Which types of Sophos Firewall HA clusters are available?

For a high-availability solution, you can cluster your Sophos SG or XG firewall. This ensures that in the event of a hardware failure, the second firewall can take over the tasks and your network continues to work without problems.


To create a cluster between two SG, XG or XGS firewalls, you need to follow a few rules:

  • No different appliances can be clustered (e.g. XGS 136 and XGS 2100)
  • No different revision clusters can be clustered (e.g. XG 210 Rev. 2 and XG 210 Rev. 3.)
  • No w-models can be clustered (SG/XG 106w, 115w, 125w, 135w)
  • Different SFOS firewalls cannot be clustered (e.g. XGS 2300 and XG 230)

Two different versions

You can choose between two different types of clusters to connect your two Sophos firewalls:

Active / Passive Cluster

The “Active / Passive” cluster is the cheaper variant and is sufficient in most cases. The two firewalls are connected directly via an HA port and in case of a failure of the master, the second firewall takes over within a few seconds. The interruption is less than one minute.

Active / Active Cluster

The “Active / Active” cluster is the high-end version. Here, too, the two firewalls are connected via an HA port. However, traffic is routed through both firewalls. This means that load balancing takes place. This type of cluster also requires a license for the second hardware. If e.g. a FullGuard license is running on the master firewall, the slave firewall also needs a FullGuard license.

Info: If you want to make an Active-Active Cluster to improve performance, you need to know that not all functions can be distributed with an Active-Active Cluster (as with VPN, for example). So you can’t expect a 100% increase in performance. According to Sophos, the performance increase when adding an additional firewall is approximately 50%. Instead of 100% power you have about 150% power at your disposal.