
Sophos HA over Two Datacenter

Hi, I'm thinking about a colocation for our company with SAN replication over dark fiber (L2). So my question is whether it's possible to have Sophos HA (Active/Passive) over two datacenters, so that if Datacenter 1 is down the Sophos in Datacenter 2 switches to master, I can run all VMs in Datacenter 2, and all remote offices connect automatically to this firewall.

One WAN is located in Datacenter 2 and the other in Datacenter 1. The network would be completely transparent (Layer 2 connection between both datacenters).

The only problem I see is that the heartbeat of the Sophos FW also has to go over the dark fiber, and if the connection between the datacenters is down, both firewalls are in master mode and can accept VPN, SMTP…

Thanks



  • Hi Tobias,

    Could the Sophos be a single virtual appliance that fails over with the rest of the VMs?

    We have a customer with sites a few km apart linked by fibre, with a Sophos UTM9 appliance at each in an HA configuration. There are redundant L2 paths between the two sites, but there is no quorum/witness in Sophos HA, so there is always the danger of split brain. It is rarely a problem, although I don't know the particulars of your configuration. If Sophos is doing SMTP filtering then I guess some email could be lost when they come back together and fight over which one is master.

    Are you running BGP over your WAN links?

    James

  • I'm afraid this won't work because of the two different internet connections. Usually in HA, you have to connect both UTMs on every interface in use to the same device, so for WAN that means both UTMs would need to be connected to the same physical WAN connection on the same interface. This might, however, be doable as long as you can connect the WAN for DC1 to the UTM located in DC2 by means of the dark fiber. At the same time you could also connect DC2's WAN connection to both UTMs and have load balancing and/or failover internet access.

    If the connection between the DCs fails, then indeed both UTMs will become master, but once the connection is restored, the UTM with the highest uptime will become the new master and the UTM with the lowest uptime will become the new slave. Be aware, however, that any changes made to the configuration in this timeframe might be "rolled back" when the "other" UTM becomes master.

    While both WAN connections will likely also have different public IP addresses (unless you're using BGP to route your public subnet), you might have a challenge interconnecting to the remote offices, depending on how these are connected.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improving IT security and happy to help others with their IT-security challenges.

  • I don't know about the dark fibre because I'm not really a network admin, so I don't know if this is relevant, but you will need jumbo packets enabled on your networks for UTM HA to work across sites.

  • Is the jumbo frames requirement documented somewhere? I've not had any issues with HA connectivity through switches etc. that don't have jumbo frames enabled.

    Have you determined what frame size is required?

    James


  • I don't think so. Not 100% certain why we do this because I didn't set it all up.

    We have 2 datacenters, one in one city and the other in another city. We have a hypervisor environment split across both datacenters. We have 2 UTM HA arrays, both managed by a single SUM, but we have to keep both HA nodes (master and slave) of each HA array in the same city datacenter because we don't enable jumbo frames across the network links.

  • Should have added that we move the UTM nodes from city to city in their pairs when we need to.
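One way to answer James's question above ("Have you determined what frame size is required?") before committing a pair to a cross-site link, as an added example that is not part of the thread and not a Sophos tool: a POSIX shell script that finds the largest IP MTU that passes between the two HA nodes' heartbeat addresses unfragmented, by binary-searching DF-bit pings. It assumes Linux iputils `ping` (the `-M do` and `-s` options) and a reachable peer address given on the command line; both are assumptions of the example, not details from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code): probe the largest
# unfragmented IP MTU between two hosts with DF-bit pings.
# Assumes Linux iputils ping (-M do sets the Don't Fragment bit).

# ICMP echo payload that yields an IP packet of the given MTU:
# 20 bytes IPv4 header + 8 bytes ICMP header = 28 bytes of overhead,
# so a 1500-byte MTU is exercised by a 1472-byte payload, 9000 by 8972.
payload_for_mtu() {
    echo $(( $1 - 28 ))
}

# Succeed (exit 0) if one DF ping with this payload reaches the peer.
# $1 = peer address, $2 = ICMP payload in bytes.
probe() {
    ping -M do -c 1 -W 1 -s "$2" "$1" >/dev/null 2>&1
}

# Print the largest MTU in [lo, hi] that passes unfragmented.
# Returns 1 and prints nothing if even the low bound does not pass.
# $1 = peer address, $2 = low MTU (assumed good), $3 = high MTU to try.
max_mtu() {
    host=$1; lo=$2; hi=$3
    probe "$host" "$(payload_for_mtu "$lo")" || return 1
    best=$lo
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if probe "$host" "$(payload_for_mtu "$mid")"; then
            best=$mid; lo=$(( mid + 1 ))   # mid passes: look higher
        else
            hi=$(( mid - 1 ))              # mid dropped: look lower
        fi
    done
    echo "$best"
}

# Usage: ./mtu-probe.sh <peer-heartbeat-ip> [low-mtu] [high-mtu]
# Defaults sweep from standard 1500 up to a 9000-byte jumbo MTU.
if [ -n "${1:-}" ]; then
    peer=$1; lo=${2:-1500}; hi=${3:-9000}
    if result=$(max_mtu "$peer" "$lo" "$hi"); then
        echo "largest unfragmented MTU to $peer: $result bytes"
    else
        echo "not even $lo-byte packets reach $peer unfragmented" >&2
        exit 1
    fi
fi
```

Run it from a host in one datacenter against a host in the other (for example `./mtu-probe.sh 198.51.100.2`, a placeholder address). If the result stops at 1500 while the switch ports are supposedly configured for 9000, some hop on the dark-fibre path is not passing jumbo frames; if it reaches 9000, the link at least does not rule out the requirement mentioned above. This only checks the L2/L3 path, not the UTM's own HA traffic, so it tells you whether the link could carry jumbo frames, not whether the UTMs need them.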