
Sophos SG210 HA Configuration

Hi,

I'm running two SG210 in my company in Active/Passive mode.

We are going to set up a disaster site, and as a part of our plan, I want to know how we can manage to set up the same Sophos HA in the disaster site.

Is it possible to extend our cluster from 2 to 4 devices? Or is there any other solution?

All our physical and virtual servers, storage devices, network switches, etc. are in HA mode with the disaster site, except the Sophos cluster.

Our goal is that everything be as automatic as possible.

Regards.



  • I could think you may add more passive nodes, but do not know that for sure. But what is more interesting, do you have the same connections in the second location available? That should be a concern too. But maybe you already had a solution for that or don't use external connections.

    BR

    -

  • Hallo,

    As Alex implies, it's unlikely you can do this.  The only way I've heard of it being done was with the single, passive unit in the DR site where all of the subnets connected to the node were identical to those at the primary site.  I don't like that solution because it causes problems with Up2Dates and can lead to unnecessary downtime at the primary site.  I always recommend a new Active/Passive pair at the DR site.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Alex and Bob,
    Thank you for your answers,

    I have the exact same architecture, devices, and network in both primary and disaster sites.

    I think you suggest that I follow this scenario: Primary (1 Active + 1 Passive) + DR (1 passive) devices, am I right? So about the takeover, if the active device in the primary site fails, which passive device becomes primary? Is it manageable or not?

    Regards.

  • Hello Mahdi,

    You have two sites in HA-Setup. Do you have redundant switches on each of the sites? No? Then why double the firewalls?

    See: I would have the active node of the Sophos Firewall Hardware at the "Mainsite" and the other passive node will be put at the "Failover-Site", that's it. Like this you have redundant nodes and failover capacity.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • Yes, I do.

    I have redundant switches on each of the sites, and two SG210 in active/passive mode in main site.

    I've figured out the whole HA plan, except for the firewall.

    I'm looking for an automated solution which includes the exact firewall cluster in the disaster site (2xSG210 in active/passive mode).

    I need firewall HA on both sides.

    If not possible, I've to switch it manually.

  • Hallo Philipp,

    The only situation where I've seen this work was when both sites had only servers that were identical and the backup site was an exact duplicate of the main site within a few milliseconds.

    I'm confident that MahdiX's idea of having one active and two passive units is NOT possible.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear MahdiX,

    That’s indeed a good question. Leader election can be done in multiple ways. But I didn’t find any specific information about that. Maybe you could ask a sales representative or support for that.

    Best regards 

    Alex 

    -