Here in this article, we will discuss some important points which needs to be considered while configuring high availability in sophos XG firewall.
First lets discuss about requirements:
Devices and Firmware:
1.Devices in HA cluster (auxiliary and primary) must be in same hardware model and revision number. For example. SG 450 rev2 can connect only to SG 450 rev2.
2.All devices must have number of same ports or interfaces. This includes when flexi port expansion modules are installed.
3.The devices must have the same firmware version installed which includes hot fixes or releases.
Note: High availability will not support on wireless models.
Networking and Access Policy:
1.The cables to all the monitored ports on both the devices must be connected.
2.The Dedicated HA link port must be a member of DMZ zone, and have unique IP address on both devices.
3.You must turn on SSH, on the DMZ zone, for both devices.
4.Ensure that the IP address of the HA link port of the primary and auxiliary devices is in the same subnet.
5.DHCP and PPPoE must be disabled before attempting HA configuration.
6.If you connect the HA devices to an Ethernet switch that uses the spanning tree protocol (STP), you may need to adjust the link activation time on the switch port connected to the XG Firewall interfaces. For example, on a Cisco Catalyst-series switch, it’s necessary to turn on spanning tree port-fast for each port connecting to XG Firewall interfaces. This means you must turn on port-fast and turn off both the spanning tree protocols (STP) and RSTP for the switch ports XG Firewall connects to.
7.The dedicated HA link must use the default link speed and MTU-MSS.
8.The HA link latency increases with distance. We also recommend that you turn off spanning tree protocol (STP) on the dedicated HA link.
1.You must configure the firewall that carries the license subscription as the primary node during the initial HA setup.
2.You must register the devices.
3.The devices must have the same subscription modules enabled.
4.In active-active mode, both devices require a license. Sandstorm does not affect the HA setup regardless of the expiry date in each device.
5.In active-passive mode, you require a license only for the primary device. License is not needed for the auxiliary device.
6.If a software or virtual device is used, you need to purchase only one base license. When that serial number is registered, SFOS manages the creation of the passive device; there’s no need to purchase a separate base firewall license for the passive device or a separate serial number.
The following configurations aren’t supported on an HA cluster:
1.DHCP and PPPoE: When interfaces are dynamically configured using DHCP or PPPoE, only HA in active-passive mode is supported. HA in active-active mode isn’t supported. Cellular WAN configuration isn’t supported in any HA mode.
2.Alias IP addresses or VLANs on dedicated HA port.
3.Overriding the MAC address on the dedicated port.
4.Dynamic IP addresses on any interface in active-active mode.
5.Session failover with dynamic interfaces in active-passive mode.
6.LACP or LLDP on the dedicated HA interface.
There will be not be any down time while configuring high availability in both active-active or active-passive modes.
|Upgrade from 17.x to 18.x||You’ll experience downtime.|
In 18.0, XG Firewall uses a different communication protocol, which results in downtime.
|Upgrade from 18.x to 18.x||No downtime.|
This applies when you download and install the firmware from Latest available firmware.
|Roll back to a compatible version||You’ll experience downtime.|
Make sure the same inactive firmware version is available on both devices under Firmware. Example: SFOS 18.0.3 MR-3
Alternatively, disable HA and then roll back each device to the version you want. The primary device sends a factory reset signal to the auxiliary device. The auxiliary device stores the peer administration IP address and the dedicated peer HA link IP address. Enable HA again, if you want to.
|Roll back to a previous version that wasn’t configured with HA||The devices revert to standalone status. Configure HA again if you want to.|
Each device holds the configuration file that corresponds to the previous firmware version. The file determines the HA configuration status. Roll back activates the configuration of the previous version.
|Downgrade to any version||You’ll experience downtime.|
Thanks for reading.
In case if you observe any flaw in this article, please update us.