Deploy Sophos UTM in High Availability Mode

Table of Contents


  • Two running instances of Sophos UTM with the following basic characteristics:
    • Basic Sophos configuration such as the initial settings created by the setup wizard.
    • Both Sophos instances must be at the same software version.
    • Shell access enabled for root (under Management > System Settings)
    • A minimum of three network interfaces:
      • External (WAN)
      • Internal (Production)
      • Heartbeat (Replication)
    • A management server behind the Sophos UTM appliances for testing purposes.
  • Basic knowledge of the ProfitBricks DCD to perform the following tasks:
    • Deploy virtual machines from a user uploaded ISO.
    • Reserve and assign static Public IP addresses.

Sample configurations

The infrastructure for this tutorial will be hosted at ProfitBricks. Here are the sample configurations that will be used for this scenario and a screen shot of the topology. Sophos UTM #1 - Availability Zone: 1 - eth0: 158.222.X.X/24 (ProfitBricks Reserved IP) - eth1: - eth2: Not Configured

Sophos UTM #2 - Availability Zone: 2 - eth0: 158.222.X.X/24 (ProfitBricks Reserved IP) - eth1: - eth2: Not Configured

Management Server - eth0:

Sample Sophos configurations

Note: Due to the network virtualization layer implemented by ProfitBricks, the external (WAN) Sophos network interfaces is required to have a contiguous IP space to ensure they are on the same broadcast domain (layer 2) in order for the public IP to be usable by either node in the cluster.

Disable the virtual MAC address usage

The next step is to disable the virtual MAC address usage on both Sophos nodes. This is required due the network security features implemented by ProfitBricks which do not allow MAC spoofing.

Launch the ProfitBricks remote console for Sophos UTM #1 and log in as root. At the command prompt, execute the following command (case-sensitive):

/usr/local/bin/confd-client.plx set ha advanced virtual_mac 0

This will return "1" as shown below.

Turning off MAC spoofing in Sophos

Repeat this step for Sophos UTM #2 to also disable the virtual MAC address.

Set up the high availability configurations

Launch the Sophos UTM # 1 Webadmin console. Go to the High Availability section under the Management left navigation menu.

In the High Availability configuration page, click on the Configuration tab and apply the parameters listed below which are also shown in the screenshot: - Operation mode: Automatic configuration - Sync NIC: eth2

High availability configuration in Sophos

Launch the Sophos UTM # 2 Webadmin console. Go to the High Availability section under Management in the left navigation menu and apply the same configurations.

Initial sync

At this stage, an initial sync will occur between the Sophos nodes. It may be a good idea to set up a continuous ping to both of the management interfaces (if ping was allowed) from the management server behind the Sophos machines. Once one stops responding, this is an indication that things are working as expected.

Also, if notifications are configured, an email will be sent when the cluster is ready. This email notification will also specify which node is Master/Slave.

Note: You may be temporarily disconnected from your current Webadmin session.

Check the cluster's status

Log into the Sophos Webadmin (IP of Master node). Go back to the High Availability section under Management in the left navigation menu to see the status of the cluster. You can also open the HA Live Log to inspect for any issues.

Checking the status of a Sophos high availability cluster

Check the cluster's configuration

Click on the configuration tab to inspect the additional configuration parameters that are now available. You will see the operation mode has changed to Hot Standby (active-passive).

Checking the configuration of a Sophos high availability cluster

Wait for the synchronization to finish

Go back to the status tab. The two nodes will display a "READY" state in the status tab once they finish synchronizing. At this point the Active-Passive cluster will be fully functional and the HA pair can be managed through the single management interface. All changes will be automatically replicated.

Perform a failover test

The next step is to perform a failover test to verify that everything is working correctly.

Set up test connections from both directions: - Egress - Set up a continuous ping and/or any other continuous connection (e.g. stream a video clip, upload a file, etc.) from the management server behind the Sophos cluster to an Internet endpoint. - Ingress - Set up a continuous ping and/or any other continuous connection (e.g. remote desktop via NAT rule) from an external system to the public IP of the Sophos cluster.

Log into the Sophos WebAdmin (IP of Master node). Go to the High Availability Status tab and start the failover procedure by rebooting the Master node as depicted below:

Reboot the Sophos cluster

Below are the results from my test: 1. Egress - Only one packet was dropped by the internal management interface. 2. Egress - Logged in to a website that requires login and was able to continue to browse after a refresh. 3. Ingress - Only one packet was dropped by the external (WAN) interface. 4. Ingress - Established an RDP session to management server behind the Sophos cluster. No issues experienced.

Other considerations

  • Make sure to review the HA Live Log from the High Availability Status tab for troubleshooting purposes.

  • Make sure to speak to your Sophos Sales representative regarding licensing. My understanding is that there is no extra cost for the second node of a Hot-Standby HA pair.

  • Hi everyone,

    i do not really understand what happens if the MASTER is going down and i have, let's say a webserver behind it. Can i reach the webserver with the same IP adress if the SLAVE is going to do the work? If yes, why do i need a second ip adress for the SLAVE?

    And do i have to configure the External (WAN) interface for the SLAVE manually or is the SLAVE automatically getting the information from the MASTER?

  • Hi,

    In the configuration described in this tutorial, the SLAVE would take over any operations being handled by the MASTER (Sophos automatically synchronizes all configuration). So, if you have a webserver on IP 01 being served by the MASTER, and something triggers a failover to the SLAVE, the SLAVE would takeover (same IP 01) and any other operations being handled by the MASTER.

    The reason you need at least two Public IPs is to enable the ProfitBricks "VLAN" on both (MASTER & SLAVE) WAN interfaces. That's why you would need two IPs with the same first 3 octets. After the cluster is enabled, those two IPs can be shared among the cluster (they can move from one VM to the other). Also, my understanding is that Sophos recommends having one IP for the Firewall/VPN/Portal portions of the appliance and a separate IP (or IPs) for other services such as web publishing. I believe the reason for this is to prevent some port overlaps. For example: the Sophos User Portal runs on port 443. This could have a conflict with other HTTPS sites you publish.

    Lastly, the SLAVE has to have some basic configuration in order to establish the cluster. At that point, the MASTER would then synchronize all configuration to the SLAVE and act as one.

    Hope this helps.


Log In, Add a Comment