This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Azure HA

Hello!

Can anyone confirm that I understand this correctly: There is no way to get Active-Passive or Active-Active HA working in Azure with 2 XG instances as Azure does not support MAC spoofing.

Manually configure HA in Azure - Sophos Firewall -> since here only one Firewall gets created

Additional configuration for virtual hosts - Sophos Firewall -> and this one mentions allowing MAC spoofing for hypervisors in order to get HA working

So, does this mean I should just use a single XG instance instead of two in Azure?

This thread was automatically locked due to age.

Top Replies

Vivek Jagad 11 months ago +2 verified

Hello Tobias Steiger , Thank you for reaching out to the community, did you refer this - Configure HA in Azure using a template and Implement a full HA (inbound/outbound) on Azure .

Parents

+1 Vivek Jagad 11 months ago

Hello Tobias Steiger ,

Thank you for reaching out to the community, did you refer this - Configure HA in Azure using a template and Implement a full HA (inbound/outbound) on Azure.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +2 Vote Down

Cancel

Reply

+1 Vivek Jagad 11 months ago

Hello Tobias Steiger ,

Thank you for reaching out to the community, did you refer this - Configure HA in Azure using a template and Implement a full HA (inbound/outbound) on Azure.

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Log a Support Case | Sophos Service Guide
Best Practices – Support Case

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +2 Vote Down

Cancel

Children

0 Tobias Steiger 11 months ago in reply to Vivek Jagad

Hello Vivek

Thank you for your respond!

Yes, I read through these guides and I currently use Auzure Availability Sets to achieve HA for my instances - but the problem I face is config sync and IPsec tunnels.

Firstly, config sync would be nice (like active-passive) so my clients would not always need to export / import firewall configs if they change something. Also, im currently using 2 XGs behind an Azure Loadbalancer. Whenver I only use 1 firewall (and stop the other) IPsec works really fine even behind the LB. However, if both firewalls are live, IPsec stops working and my site-to-site VPNs go down.

So, achieving active-passive would be really nice but i guess this is not possible in Azure (as stated in https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122520/sophos-firewall-implement-a-full-ha-inbound-outbound-on-azure)
Cancel
Vote Up 0 Vote Down

Cancel
0 LuCar Toni 11 months ago in reply to Tobias Steiger

Azure uses SD-Network technologies to connect devices. The rules "of the old world" like ARP and other stuff does not apply there anymore. If you change for example the default gateway to another device, the device is fully offline. Therefore, you will not get the link between both appliances, and you will not get the ARP change to virtual running.

You could disable ARP Spoofing on SFOS in the WebUI, which uses the physical MACs, but even then, you have a "vIP", which will be used. Azure does not allow a IP Move from A to B.

__________________________________________________________________________________________________________________
Cancel
Vote Up +2 Vote Down

Cancel