What are the variants for a Sophos Firewall HA cluster?

For a highly available solution, you can run your Sophos Firewall in a cluster. This ensures that in the event of a hardware failure, the second firewall can take over and your network will continue to function without problems.


To create a cluster between two SG, XG or XGS firewalls, you need to follow a few rules:

  • Different appliances cannot be clustered (e.g. XGS 136 and XGS 2100).
  • Different revisions cannot be clustered (e.g. XG 210 Rev. 2 and XG 210 Rev. 3).
  • W models cannot be clustered (SG/XG 106w, 115w, 125w, 135w).
  • Different SFOS firewall series cannot be clustered (e.g. XGS 2300 and XG 230).

Two different variants

You can choose between two different types of clusters to connect your two Sophos Firewalls:

Active / Passive Cluster

The “Active / Passive” cluster is the cheaper variant and is also sufficient in most cases. The two firewalls are directly connected to each other via an HA port, and if the master fails, the second firewall takes over within a few seconds. The interruption is less than one minute.

Active / Active Cluster

The “Active / Active” cluster is the luxury variant. Here, too, the two firewalls are connected via an HA port. However, the traffic is routed through both firewalls, so load balancing takes place. With this type of cluster, a license is also required for the second appliance. If, for example, an Xstream Protection license is running on the primary firewall, the Node2 firewall also requires an Xstream Protection license.

Info: If you are planning an Active-Active cluster to increase performance, be aware that not all functions can be distributed across both firewalls (VPN, for example). So you can’t expect a 100% increase in performance. According to Sophos, the performance increase when adding an additional firewall is approximately 50%. Instead of 100% power, you will have about 150% power available afterwards.