HA Setup

Question

I am trying to setup HA active/passive using this document - https://community.sophos.com/kb/en-us/123174 but after setting it up under HA details it now shows - 
 
 Primary serial number standalone 
 Peer serial number: Faulty 
 
 Some questions about the document - 
 
 1) it shows the same IPs on both firewalls for all interfaces other than the dedicated HA port. How should this be setup ie. the standby device has 172.16.16.2 as the default on the LAN and I had to configure a public IP on the WAN to register the device (no registration = no HA). 
 Should I have wiped these IPs before setting up HA so in effect the only IP configured on the secondary device was on the HA port 
 2) the Peer administration IP - the primary has a LAN IP of 172.16.7.1 and I wanted to use the LAN interface as the peer administration port so I entered 172.16.7.2. Should I have configured this before setting up HA or does this get pushed to the standby device. 
 3) I cannot now disable HA so it is stuck where it is enabled but not working. 
 Think I am just not clear on what should be configured on the standby device in terms of interface IPs before trying to setup HA ? 
 Any help much appreciated. 
 Thanks

BeEf · Accepted Answer

Hi Jon, 
 the setup is quite tricky - it sometimes behaved strange on our site es well and not everything was explainable. You have to read everything thoroughly. 
 We did not see the issue with the firewall blocking when disabling HA. Maybe this has something to do with your underlying network. Instead of touching every rule a reboot also might have helped. 
 All monitored ports + HA ports have to be online before establishing HA. 
 As far as I remeber it worked like this: 
 - We registred both Firewalls individually (at least it is possible to setup HA on two firewalls that have previously configured). 
 - For the internal interface the firewall had different IPs. Regarding 2) - this need to be established before as the standby device does not know that it will get x.y.z.2. 
 - The first one was completely configured regarding all the monitored ports (LAN/WAN/DMZ) and the HA Port. The second was configured regarding HA Port + management port (LAN). All monitored interfaces were up, the HA port was connected directly. All switchports were configured with the correct VLANs. 
 - When establishing the HA the config is mirrored to the second firewall. They still have different management IPs but the firewall is reachable by the cluster IP (LAN / WAN /DMZ). We also used LAN for the management IP and the IP of the primary Firewall is the "official" IP. The IP of the secondary firewall ist still reachable.