SG-330 High Availability

Hi All:

I have a SG-330 running latest firmware 9.601-5. I have a second SG-330, new in box. I am looking at implementing HA (failover, not active-active).

First, are there any downsides of doing HA? Or would I be better to leave the spare in the box (guessing not, but...).

Should I fire up the spare HA, not connected to anything first? To burn in?

To do HA, do I just connect the second box interaces into the network? (I have five interfaces connected, one of which is a trunk going to a Cisco switch doing VLANs,) Then connect the eth3 HA interface  between the boxes, and fire up the spare box? Is it that simple?

The spare box hasn't had any updates done to it - is that a part of the HA process? Or should it be updated first?

How long does the process take? Minutes? Hours?

Any best practices or rulz to follow?

Thanks !

John S.

  • Hi John,

    as you described it is simple. Connect the cables and fire up the box.

    Two things you have to care for.

    First you have to make sure HA is configured, it is under Management > High Availability > Configuration. Enable configuration of new devices.

    Second make sure the version of the new box is not too far away from the existing one.

    The updates will be automatically handled by the UTM, but if the box is on an very old release it’s better to start with a new iso.

    After powering on a sync process is starting and then you got a HA setup, active/passive or hot standby. Don’t know witch wording is preferred by Sophos.

    If something goes wrong the HA won’t be activated and you could solve the problem.

    The sync process doesn’t take hours, but a couple of minutes.

    Give it a try. And the community is a very good place for questions.

    Best regards


  • Alex's prescription is the right one.  I made the following "cheat sheet" for one of my customers:

    1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
    2. Apply the desired Up2Dates (if possible, stop at 9.601 today), do a factory reset and shutdown.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news. Wink

    Cheers - Bob

  • In reply to BAlfson:



    I've got the second SG-330 connected to a PC and to an unused static IP on our external network connection. When I powered up the box, it shows it's on firmware 9.308.

    After connecting to an internet connection, the dashboard shows 41 updates available. When I go to Up2Date, it says the firmware is up to date and no downloads available. I tried both manually, and automatically (letting it sit for several days). I've tried rebooting the box, no change.

    From the second SG, I can ping, etc. So appears the internet connection and DNS are both working.





    John S.

  • In reply to jskain:

    Instead of Up2Dating from that far back, John, just go to UTM Support Downloads and download the appropriate ssi (hardware) ISO and use that to re-image the device.  Remember that you don't want to have the new 330 at a newer version than your existing box, so you may need to let it download Up2Dates from 9.415.

    Cheers - Bob

  • In reply to BAlfson:

    Thanks. The current production box is on 9.601-5. I downloaded ssi-9.510-5.1 which was the previous one on the web site. I'll try that tomorrow.


    Then should I try and update or let the HA process take care of that?



    John S.

  • In reply to jskain:

    It should take care of it, John, but I would have just gotten the 9.601 ISO.

    Cheers - Bob

  • In reply to BAlfson:

    The download site has ssi-9.601-5.1, and the online box shows 9.601-5 (without the ".1"). Didn't know if that made any difference or not, or if the version just doesn't show the ".1".

  • In reply to jskain:

    You could take the 9.601-5.1 from the download site. It's the same version.