Shutdown one unit in HA setup

Hi!

I want to physically move my UTM boxes (SG310). They run in a HA setup.

My question is - how do I do this with the least amount of downtime?

I'm guessing that I should

1. shutdown (power off) the SLAVE unit (how?)
2. physically move SLAVE unit
3. reconnect all cables to SLAVE unit and power it back on
4. wait for sync
5. make SLAVE unit MASTER (how?)
6. repeat steps 1-3 for new SLAVE unit

Is this the right approach?

Also note my questions regarding shutdown of a single node (SLAVE unit) and switching MASTER role between units. (steps 1 and 5)

Kind regards

Karsten Stolten



  • No, you can't.

    It is not possible to have different hardware within a cluster. (usually)

    You should install the SG450, import the configuration, install a new license.

    ... check all, power down the SG3xx and patch all cables to SG450.

    ... check system is running correctly

    ... install and join the other cluster node.

    If you are unable to get a downtime ... ask your Sophos partner for support.

    Possibly the vendor can make it possible to use different hardware within a cluster.

    But you need a really good reason. (unable to work at night or Sunday isn't one)

    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Just an update that we successfully moved UTM2 to the new DC and brought it online. It did indeed make itself a MASTER and all connectivity worked as hoped. It handled the MAC address changes with no need to disable / enable interfaces.

    We are now back running on UTM1 in the old DC and will move it up to join its HA partner in a couple of weeks. UTM1 shows the SLAVE node as DEAD currently.

    UTM2 just shows MASTER and nothing else.

    We have had to add some firewall rules and users since splitting the UTMs, so we want UTM1 to be the MASTER and UTM2 to sync the changes to it. I'm trying to decide, when we do join them back together in the new DC, whether to just shut down UTM2, connect up UTM1 including HA, power up, then bring UTM2 up. Bob - I think you suggested doing a Factory Reset of UTM2 then just join it back to UTM1 and UTM2 should rebuild and Sync as a SLAVE. Is that correct? I assume I would tick the "Enable automatic configuration of new devices" setting on the HA page on UTM1?

    Also, out of interest how will UTM2 get named back to being UTM2? Apologies but I've not been through the process of setting up an HA with a device that is factory reset.

    Thanks.

  • Colin, these are the instructions I supply to my clients when adding a unit in High Availability:

    1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
    2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shutdown.
    3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
       a. Enable Hot-Standby
       b. Select eth3 as the Sync NIC
       c. Configure it as Node_1
       d. Enter an encryption key (I've never found a need to remember it)
       e. Select 'Enable automatic configuration of new devices'
       f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
    4. Cable eth3 to eth3 on the new device.
    5. Cable all of the other NICs exactly as they are on the original UTM.
    6. Power up the new device and wait for the good news. ;)

    It sounds like you may not need to do 3.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Perfect Bob. Thank you.

    Do you think it is worth me setting the UTM1 HA Operation mode to "Off" at the moment: a) to stop it looking for UTM2 and generating notifications, and b) just to remove the DEAD Slave UTM from the HA Status (UTM2)? I would put it back to Hot Standby as per your instructions when we are ready to bring in UTM2 following its factory reset.

  • Yes, Colin - good insight!

    Cheers - Bob

     
  • Hi Bob,

    I like your last step. "6. Power up the new device and wait for the good news"

    After the device has joined the HA configuration as a Slave, is there any work that then needs to be done?

    Following the Factory Reset, does the device lose its name? Does a license have to be added for the Slave device? Anything else?

    If so, are there any instructions on how to do this?

    Thanks

  • The steps I gave above are all that's needed, Colin.  When you cause the Factory Reset and then reconnect the Slave after re-enabling High Availability on the Master, the Master gives everything to the Slave including a name and a copy of the license.  It's really all that simple!

    Cheers - Bob

     
  • Hi Bob. Just an update that we successfully moved the datacentres at the weekend. I followed the steps and factory reset UTM2 while UTM1 was running as MASTER. For some reason it had trouble getting UTM2 to join the HA when it was powered up. In the end we logged onto UTM2 and manually set the HA. UTM1 then found it and sync'd over to it. Now all running back as an HA Active \ Passive pair. Happy days!

    Thanks for all your help and advice.

    Regards,

    Colin