For a highly available solution, you can run your Sophos Firewall in an HA cluster. This ensures that in the event of a hardware failure, the second firewall can take over and your network will continue to function without problems.
To create a Sophos Firewall cluster, you need to follow a few rules:
Sophos Firewall appliances
- Both appliances must be exactly the same Sophos Firewall appliance (model, revision, firmware).
- Different appliances cannot be clustered (e.g. XGS 136 and XGS 2100)
- Different revisions cannot be clustered (e.g. XG 210 Rev. 2 and XG 210 Rev. 3).
- W models (such as XGS 87w, 107w, 116w, 126w, 136w) cannot be clustered.
- A frequently asked question is whether a hardware appliance and a virtual appliance can work as a cluster. They cannot.
Two different variants
You can choose between two different types of High Availability clusters to connect your two Sophos Firewalls:
Active / Passive Cluster (Recommended)
In this cluster configuration, there is an active firewall that processes all traffic and provides the necessary security functions. The passive firewall is in standby mode, waiting for the active firewall to fail.
If the active firewall fails or malfunctions, the passive firewall automatically takes over the role of the active firewall and ensures that network traffic continues to be protected and filtered. The interruption is less than a minute. For a planned change such as a reboot or software update, you lose 1-4 pings.
In this Sophos Firewall High Availability Cluster configuration, only the active appliance requires a license. This is one of the reasons why 100% of our customers choose this solution.
Active / Active Cluster
Again, the two firewalls are connected via an HA port. However, traffic is routed through both firewalls, so load balancing takes place. With this type of cluster, a license is also required for the second appliance. For example, if the primary firewall is running an Xstream Protection license, the Node2 firewall also needs an Xstream Protection license.
Info: If you are considering an Active-Active cluster to increase performance, be aware that not all functions can be distributed across both firewalls (VPN, for example). So you can't expect a 100% increase in performance. According to Sophos, the performance increase when adding an additional firewall is approximately 50%. Instead of 100% power, you will have approx. 150% power available afterwards.
Sophos provides comprehensive information on configuring and managing Sophos Firewall high availability (HA) clusters. There you will find an introduction to HA functionality, its benefits and the different HA modes, as well as detailed instructions on how to configure, manage and monitor HA clusters. You can also learn more about the prerequisites, underlying architecture, operation, and firmware upgrade in HA mode to best secure a firewall environment. See the Sophos Firewall High Availability documentation.