This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Redundant internet for HA firewall

John245 over 1 year ago

Designing the solution for redundant internet for a HA firewall.

The architecture I have in mind is:

Is this design complete or should I add additional items?

---

John

This thread was automatically locked due to age.

Top Replies

Vivek Jagad over 1 year ago +3 suggested

Hello John245 , Thank you for reaching out to the community, you can refer the HA architecture and design here - https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide…

+1 Vivek Jagad over 1 year ago

Hello John245 ,

Thank you for reaching out to the community, you can refer the HA architecture and design here - https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/AboutHA/HAArchitecture/index.html

And about HA requirements, prerequisites here - https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/AboutHA/index.html

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +3 Vote Down

Cancel
0 John245 over 1 year ago in reply to Vivek Jagad

Vivek Jagad Thanks, but HA is already set-up and working. The question is about the addition of redundant internet to the HA cluster. Is this the smartest way to do this and/or are addition components/cables required?

---

John
Cancel
Vote Up 0 Vote Down

Cancel
0 Vivek Jagad over 1 year ago in reply to John245

We don't recommend monitoring the WAN link in HA, because HA is designed to failover if any of the ports fluctuate in the monitoring Ports section. A failure of the ISP will result in an unnecessary failover, since traffic can be switched from one ISP to another in the same appliance under the WAN link manager.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 John245 over 1 year ago in reply to John245

Vivek Jagad I was not planning to monitor the WAN link. But set up the ISP as below. I assume this is what you intended.

---

John
Cancel
Vote Up 0 Vote Down

Cancel
+1 Vivek Jagad over 1 year ago in reply to John245

Hey John245 , In that case this looks perfect for the reference & validation here is the KBA - Configure redundant internet connection using WAN Link Manager feature - https://support.sophos.com/support/s/article/KB-000038337?language=en_US

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Technical Support, Global Customer Experience

Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
0 subin sunny over 1 year ago in reply to Vivek Jagad

while setting this up one of my isp status goes red, why is that?
Cancel
Vote Up 0 Vote Down

Cancel
0 John245 over 1 year ago in reply to subin sunny

Can you provide more info?
Cancel
Vote Up 0 Vote Down

Cancel
0 subin sunny over 1 year ago in reply to John245

Hi
we have two ISP connected to a Firewall. Once we initiate HA active passive mode one of the ISP goes to down state. After disabling HA we are able to see two active ISPs
Cancel
Vote Up 0 Vote Down

Cancel