
Sophos Firewall: Deploy Sophos Firewall HA Cluster using Zero-Touch Deployment

Disclaimer: This information is provided as-is for the community's benefit. Kindly contact Sophos Professional Services if you require assistance with your specific environment.

Overview:

We can use the existing Zero Touch workflow to deploy a Sophos Firewall (XGS) cluster in HA mode with very little manual work.
This recommended read walks through the workflow for deploying a firewall cluster using a rewire approach.

Keynotes: 

We will use Zero Touch for both appliances: New Techvids Release - Sophos Firewall v20: Zero Touch Configuration.
Zero Touch lets us configure a firewall and make it accessible from Sophos Central via SSO.
For Zero Touch to work, you need the serial number of the XGS firewall, and Port2 (WAN) needs an IP address that can reach the internet (Sophos Central).

Workflow 1: Rewire approach

  1. Log in to Sophos Central
    1. Register the Primary and AUX serial numbers for Zero Touch: https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/FirewallManagement/Firewalls/FirewallAdd/FirewallZeroTouch/index.html
  2. On-premise cabling:
    1. Deploy Primary & AUX in HA => connect Port4 as a dedicated link on both appliances
    2. Give the Primary an internet connection (connect Port2 to a DHCP-enabled internet uplink, such as a switch or router).
    3. To give the AUX an internet connection, connect the AUX's Port2 to the Primary's Port1
  3. Log in to Sophos Central
    1. Turn on the Primary and wait for ZT to make the Primary reachable.
    2. SSO to the Primary via Sophos Central: enable a LAN to WAN firewall rule on the Primary, and check that Port1 has a DHCP server enabled for the AUX.
    3. Turn on the AUX and wait for ZT to make the AUX reachable.
    4. SSO to the AUX via Sophos Central, then configure Quick HA on the Primary and AUX: Port4 is connected, so you can use both Webadmins to deploy HA.
  4. On-premise re-cabling:
    1. On the AUX device, connect Port2 to the correct switch (same connectivity as the Primary)
    2. Change the Port1 configuration on the Primary as needed
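Step 3.2 above is the one place in the rewire workflow where a wrong setting on the Primary silently blocks the AUX from ever reaching Sophos Central (no DHCP lease on Port1, or no LAN to WAN rule, means no Zero Touch). The script below is an added example, not code from the original post or from Sophos: it queries the SFOS XML API for the DHCP server and firewall rule lists and reports whether both prerequisites hold. It assumes the XML API is enabled on the firewall (Backup & firmware > API) with the scripting host on the API allow list, and the entity and field names it reads (DHCPServer/Interface/Status, FirewallRule/Status/NetworkPolicy/Action/SourceZones/DestinationZones/Zone) are taken from the editor's reading of the SFOS API schema, so confirm them against a real response from your firewall before relying on the check. The two sample responses embedded at the bottom are constructed for offline use, not captured from an appliance.

```python
"""Pre-check for step 3.2 of the rewire workflow via the SFOS XML API.

Added example, not from the original post or from Sophos. Assumptions:
  * the firewall's XML API is enabled and this host is on its allow list;
  * entity/field names follow the SFOS API schema as the editor recalls it
    (verify against a real response before depending on this script).
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

API_PATH = "/webconsole/APIController"  # SFOS XML API endpoint on the webadmin port


def build_request(username: str, password: str, entity: str) -> bytes:
    """Build <Request> with a <Login> block and one <Get> for `entity`.

    Building the document with ElementTree escapes the credentials, so a
    password containing '<' or '&' cannot break (or inject into) the XML.
    """
    req = ET.Element("Request")
    login = ET.SubElement(req, "Login")
    ET.SubElement(login, "Username").text = username
    ET.SubElement(login, "Password").text = password
    ET.SubElement(ET.SubElement(req, "Get"), entity)
    return ET.tostring(req)


def fetch_entity(host: str, username: str, password: str, entity: str,
                 cafile: str) -> bytes:
    """POST the request to the firewall (port 4444) and return the raw XML.

    `cafile` is the CA or appliance certificate that signs the webadmin
    certificate; TLS verification is deliberately left on.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    body = urllib.parse.urlencode(
        {"reqxml": build_request(username, password, entity).decode()}
    ).encode()
    with urllib.request.urlopen(f"https://{host}:4444{API_PATH}", data=body,
                                context=ctx, timeout=15) as resp:
        return resp.read()


def login_ok(root: ET.Element) -> bool:
    """The API reports auth result under <Login><status>."""
    return (root.findtext("Login/status") or "").strip() == "Authentication Successful"


def dhcp_enabled_on(root: ET.Element, interface: str = "Port1") -> bool:
    """True if an enabled DHCP server is bound to `interface`."""
    for srv in root.iter("DHCPServer"):
        if ((srv.findtext("Interface") or "").strip() == interface
                and (srv.findtext("Status") or "").strip() == "Enable"):
            return True
    return False


def lan_to_wan_allowed(root: ET.Element) -> bool:
    """True if an enabled network rule accepts traffic from zone LAN to zone WAN."""
    for rule in root.iter("FirewallRule"):
        if (rule.findtext("Status") or "").strip() != "Enable":
            continue
        policy = rule.find("NetworkPolicy")
        if policy is None or (policy.findtext("Action") or "").strip() != "Accept":
            continue
        src = {z.text.strip() for z in policy.iterfind("SourceZones/Zone") if z.text}
        dst = {z.text.strip() for z in policy.iterfind("DestinationZones/Zone") if z.text}
        if "LAN" in src and "WAN" in dst:
            return True
    return False


def precheck(dhcp_xml: bytes, rules_xml: bytes) -> dict:
    """Evaluate both step 3.2 prerequisites from the two raw API responses."""
    dhcp_root = ET.fromstring(dhcp_xml)
    rules_root = ET.fromstring(rules_xml)
    return {
        "login_ok": login_ok(dhcp_root) and login_ok(rules_root),
        "port1_dhcp": dhcp_enabled_on(dhcp_root, "Port1"),
        "lan_to_wan_rule": lan_to_wan_allowed(rules_root),
    }


# Constructed sample responses for offline runs; not captured from a real firewall.
SAMPLE_DHCP = b"""<Response APIVersion="example">
<Login><status>Authentication Successful</status></Login>
<DHCPServer transactionid="">
  <Name>Port1_DHCP</Name><Interface>Port1</Interface><Status>Enable</Status>
</DHCPServer>
</Response>"""

SAMPLE_RULES = b"""<Response APIVersion="example">
<Login><status>Authentication Successful</status></Login>
<FirewallRule transactionid="">
  <Name>LAN to WAN</Name><Status>Enable</Status><PolicyType>Network</PolicyType>
  <NetworkPolicy>
    <Action>Accept</Action>
    <SourceZones><Zone>LAN</Zone></SourceZones>
    <DestinationZones><Zone>WAN</Zone></DestinationZones>
  </NetworkPolicy>
</FirewallRule>
</Response>"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 5:  # host user password cafile: query the real Primary
        host, user, pw, ca = sys.argv[1:]
        result = precheck(fetch_entity(host, user, pw, "DHCPServer", ca),
                          fetch_entity(host, user, pw, "FirewallRule", ca))
    else:                   # no arguments: evaluate the constructed samples
        result = precheck(SAMPLE_DHCP, SAMPLE_RULES)
    print(result)
```

Run it with no arguments to exercise the parsing against the constructed samples, or pass the Primary's address, an admin account, its password and the CA file to query the live appliance; only power on the AUX once both `port1_dhcp` and `lan_to_wan_rule` come back True. The check is deliberately strict about the rule's zones rather than just the rule name, because a rule called "LAN to WAN" that is disabled or set to Drop is exactly the misconfiguration that leaves the AUX without a path to Sophos Central.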

We assume you want to use Port4 as the HA port (directly connected). You can also use other ports, or multiple ports, for HA.
You do not have to use this approach. You could also connect the AUX/Primary Port2 to your existing network, as long as it has internet access. We use the Primary in this scenario so as not to change your infrastructure.

Workflow 2: Use existing network / switch infrastructure:

  1. Log in to Sophos Central
    1. Register the Primary and AUX serial numbers for Zero Touch: https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/FirewallManagement/Firewalls/FirewallAdd/FirewallZeroTouch/index.html
  2. On-premise cabling:
    1. Deploy Primary & AUX in HA => connect Port4 as a dedicated link on both appliances
    2. Give the Primary an internet connection (connect Port2 to a DHCP-enabled internet uplink, such as a switch or router).
    3. Give the AUX an internet connection (connect Port2 to a DHCP-enabled internet uplink, such as a switch or router).
  3. Log in to Sophos Central
    1. Turn on the Primary and wait for ZT to make the Primary reachable.
    2. SSO to the Primary via Sophos Central
    3. Turn on the AUX and wait for ZT to make the AUX reachable.
    4. SSO to the AUX via Sophos Central, then configure Quick HA on the Primary and AUX: Port4 is connected, so you can use both Webadmins to deploy HA.

In this approach, we do not need to change the existing configuration. It assumes you have a DHCP server with an internet connection that you can use for Zero Touch.

If you have thoughts about those workflows or comments, feel free to post them or give me suggestions for improving them. 

Related Information:

Sophos Techvids: Zero Touch Configuration - https://techvids.sophos.com/share/watch/TygYQm9ufcvFiJ9aAK7pit?vyetoken=$token_placeholder&autoplay=1

Zero Touch Configuration Documentation: https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/FirewallManagement/Firewalls/FirewallAdd/FirewallZeroTouch/index.html 
