One of our nodes in a HA cluster failed. The cluster is/was running on firmware 9.706-9.
Found this KB Article regarding the replacement: https://support.sophos.com/support/s/article/KB-000035374?language=en_US
This describes what I need to do:
5. Restoring HA after receiving an RMA'd device.
Syncing should now begin with the connected appliances.
Isn't it necessary to put the same firmware on the replaced firewall first?
Besides doing a backup, is there anything not described that needs to be taken care of? For example regarding licensing ...
As far as I can see there will be no switch during the process. Is that right (would probably kick out a lot of remote users which I want to prevent; failover test will be done during a time when there is much less traffic).
Regards,
BeEf
Licence is included within the backup.
I install the same firmware and do a factory reset on the new device before rebuilding the cluster.
Initially I connect eth3 only. ETH3 is preconfigured for HA (on most devices).
There should be no switch-over.
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Having the same firmware on the second appliance that you want to sync is a very good practice.
You should have a recent backup of your configuration OUTSIDE the primary firewall system just in case ... So download that to a local drive or a USB stick.
With kind regards, best regards from Germany,
New Vision GmbH, Germany
Sophos Silver-Partner
If a post solves your question please use the 'Verify Answer' button.
Thanks. I did it exactly like described above, worked well and it even did some minor firmware update as the replaced fw was a little bit behind.
Here're the instructions I give to my clients:
1. If needed, do a quick, temporary install so that the new device can download Up2Dates.
2. Apply the Up2Dates to the same version as the current unit, do a factory reset and shutdown.
3. On the current UTM in use, on the 'Configuration' tab of 'High Availability':
   a. Disable and then enable Hot-Standby
   b. Select eth3 as the Sync NIC
   c. Configure it as Node_1
   d. Enter an encryption key (I've never found a need to remember it)
   e. Select 'Enable automatic configuration of new devices'
   f. I prefer to use 'Preferred Master: None' and 'Backup interface: Internal'
4. Cable eth3 to eth3 on the new device.
5. Cable all of the other NICs exactly as they are on the original UTM.
6. Power up the new device and wait for the good news.
I do not recommend the use of 'Preferred primary'.
Cheers - Bob
Thanks to everybody. The replacement worked well with the instructions 5. Restoring HA after receiving an RMA'd device - surprisingly even with a different 9.7 firmware on the replacement.