- Two running instances of Sophos UTM with the following basic characteristics:
  - Basic Sophos configuration, such as the initial settings created by the setup wizard.
  - Both Sophos instances must be at the same software version.
  - Shell access enabled for root (under Management > System Settings).
  - A minimum of three network interfaces:
    - External (WAN)
    - Internal (Production)
    - Heartbeat (Replication)
- A management server behind the Sophos UTM appliances for testing purposes.
- Basic knowledge of the ProfitBricks DCD to perform the following tasks:
  - Deploy virtual machines from a user-uploaded ISO.
  - Reserve and assign static public IP addresses.
The infrastructure for this tutorial will be hosted at ProfitBricks. Here are the sample configurations that will be used for this scenario and a screenshot of the topology.

Sophos UTM #1
- Availability Zone: 1
- eth0: 158.222.X.X/24 (ProfitBricks Reserved IP)
- eth1: 192.168.2.1/24
- eth2: Not Configured

Sophos UTM #2
- Availability Zone: 2
- eth0: 158.222.X.X/24 (ProfitBricks Reserved IP)
- eth1: 192.168.2.2/24
- eth2: Not Configured

Management Server
- eth0: 192.168.2.10
Note: Because of the network virtualization layer implemented by ProfitBricks, the external (WAN) interfaces of both Sophos nodes must be allocated from a contiguous IP space so that they sit on the same broadcast domain (layer 2); otherwise the public IP cannot be taken over by either node in the cluster.
Disable the virtual MAC address usage
The next step is to disable the use of a virtual MAC address on both Sophos nodes. This is required because the network security features implemented by ProfitBricks do not allow MAC spoofing, which the floating HA virtual MAC relies on.
Launch the ProfitBricks remote console for Sophos UTM #1 and log in as root. At the command prompt, execute the following command (it is case-sensitive):
/usr/local/bin/confd-client.plx set ha advanced virtual_mac 0
This will return “1” as shown below.
Repeat this step for Sophos UTM #2 to also disable the virtual MAC address.
Set up the high availability configurations
Launch the Sophos UTM # 1 Webadmin console. Go to the High Availability section under the Management left navigation menu.
In the High Availability configuration page, click on the Configuration tab and apply the parameters listed below, which are also shown in the screenshot:
- Operation mode: Automatic configuration
- Sync NIC: eth2
Launch the Sophos UTM # 2 Webadmin console. Go to the High Availability section under Management in the left navigation menu and apply the same configurations.
At this stage, an initial sync will occur between the Sophos nodes. It is a good idea to set up a continuous ping to both internal management interfaces (if ping is allowed) from the management server behind the Sophos machines. When one of the nodes stops responding, that is the sign that it has gone into the sync and is being configured as expected.
Also, if notifications are configured, an email will be sent when the cluster is ready. This email notification will also specify which node is Master and which is Slave.
Note: You may be temporarily disconnected from your current Webadmin session.
Check the cluster’s status
Log into the Sophos Webadmin (using the IP of the Master node). Go back to the High Availability section under Management in the left navigation menu to see the status of the cluster. You can also open the HA Live Log to inspect it for any issues.
Check the cluster’s configuration
Click on the configuration tab to inspect the additional configuration parameters that are now available. You will see the operation mode has changed to Hot Standby (active-passive).
Wait for the synchronization to finish
Go back to the status tab. The two nodes will display a “READY” state in the status tab once they finish synchronizing. At this point the Active-Passive cluster will be fully functional and the HA pair can be managed through the single management interface. All changes will be automatically replicated.
Perform a failover test
The next step is to perform a failover test to verify that everything is working correctly.
Set up test connections from both directions:
- Egress: set up a continuous ping and/or any other continuous connection (e.g. stream a video clip, upload a file, etc.) from the management server behind the Sophos cluster to an Internet endpoint.
- Ingress: set up a continuous ping and/or any other continuous connection (e.g. remote desktop via a NAT rule) from an external system to the public IP of the Sophos cluster.
Log into the Sophos WebAdmin (using the IP of the Master node). Go to the High Availability Status tab and start the failover procedure by rebooting the Master node as depicted below:
Below are the results from my test:
1. Egress – Only one packet was dropped by the internal management interface.
2. Egress – Logged in to a website that requires login and was able to continue to browse after a refresh.
3. Ingress – Only one packet was dropped by the external (WAN) interface.
4. Ingress – Established an RDP session to the management server behind the Sophos cluster. No issues experienced.
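To turn the "how many packets were dropped" check into something repeatable, the following script is an added example (not part of the original tutorial, and not a Sophos or ProfitBricks tool). It parses the reply lines that a Linux `ping` prints during the egress and ingress captures, finds which icmp_seq numbers never received a reply, groups consecutive losses into outage windows, and converts the longest window into seconds at the ping interval you used. The log lines embedded in it are constructed sample data with documentation addresses (198.51.100.1 standing in for the Internet endpoint and 203.0.113.10 for the cluster's public IP); the ingress sample deliberately loses two consecutive packets so the grouping is visible.

```python
"""Summarise a continuous-ping capture from an HA failover test.

Added example, not part of the original tutorial. Input is the standard
iputils `ping` output captured on the management server (egress) and on an
external host (ingress). Lines that are not echo replies (the PING banner,
the statistics footer) are ignored.
"""
import re
from dataclasses import dataclass

# Matches e.g. "64 bytes from 198.51.100.1: icmp_seq=3 ttl=117 time=11.9 ms"
REPLY_RE = re.compile(r"icmp_seq=(\d+)\b.*?time=([\d.]+) ms")

# Constructed sample captures (not the author's results).
EGRESS_SAMPLE = """\
PING 198.51.100.1 (198.51.100.1) 56(84) bytes of data.
64 bytes from 198.51.100.1: icmp_seq=1 ttl=117 time=12.1 ms
64 bytes from 198.51.100.1: icmp_seq=2 ttl=117 time=12.4 ms
64 bytes from 198.51.100.1: icmp_seq=3 ttl=117 time=11.9 ms
64 bytes from 198.51.100.1: icmp_seq=5 ttl=117 time=13.0 ms
64 bytes from 198.51.100.1: icmp_seq=6 ttl=117 time=12.2 ms
""".splitlines()

INGRESS_SAMPLE = """\
PING 203.0.113.10 (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=56 time=30.5 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=56 time=31.0 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=56 time=30.8 ms
64 bytes from 203.0.113.10: icmp_seq=6 ttl=56 time=30.9 ms
64 bytes from 203.0.113.10: icmp_seq=7 ttl=56 time=30.7 ms
""".splitlines()


@dataclass
class PingSummary:
    replies: int          # number of echo replies seen
    lost: list            # icmp_seq numbers with no reply, in order
    outages: list         # (first_seq, last_seq) runs of consecutive losses
    max_rtt_ms: float     # slowest reply, a hint of buffering during takeover


def parse_replies(lines):
    """Return {icmp_seq: rtt_ms} for every reply line; other lines are skipped."""
    replies = {}
    for line in lines:
        m = REPLY_RE.search(line)
        if m:
            replies[int(m.group(1))] = float(m.group(2))
    return replies


def summarise(lines):
    """Find the sequence-number gaps between the first and last reply."""
    replies = parse_replies(lines)
    if not replies:
        return PingSummary(0, [], [], 0.0)
    first, last = min(replies), max(replies)
    lost = [seq for seq in range(first, last + 1) if seq not in replies]
    outages = []
    for seq in lost:
        # Extend the current run if this loss directly follows the previous one.
        if outages and outages[-1][1] == seq - 1:
            outages[-1] = (outages[-1][0], seq)
        else:
            outages.append((seq, seq))
    return PingSummary(len(replies), lost, outages, max(replies.values()))


def longest_outage_seconds(summary, interval_s=1.0):
    """Worst-case gap: packets in the longest run times the ping interval."""
    if not summary.outages:
        return 0.0
    return max(b - a + 1 for a, b in summary.outages) * interval_s


def report(name, lines, interval_s=1.0):
    s = summarise(lines)
    return (f"{name}: {s.replies} replies, {len(s.lost)} lost "
            f"{s.lost}, longest gap {longest_outage_seconds(s, interval_s):.1f}s, "
            f"max RTT {s.max_rtt_ms} ms")


if __name__ == "__main__":
    print(report("egress", EGRESS_SAMPLE))
    print(report("ingress", INGRESS_SAMPLE))
```

Run the real captures through it with `summarise(open("egress.log").read().splitlines())`; pass the `-i` interval you gave `ping` to `longest_outage_seconds` so the gap is reported in seconds rather than packets. A single lost sequence number in each direction, as in the results above, corresponds to a takeover of about one second at the default interval.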
- Make sure to review the HA Live Log from the High Availability Status tab for troubleshooting purposes.
- Make sure to speak to your Sophos Sales representative regarding licensing. My understanding is that there is no extra cost for the second node of a Hot-Standby HA pair.