Avanet

Which Sophos Firewall HA cluster types are available?

For a highly available solution, you can run your Sophos Firewall in an HA cluster. This ensures that in the event of a hardware failure, the second firewall can take over and your network will continue to function without problems.

Requirements

To create a Sophos Firewall cluster, you need to follow a few rules:

Sophos Firewall appliances

  • The appliances must be exactly the same Sophos Firewall model, revision, and firmware version.
  • Different appliances cannot be clustered (e.g. XGS 136 and XGS 2100).
  • Different revisions cannot be clustered (e.g. XG 210 Rev. 2 and XG 210 Rev. 3).
  • W models cannot be clustered (e.g. XGS 87w, 107w, 116w, 126w, 136w).
  • Another common question is whether a hardware appliance and a virtual appliance can form a cluster. They cannot.

Two different variants

You can choose between two different types of High Availability clusters to connect your two Sophos Firewalls:

Active / Passive Cluster

In this cluster configuration, there is an active firewall that processes all traffic and provides the necessary security functions. The passive firewall is in standby mode, waiting for the active firewall to fail.

If the active firewall fails or malfunctions, the passive firewall automatically takes over the role of the active firewall and ensures that network traffic continues to be protected and filtered. The interruption lasts less than a minute. For a planned change such as a reboot or software update, you lose 1-4 pings.

In this Sophos Firewall High Availability Cluster configuration, only the active appliance requires a license. This is one of the reasons why 100% of our customers choose this solution.

Active / Active Cluster

Again, the two firewalls are connected via an HA port. However, traffic is routed through both firewalls, so the load is balanced between them. With this type of cluster, a license is also required for the second appliance. For example, if the primary firewall is running an Xstream Protection license, the Node2 firewall also needs an Xstream Protection license.

Info: If you want to build an Active-Active cluster for higher performance, keep in mind that not all functions can be distributed in an Active-Active cluster, for example VPN. You should therefore not expect a 100% performance increase. According to Sophos, adding a second firewall increases performance by approximately 50%. Instead of 100% capacity, you will have roughly 150% available afterwards.

More information

Sophos provides comprehensive information on configuring and managing Sophos Firewall high availability (HA) clusters. There you will find an introduction to HA functionality, its benefits and the different HA modes, as well as detailed instructions on how to configure, manage and monitor HA clusters. Learn more about the prerequisites, underlying architecture, operation, and firmware upgrade in HA mode to best secure a firewall environment.

Sophos Firewall High Availability documentation