Sophos XG High Availability Setup Guide

Active-Passive High Availability (HA) is a critical feature that ensures the continuous availability of network services and minimizes downtime in the event of a hardware or software failure. By setting up Active-Passive HA on a Sophos XG Firewall, you create a redundant and resilient network security infrastructure that automatically fails over to a standby unit when the primary unit experiences issues.

This tutorial walks through configuring Active-Passive HA on a Sophos XG Firewall. Following these steps establishes a highly available, fault-tolerant network environment with uninterrupted connectivity and protection.

Step 1: Prepare the HA Environment

Before configuring Active-Passive HA, ensure the following prerequisites:

  1. Obtain two Sophos XG Firewall appliances with the same hardware specifications.
  2. Physically connect the two firewalls to the network with interfaces assigned to the same zones (e.g., LAN, WAN).
  3. Set unique static IP addresses for the LAN interfaces of both firewalls. The primary unit will have the active IP, and the secondary unit will have the passive IP.

Step 2: Access the Management Interface

Begin by accessing the Sophos XG Firewall’s web-based management interface on the primary unit:

  1. Open a web browser on a computer connected to the same network as the primary Sophos XG Firewall.
  2. Enter the IP address assigned to the LAN interface of the primary firewall in the browser’s address bar and press “Enter.”
  3. Enter the administrative username and password to log in to the management interface.

Step 3: Configure the Primary Firewall

Configure the primary Sophos XG Firewall as follows:

  1. In the management interface, navigate to “System” in the top menu.
  2. Select “High Availability” from the drop-down menu and click on “Configuration.”
  3. Click “Add” to add a new HA configuration.
  4. Enter a name for the HA configuration (e.g., Primary-HA).
  5. Choose “Active” for the HA Role.
  6. Enter the passive IP address of the secondary firewall in the “Peer IP Address” field.
  7. Click “Save” to create the HA configuration.

Step 4: Configure the Secondary Firewall

Configure the secondary Sophos XG Firewall as follows:

  1. In the management interface, navigate to “System” in the top menu.
  2. Select “High Availability” from the drop-down menu and click on “Configuration.”
  3. Click “Add” to add a new HA configuration.
  4. Enter a name for the HA configuration (e.g., Secondary-HA).
  5. Choose “Passive” for the HA Role.
  6. Enter the active IP address of the primary firewall in the “Peer IP Address” field.
  7. Click “Save” to create the HA configuration.

Step 5: Enable High Availability

Enable High Availability on both firewalls:

  1. On the primary firewall, go to “System” > “High Availability” > “Settings.”
  2. Check the box to “Enable High Availability” and select the HA configuration (e.g., Primary-HA) created earlier.
  3. Click “Save” to enable High Availability on the primary firewall.
  4. On the secondary firewall, go to “System” > “High Availability” > “Settings.”
  5. Check the box to “Enable High Availability” and select the HA configuration (e.g., Secondary-HA) created earlier.
  6. Click “Save” to enable High Availability on the secondary firewall.

Step 6: Verify High Availability Status

Ensure that the High Availability status is active on the primary firewall:

  1. On the primary firewall, go to “System” > “High Availability” > “Status.”
  2. Verify that the status shows “Active” for the primary firewall and “Passive” for the secondary firewall.
  3. Check the “Last Heartbeat” timestamp to confirm that both firewalls are communicating with each other.
  4. If the status is not active, review the configurations and network connectivity between the firewalls.

Step 7: Test High Availability Failover

To test the High Availability failover, simulate a failure on the primary firewall:

  1. Disconnect the WAN (internet) interface of the primary firewall or power off the primary firewall.
  2. Observe the High Availability status on the secondary firewall. It should change from “Passive” to “Active” as the secondary firewall takes over the active role.
  3. Verify that network services and connectivity are maintained during the failover.
  4. Reconnect the WAN interface or power the primary firewall back on. Once it is back online, the primary firewall should automatically synchronize with the secondary firewall and resume the active role.
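
To put a number on item 3 of the failover test, the following added example (not part of the original guide, and not Sophos tooling) probes a service through the firewall pair and reports each outage window. The host and port passed on the command line are assumptions you supply; the embedded samples are constructed so the script also runs offline.

```python
import socket
import time

def probe(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def monitor(check, duration, interval=0.5):
    """Call check() every `interval` seconds; return [(seconds_elapsed, ok)]."""
    start = time.monotonic()
    samples = []
    while (now := time.monotonic()) - start < duration:
        samples.append((round(now - start, 3), check()))
        time.sleep(interval)
    return samples

def outage_windows(samples):
    """Collapse samples into (first_failed, first_recovered, seconds) tuples.

    An outage still open at the last sample is reported with None for the
    recovery time and duration, so an incomplete failover is not hidden."""
    windows, down_since = [], None
    for ts, ok in samples:
        if not ok and down_since is None:
            down_since = ts
        elif ok and down_since is not None:
            windows.append((down_since, ts, round(ts - down_since, 3)))
            down_since = None
    if down_since is not None:
        windows.append((down_since, None, None))
    return windows

# Constructed samples: probes every 0.5 s, failover gap between 1.0 s and 2.5 s.
SAMPLE = [(0.0, True), (0.5, True), (1.0, False), (1.5, False),
          (2.0, False), (2.5, True), (3.0, True)]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # HOST PORT: start it, then trigger the failover
        host, port = sys.argv[1], int(sys.argv[2])
        data = monitor(lambda: probe(host, port), duration=120)
    else:
        data = SAMPLE  # offline demonstration on the constructed samples
    for first_failed, recovered, seconds in outage_windows(data):
        print(f"down at {first_failed}s, recovered at {recovered}s, outage {seconds}s")
```

Run it once for the failover and again when the primary rejoins, since the return to the active role in item 4 is a second role change that can interrupt traffic.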

Conclusion:

Setting up Active-Passive High Availability (HA) on a Sophos XG Firewall provides a robust and redundant network security solution, ensuring continuous availability and minimizing downtime. By following this comprehensive tutorial, you have successfully configured Active-Passive HA, enabling automatic failover between the primary and secondary firewalls. With Active-Passive HA in place, your organization can confidently rely on a resilient and highly available network environment, maintaining optimal protection and connectivity.
