
Couple of questions about business continuity planning and cold standby units

I have a main office with an SG330, and several smaller offices with SG115s and SG125s.  In looking at possible backup scenarios for the devices, one option for the smaller offices would be to keep a cold standby SG125 unit with no licenses.  Then if one of the units fails at a smaller office, we would update the standby to the latest version, restore a backup config for that office and it should be good to go - correct? 

What happens with licensing on the standby unit - will it run with trial licenses for a week or so until I get the failed unit repaired or replaced, or do I need to transfer the licenses to the replacement unit?

Is this a valid approach?

At the main office, one option would be to get a second SG330 and run it as a passive hot standby.  Is there any reason, if I could find one, that I wouldn't be able to purchase a used one as the failover, or do I need to get a new one from Sophos?  We are non-profit with very little budget for buying new devices as backups.

 

At the main site, if the SG330 fails, would it work to install the downloadable version on a computer here, restore a backup of the SG330 and run that until the failed unit is replaced or repaired? Would there be any licensing issues?

 

Is it possible to install the downloadable version on a server here and use that as a passive hot standby, or does it need to be another appliance of the same model? 

Thanks for any comments. 



This thread was automatically locked due to age.
  • I have the same question too.

    Thanks,

    Josh

  • We are a small business that has 22 remote locations using SG 115w’s. What we used to do was have two units on cold standby. When a remote firewall failed we would transfer the license from the failed unit to one of the cold standby units, ship it overnight and then have the remote site ship the failed unit back to us. That allowed us to further troubleshoot the unit and if we couldn’t fix it we would send it back to Sophos.

    We decided this past year to fully license the cold standby units. What we found was when a firewall failed it would take us a few hours to update and configure the firewall, sometimes missing our window to ship the unit overnight. By having the firewalls fully licensed it allowed us to keep the units powered on and updated in line with our production units. Now when we have a failed unit we can usually ship it out the door in 10 minutes.

    One of the things we talked about was calling support to see if they would issue us a one day license every other month or so, install the one-day license, update the firewall and power off. But we felt that the time and energy to do that wasn’t worth it and in the end just licensed the two firewalls. 

    As far as purchasing an old SG330 I would think all you would need to do is purchase hardware support on the unit. That's all we have on our passive firewall. The base license covers Active/Passive. You will need to purchase an additional license if you want Active/Active.  

    With HA both appliances must be the same model and revision, so if you have an SG330 as your primary you must have one as your secondary.

     

     

  • Thank you for that explanation.  I don't think we have the budget to fully license a cold standby, although I'll get a quote.  Since our remote offices are all only 10 to 45 minutes from here we have a little more flexibility, so it sounds like having a cold standby would work for us but requires transferring the licenses back and forth.  We only have 8 remote locations, so I sure hope having a failed unit isn't too frequent an occurrence.  

  • Hey Ralph.

    Let me see if I can help you.

    "What happens with licensing on the standby unit - will it run with trial licenses for a week or so until I get the failed unit repaired or replaced, or do I need to transfer the licenses to the replacement unit?"

    If they are the same model, if I remember correctly, the license from the backup would be activated on the backup unit as you restore the backup. If they are different models the backup would restore as well, but you would need a new license before being able to fully activate the new unit.

    "At the main office, one option would be to get a second SG330 and run it as a passive hot standby.  Is there any reason, if I could find one, that I wouldn't be able to purchase a used one as the failover, or do I need to get a new one from Sophos?  We are non-profit with very little budget for buying new devices as backups."

    An active/passive cluster is always the best approach. It means zero downtime in case of a failure. I don't think Sophos has such tight control over devices. As long as the device is of the same model, the active/passive cluster should just work. You actually pay for the subscription, so I don't think an appliance bought from a third party would be an issue, as long as it's official hardware. Of course, you could not expect any warranty coverage, such as RMA, on that device.

    "At the main site, if the SG330 fails, would it work to install the downloadable version on a computer here, restore a backup of the SG330 and run that until the failed unit is replaced or repaired? Would there be any licensing issues?"

    The backup would be restored, and as long as you have the same number of network interfaces on both devices you should have no issue getting it up, but you would need a license for the Software version of UTM in order to be able to fully activate this backup device. Even a 30-day trial one would do, but you would need a license for the Software version as the SG330's license would not activate this install.

    "Is it possible to install the downloadable version on a server here and use that as a passive hot standby, or does it need to be another appliance of the same model? "

    You actually might be able to form a cluster if the number of network interfaces matches, but in order to have a working hot standby all devices need to be the same model, exactly because of licensing. Your standby might be able to take over, but would not be able to activate all subscription features with the SG330's license, so this is a no go anyway.

    I hope this helps.

    Regards,

    Giovani

  • For the cold standby devices (115 and 125), you can get a 3-year Network Protection subscription for each model for under $400US total for the two.  That would allow you to keep them Up2Dated so that they're on the same version as your appliances in the field and to be able to restore a backup from a failed unit and ship it immediately.

    The licensing is not interchangeable between models or with the software version.

    Your best bet with the 330 is another 330.

    Your reseller should have answered these questions for you.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, I'll contact the reseller for more information.