The high availability functionality of Sophos UTM covers four basic settings:
- Automatic configuration
- Hot Standby (Active-Passive)
- Cluster (Active-Active)
Automatic configuration: Sophos UTM features a plug-and-play configuration option for Sophos UTM appliances that allows the setup of a hot standby system/cluster without requiring reconfiguration or manual installation of devices to be added to the cluster. Simply connect the dedicated HA interfaces (eth3) of your Sophos UTM appliances with one another, select Automatic configuration for all devices, and you are done.
Note – Automatic configuration is only enabled by default on appliances with a fixed eth3 port. On appliances which only offer modular (removable) FlexiPort modules this feature is disabled by default but can be enabled on any preferred port (Sync NIC) as described further below.
Note – For Automatic configuration to work, all Sophos UTM appliances must be of the same model. For example, you can only use two Sophos UTM 320 appliances to set up a HA system; one Sophos UTM 220 unit on the one hand and one Sophos UTM 320 unit on the other hand cannot be combined.
If you connect two Sophos UTM appliances through this dedicated interface, all devices will recognize each other and configure themselves automatically as an HA system—the device with the longer uptime becoming master. If the unlikely case should occur that the uptime is identical, the decision which device is becoming master will be made based on the MAC address.
Using Sophos UTM Software, the Automatic Configuration option is to be used on dedicated slave systems to automatically join a master or already configured hot standby system/cluster. For that reason, Automatic Configuration can be considered a transition mode rather than a high availability operation mode in its own right. For the high availability operation mode will change to Hot Standby or Cluster as soon as a device with Automatic Configuration selected joins a hot standby system or cluster, respectively. The prerequisite, however, for this feature to work is that the option Enable Automatic Configuration of New Devices is enabled on the master system. This function will make sure that those devices will automatically be added to the hot standby system/cluster whose high availability operation mode is set to Automatic Configuration.
Hot Standby (active-passive): Sophos UTM features a hot standby high availability concept consisting of two nodes, which is the minimum required to provide redundancy. One of the major improvements introduced in Sophos UTM Software 9 is that the latency for a takeover could be reduced to less than two seconds. In addition to firewall connection synchronization, the gateway also provides IPsec tunnel synchronization. This means that road warriors as well as remote VPN gateways do not need to re-establish IPsec tunnels after the takeover. Also, objects residing in the quarantine are also synchronized and are still available after a takeover.
Cluster (active-active): (Not available with BasicGuard subscription.) To cope with the rising demand of processing large volumes of Internet traffic in real time, Sophos UTM features a clustering functionality that can be employed to distribute processing-intensive tasks such as content filtering, virus scanning, intrusion prevention, or decryption equally among multiple cluster nodes. Without the need of a dedicated hardware-based load balancer, the overall performance of the gateway can be increased considerably.
Note – When configuring a cluster, make sure you have configured the master node first before connecting the remaining units to the switch.
Select a high availability operation mode.
By default, high availability is turned off. The following modes are available:
- Automatic Configuration
- Hot Standby (active-passive)
- Cluster (active-active)
Note – If you want to change the high availability operation mode, you must always set the mode back to Off before you can change it to either Automatic Configuration, Hot Standby, or Cluster.
Note – If the license/subscription has expired or is non-existent, the operation mode changing is limited to Off and the current operation mode.
Depending on your selection, one or more options will be displayed.
Make the following settings:
Sync NIC: Select the network interface card through which master and slave systems will communicate. If link aggregation is active you can select here a link aggregation interface, too.
Note – It is recommended to separate the HA synchronization from the other network traffic. For example VLAN.
Note – Only those interfaces are displayed that have not been configured yet. It is possible to change the synchronization interface in a running configuration. Note that afterwards all nodes are going to reboot.
The following options can only be configured if you either select Hot Standby or Cluster as operation mode:
Device name: Enter a descriptive name for this device.
Device node ID: Select the node ID Identity of the device. In a case of a failure of the primary system, the node with the highest ID will become master.
Encryption key: The passphrase with which the communication between master and slave is encrypted (enter the passphrase twice for verification). Maximum key length is 16 characters.
The high-availability failover is now active on the device.
The gateway in hot standby mode will be updated at regular intervals over the data transfer connection. Should the active primary system encounter an error, the secondary will immediately and automatically change to normal mode and take over the primary system’s functions.
More information (especially use cases) can be found in the HA/Cluster Guide, which is available at the Sophos Knowledge Base.
This section allows you to make some advanced settings.
Enable automatic configuration of new devices: If you have configured a hot standby system/cluster manually, this option will make sure that those devices will automatically be added to the hot standby system/cluster whose high-availability operation mode is set to Automatic configuration. However, this option is of no effect on slave systems, so you can leave it enabled, which is the default setting.
Keep node(s) reserved during Up2Date: If selected, during an update to a new system version, half of the HA/Cluster nodes will keep the current system version. When the new version is stable, you can update the remaining nodes on the Management > High Availability > Status page. In case the new version leads to a failure of all updated nodes, the remaining nodes will build a new HA/Cluster with the old version. You can then install the old version on the failed nodes or wait for the next update.
If Keep Node(s) Reserved During Up2Date is enabled, reserved nodes will not be synchronized anymore after an update, because synchronization is restricted to nodes having the same system version. Instead, the state of the reserved nodes will be preserved. So, if for whatever reason you decide to reactivate the reserved nodes, configuration changes or reporting data coming up in the time span between update start and reactivation will be lost.
Preferred master: Here you can define a designated master node by selecting a node from the drop-down list. In case of a failover, the selected node will not stay in Slave mode after the link recovers but instead will switch back to Master mode.
Backup interface: To prevent that both master and slave become master at the same time (master-master situations), for example, because of a failure of the HA synchronization interface or an unplugged network cable, a backup heartbeat interface can be selected. This additional heartbeat interface can be any of the configured and active Ethernet interfaces (not Ethernet Bridge or Ethernet VLAN). If a backup interface is selected, an additional heartbeat signal is sent via this interface in one direction from the master to the slave to make sure that the master-slave configuration stays intact. If the master-slave connection is disabled and the backup interface becomes involved, the administrator will receive a notification informing that one of the cluster nodes is dead. However, this option is of no effect on slave systems, so you can leave it unconfigured.
Note – In case of a failure of the HA synchronization interface, no configuration is synchronized anymore. The backup interface only prevents master-master situations.