
Identifying Active FW in Active/Passive HA setup

Hello everyone!

I am brand new to the forums and to the Sophos XG product line... I am a Cisco guy, which seems a bit of a hindrance now that I work with Sophos. I have a question, if you wouldn't mind.

I have many remote locations running active-standby XG210 or XG230 pairs with a single ISP. I have been tasked with placing a switch between the ISP and the XG pair to avoid having to swing the WAN link when/if there is a failover. However, in this scenario, if the switch dies I am afraid it is going to be very difficult for the remote tech to tell which unit is primary and which is standby. Is there a way for the remote tech to tell which unit is active by looking at the front panel or interacting with the LCD screen?

Thanks for your help!



This thread was automatically locked due to age.
  • You can simply look at the Webadmin of XG - High Availability and print both serial numbers. It will tell you which is active and which is passive.

    Post both serial numbers to the technician; he should be able to identify both by the serial.

    In V18, you can use a configuration to stay always on appliance A as active, if possible. Hence you could label the "upper" appliance to be the active appliance.

  • Thanks for the response!

    Would the active firewall have a link light on the LAN port when it is active, or do both (A and P) keep the LAN port on at all times?

  • Both appliances are active at the same time. The HA passive appliance will simply not answer requests. Both share a virtual MAC and IP.

    BTW: that's the reason you do not need to do "anything". If one appliance takes over, it will react with the same MAC and IP as the original appliance. Hence the ISP and other clients within the network should not notice anything.

    Only the switch will notice that the MAC switched from Port A to Port B. There are certain switches which need configuration to allow this, as they assume this is a MAC spoofing attack or they need to reconfigure STP.
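
Added example (not part of the thread, and not Sophos or switch-vendor code): a triage sketch for the MAC-move events the last reply describes, separating an expected HA failover from a move that deserves a closer look. The virtual MAC, the port names and the log lines are constructed assumptions; the lines follow the style of Cisco IOS MAC-flap notifications.

```python
import re
from collections import defaultdict

# Assumptions (placeholders, not values from the thread):
HA_VIRTUAL_MAC = "0011.2233.4455"   # shared virtual MAC of the HA pair
HA_PORTS = {"Gi1/0/1", "Gi1/0/2"}   # switch ports facing appliance A and B
MAX_MOVES = 2                       # more moves than this in one log window is unstable

FLAP_RE = re.compile(
    r"MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)", re.I)

# Constructed sample log lines.
SAMPLE_LOG = """\
Mar  1 10:00:01: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping between port Gi1/0/1 and port Gi1/0/2
Mar  1 10:05:12: %SW_MATM-4-MACFLAP_NOTIF: Host aabb.cc00.0100 in vlan 10 is flapping between port Gi1/0/5 and port Gi1/0/9
"""

def classify(log_text):
    """Return {mac: verdict} for every MAC that moved between ports."""
    moves = defaultdict(list)
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            moves[m["mac"].lower()].append({m["a"], m["b"]})

    verdicts = {}
    for mac, events in moves.items():
        ports = set().union(*events)
        if mac != HA_VIRTUAL_MAC or not ports <= HA_PORTS:
            # Either an unknown MAC is moving, or the virtual MAC showed up
            # on a port that does not belong to the HA pair.
            verdicts[mac] = "investigate: MAC moved outside the HA pair"
        elif len(events) > MAX_MOVES:
            # Virtual MAC bouncing between A and B: HA flapping or a loop.
            verdicts[mac] = "investigate: repeated moves between HA ports"
        else:
            verdicts[mac] = "expected: HA failover"
    return verdicts

if __name__ == "__main__":
    for mac, verdict in classify(SAMPLE_LOG).items():
        print(mac, "->", verdict)
```
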