Introduce and guide High Availability (HA) configuration with Active-Passive mode on Sophos XG firewall device

Purpose of the article

• This article will introduce what High Availability is and how to configure this feature on Sophos XG firewall device with mode Active-Active.

What is the High Availability (HA) feature?

• High Availability (HA) is a clustering technology which is used to maintain uninterrupted service in the event of power, hardware or software failure. Sophos Firewall devices can be configured in Active-Active or Active-Passive HA modes. The Devices (The Primary and Auxiliary Device) are physically connected over a dedicated HA link port.

• In Active-Active mode, both the Primary Device and Auxiliary Device process traffic while the primary unit is in charge of balancing the traffic. The load balancing is decided by the Primary Device. The Auxiliary Device can only take over if the primary unit experiences a power/hardware/software failure.

• In Active-Passive mode, only the Primary Device processes traffic while the Auxiliary Device remains in stand-by mode, ready to take over if the Primary Device experiences a power/hardware/software failure.

Prerequisites

• Both devices in the HA cluster (i.e. Primary Device and Auxiliary Device) must be the same model and revision.
• Both devices must be registered.
• Both devices must have same number of interfaces.
• Both devices must have the same firmware version installed. This includes maintenance releases and hot-fixes as well as firmware build. You can verify the firmware version using the following console command: system diagnostics show version-info

• Active-Active: Two separate licenses are required; one for the Primary Device and other for the Auxiliary Device. Both devices must have the same subscription modules enabled.
• Active-Passive: One license is required for the Primary Device. No license is needed for the Auxiliary Device.
• The same subscription modules must be enabled on both the devices.
• Cables to all the monitored ports on both devices must be connected. Connect the dedicated HA link port of both devices with either a crossover or straight through cable, indirectly through a dedicated Ethernet network (Example: A dedicated VLAN over an Ethernet network) or use a layer 2 switch but only dedicated HA link pair ports should be connected to that switch to avoid HA heartbeat information to propagate to the switch’s broadcasting domain.
• Specify the same port as the HA link port on both devices. (Example: If you choose Port C, it must be HA link port on both devices).
• On both devices, the Dedicated HA link port must be a member of the same zone with the type DMZ, and must have a unique IP Address.
• The HA link port’s IP addresses of both peers must belong to the same subnet. The peers use this link to communicate cluster information and synchronize with each other.
• Device Access over SSH on the DMZ Zone must be enabled for both devices; refer to Step 1 below.
• DHCP and PPPoE interface configuration and Cellular WAN configuration must be disabled before attempting HA Active-Active configuration. See HA Behaviour below for details.
• Wireless XG (w) models do not support HA.

Instructions for configuring High Availability with Active-Active mode

We have the following network diagram:

• In this diagram, dedicated HA link ports (Port 3 of 2 devices) are directly connected via crossover cables or straight cables.
• The first step is to enable SSH for the DMZ zone on both devices.
• To turn on, click Administrator> Device Access.
• Under Admin Services click on the SSH box in the DMZ line to pop up and then click Apply.

Configure information on Auxiliary devices

• In the auxiliary device, log on to the administrative interface and click System Services> High Availability and enter the following parameters. If these details are not configured on the Auxiliary Device, then the Primary Device will not be able to connect to the Auxiliary Device.

• HA Configuration Mode: Active-Active
  
• Initial HA Device State: Auxilliary
  
• Passphrase: Create a passphrase
  
• Dedicated HA Link Port: PortC. This must be the same port on both sides.
• Click Save.

Configure information on Primary devices

• Navigate to System Services > HA and configure HA parameters as shown below:
• HA Configuration Mode: Active-Passive
  
• Initial HA Device State: Primary
  
• Passphrase: Enter the same passphrase as the auxiliary device.
  
• Dedicated HA Link Port: Port3 (must be the same port as the auxiliary device).
  
• Peer HA Link IPv4: This must be the same IP as the network set on PortC.
  
• Peer Administration Port: Select the administration port for the auxiliary or peer device. 
  
• Peer Administration IP: This IP address must be on a different network than the Peer HA Link IPv4 of this device. The Admin Console of the Auxiliary Device can be accessed at this address. Any user accessing the Admin Console of Auxiliary Device will be logged in with the HA Profile and have read-only rights.
  
• Select ports to be monitored: Select the ports to be monitored for HA status.

• Click Enable HA to complete the settings.
• Note: The device on which HA is configured becomes the Primary Device and the other device becomes the Auxiliary Device. Once HA is established between the primary and auxiliary device, all configurations of the Primary Device are synchronized with the Auxiliary Device and no additional configurations are required.
  

Verify HA

• To check the status of HA, go to the Control Center and locate the HA Details. It displays the configured HA mode.

• HA status can also be verified from the CLI console by following the steps below:
• Log in to the CLI Console of the Primary Device using administrator credentials.
  
• Select option 4. Device Console from the Main Menu.
  
• Execute the following command at the console prompt:
  system ha show details