
- Reimage firewall 3 to the same firmware version and build as firewall 2. See Reimage Sophos Firewall. You can skip this step if the firmware version and build are the same on both firewalls.
- Sign in to firewall 3, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
- Claim firewall 3 from Sophos Central and transfer the license from firewall 1 to firewall 3. See Transfer licenses in HA devices.
- Restore the configuration backup to firewall 3. See Backup and restore.
- Disconnect the cables from firewall 1 and connect them to firewall 3.
- Redirect the traffic from firewall 2 to firewall 3.
- Reset firewall 2 to factory default settings. See Reset to factory settings.
- Sign in to firewall 2, connect a cable to the WAN interface, and configure the WAN interface to allow internet access. Don't configure any LAN or DMZ interfaces.
- Claim firewall 2 from Sophos Central if you haven't claimed it yet. See Set up your Sophos Firewall and claim it in Sophos Central.
- Configure firewall 2 and firewall 3 in HA active-passive mode. Make sure that firewall 3 is configured as the primary device and firewall 2 is configured as the auxiliary device. See Configure active-passive HA.