Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall

Discussions HA link zone?

Sophos Firewall requires membership for participation - click to join

Thread Info

State Verified Answer
Replies 4 replies
Subscribers 42 subscribers
Views 299 views
Users 2 members are here

Options

Suggested

HA link zone?

Quallensaft 7 hours ago

What's "best practice" regarding HA link network?

- at the moment my HA link network (physical port / peer2peer) is zone DMZ -> not cool because SSH access for DMZ zone must be activated or HA will not work anymore -> SSH access from DMZ zone on all HA firewalls possible?

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/HAConfiguration/HowToArticles/HAHowToActivePassive/index.html

When switching to zone "none" do I also have to configure anything regaring SSH (needed for HA sync)? HA sync need FW rules?

Added TAGs
[edited by: Raphael Alganes at 10:43 AM (GMT -8) on 8 Nov 2024]

Top Replies

LuCar Toni 6 hours ago +1

You can use your own Zone, for example, create a Zone called HA and use the same settings (HTTPS and SSH). Then move the zone of HA Link to this Zone.

Parents

0 LuCar Toni 6 hours ago

You can use your own Zone, for example, create a Zone called HA and use the same settings (HTTPS and SSH). Then move the zone of HA Link to this Zone.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Quallensaft 5 hours ago in reply to LuCar Toni

Can not update the interface zone ^^

My question was also regarding -> the user are configure the firewall like in the online help from Sophos -> SSH access to firewall on by default for DMZ zone (maybe update the manual regarding security issues?)
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
+1 LuCar Toni 5 hours ago in reply to Quallensaft

You need to break up the HA first, to do this.
But yes, you should be careful with the usage of DMZ in other zones as well, as it enables per default SSH as well.

__________________________________________________________________________________________________________________
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel
0 Bharat J 2 hours ago in reply to Quallensaft

Create custom Zone for HA setup

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Bharat J 2 hours ago in reply to Quallensaft

Create custom Zone for HA setup

"Sophos Partner: Networkkings Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data