
Sophos XG Clustering & Redundancy Limitations

Hi all,

Regarding the clustering/HA features of XG. The best practice advice seems to be that the clustering is only supported within a rack - e.g. two XGs, with a CAT6 cable directly connecting one HA port to another. Clustering two XG firewalls across two geographic sites is - correct me if I'm wrong - not supported. Even if connected by high-bandwidth, low-latency links.

Therefore, to achieve redundancy, you need to run two separate firewalls, two separate sets of firewall rules, public IP addresses, etc.

This seems like quite a limitation - is cross-site clustering on the road map for a future release? How do other XG users correctly achieve redundancy with two data centers?

Thanks



  • The issue here with split-brain scenarios (geographically separate HA appliances) is that you miss some feature which prevents a master-master situation.

    It will work, so you can basically set up this scenario, but if this link gets cut, both appliances will go into Master (Primary) state and it will get very messy.

    As far as I know, there are plans to implement such features for backup interfaces to prevent this.

    Here is the Feature Request: https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/34644892-high-availability-with-backup-interface

    Most of the setups I saw use some kind of switching mechanism to prevent the HA link from failing and still use split brain, or use two HA clusters.

    It still depends on the load, because you need to keep in mind that the appliance will sync a lot of traffic in real time.
