Options for moving XG firewall in HA mode between physical locations

Howdy!

My company is moving our XG firewalls from one data center to another. The move requires configuration changes of various sorts (e.g., WAN port IP address). The firewalls are currently running in HA Active-Passive mode. I'll call the active device at the old data center "Device A" and the standby device "Device B" to avoid future confusion. I'd like to move the secondary device (Device B) to the new data center, configure it appropriately and test it. Once I'm happy that it's configured correctly, I would then move the other device (Device A) from the old data center to the new one and install it there.

Without breaking HA prior to moving Device B, will Device A come up as the secondary at the new data center and receive the updated configs from Device B? To avoid issues with having two firewalls possibly active at the same time, I won't connect device B to the WAN or LAN until I'm sure of B's status.

Or, should I break HA prior to moving Device B, configure B appropriately at its new home, then re-establish HA with B as the active box and A as the secondary/passive? I figure this would be the safer route, but it'd be nice not to have to fiddle with HA unless I have to. Again, to avoid issues with having two firewalls possibly active at the same time, I won't connect B to the WAN or LAN until HA is re-established.

Thanks for your thoughts and ideas.

Sincerely,

Chris M.

  • Best bet is to move the units together, plug it up at the new data center.  Before you move over to the new data center, though, you should be able to test new IP address using your laptop or a generic router to verify traffic is up.  Then make the shift, update the WAN interface configuration after moving the equipment into the new datacenter.

    The issue with trying to move Device B to the new DC location whether in HA mode or removed, is lack of a license to apply since Device A will still be the active licensed appliance.  I think this might be feasible if you had Active/Active configured.  A lift and shift may be your best option here, just do some initial testing with the assigned IPv4 block you got from the new datacenter before the move.

  • You will have to break HA. Then contact your Sophos partner to get an evaluation license for the second device. Then you are able to test the setup at the new location. After the move, just switch roles and turn on HA again.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question, please use the 'Verify Answer' button.

  • Actually, in SFOS you can start your own trial every time you want. So no need to contact somebody. Simply go to administration - licensing and start a new 30 day trial.

  • Thanks to people who have replied so far. I have a few comments and updates that may be of interest.

    • Unfortunately, I can't move the firewalls together because the amount of down time would be excessive. Hence the desire to move one box at a time.
    • I was aware that the box from which HA is launched needs to have a license. Although we're running in Active-Passive mode, both boxes are licensed. Why? We originally wanted to run in Active-Active mode, which requires two licenses. Sadly, we experienced weird LAN behavior while running A-A, so we devolved to A-P.
    • My plan was to break HA and then re-establish it at the new location. The comments thus far reinforce that.
  • If you have a license for the 2nd box, go for it. The eval option will work, too. Didn't occur to me to try that, but as suggested by jprusch and Luca, that course will work. Device A will become Auxiliary in the new QuickHA / HA configuration at the new site.

  • Lucar Toni,

    my experience with this "you can start a trial anywhere, anytime": if you have registered a firewall device once, you won't be able to use a trial license on it anymore. Never again.

    Hence my suggestion for the already registered slave device.

    Kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question, please use the 'Verify Answer' button.