LAN Link aggregation or LAN Failover

Hello JohnHilton,

Thank you for reaching out to the community, please refer the follow doc/kba below for configuring the Link aggregation on SFOS [Sophos XG] 
https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Network/Interfaces/NetworkLinkAggregationGroupAdd/index.html

Thanks for the reply, thank you for this. 

I wanted to add this to our currently active "lan" port (port1) and inactive unbound port5.

The documentation states:

"Only unbound static physical interfaces can be members of the LAG"

i assume because our port1 (lan) is currently active, i can't configure this to a lag without "downtime".

Kind regards 

Yup, you'll need a down time.
==========================
Once configured you can verify with the following device console commands: 
> show network lag-interface
> show network lag-interface < lag-interface> runconfig

Thanks again.

When it says "unbound" does it mean removed from the "lan" zone or just disconnected? do i need to add a static IP address to each of the member ports + the lag group (3 static IPs in total) or just a single static IP on the LAG i've created?

Sorry for all the questions, i'll be doing this via the GUI.

Kind regards

Unbound Example can be seen below:

That's great thanks, i'll book some downtime in and give it a go and report back.

cheers

one more thing, if i unbind my LAN port, i won't be able to connect to the gui...... could i do this off site via central?

if you have another interface configured on the LAN zone and under the device access if you have allowed HTTPS access on LAN than you'll be able to access the appliance. But if non of the interface is active then you will not be able to. So better configure a temporary interface and connect a direct laptop/machine... 

understood, but could i do this via central off site via WAN if i have enabled firewall management. I'll of course configure an additional port for LAN access outside of the LAG scope "just incase"

Yup, if sophos Central service is enabled for firewall management and as far as WAN connection is active. you are good to go and access the appliance via Sophos Central firewall management. 

excellent thanks again. i'll report back tomorrow. Planning on doing this at home tonight out of hours.

This seems* to be ok after creating the new AGG group on ports 1 & 5. I did this remotely from Sophos Central via the firewall manager.

Before i did this i connect to the site using Sophos connect and did a few things before hand (like doing a back up).

I've rebooted the XG and reconnected via Central. I can ping internal (LAN) pcs via the new AGG interface so i assuming all is fine?

*That being said. I don't seem to be able to VPN back into the site via Sophos connect, and all the sophos access points are showing as "inactive". I hoping this is a central bug? :s

I'll be on site early tomorrow just in case. Anything that could have caused this?

I connect to the firewall via central, unbound the single LAN port (port1) and noted it's settings. Created a new AGG interface with Port 1 & 5 (both unbound) and entered the address details noted above. 

EDIT: looking at the VPN logs on the xg. i'm getting rejected because of wrong credentials. go figure ? 

Regards

This seems* to be ok after creating the new AGG group on ports 1 & 5. I did this remotely from Sophos Central via the firewall manager.

Before i did this i connect to the site using Sophos connect and did a few things before hand (like doing a back up).

I've rebooted the XG and reconnected via Central. I can ping internal (LAN) pcs via the new AGG interface so i assuming all is fine?

*That being said. I don't seem to be able to VPN back into the site via Sophos connect, and all the sophos access points are showing as "inactive". I hoping this is a central bug? :s

I'll be on site early tomorrow just in case. Anything that could have caused this?

I connect to the firewall via central, unbound the single LAN port (port1) and noted it's settings. Created a new AGG interface with Port 1 & 5 (both unbound) and entered the address details noted above. 

EDIT: looking at the VPN logs on the xg. i'm getting rejected because of wrong credentials. go figure ? 

Regards

Seems that there's a bug... if i set the lagg to "auto negotiate" the speed, i can't communicate to the LAN, if i set it manually to 1000 everything is fine.

I can see all the Access points and vpn back into the site. i can now access all lan resources.

.......that was a long night....... still better now than during production.

Hey JohnHilton,

Yup, that's true this has been reported bug: NC-92783.
Work around is: change the speed settings to manually. 
This will be fixed in the next release of the firmware i.e. SFOS 19.0.1 MR1

All sorted now, up and running with a LAN LAG link. Thanks for all your input.

Cheers

Cheers JohnHilton