Sophos: Connect to passive firewall when two firewalls are in active/passive HA

From Notes_Wiki

Home > Enterprise security devices or applications > Sophos Firewall or IPS > Sophos Connect to passive firewall when two firewall are in active/passive HA

When two firewalls are in active/passive HA, connecting to the LAN/WAN IPs over HTTPS or SSH always lands on the active firewall. To check something specific on the passive firewall, SSH to the active firewall first and from there SSH to the passive firewall over the dedicated HA link between the two units. The steps are:

  1. Connect to the firewall via the web UI (typically https://<ip-or-fqdn>:4444/).
  2. Go to Network -> Interfaces and note the port number of the HA port (e.g. Port9).
    Also note the IP address of the firewall on that port (e.g. 169.254.192.2).
  3. Go to System services -> High availability and note the value under "Dedicated peer HA link IPv4 address".
  4. SSH to the firewall IP, then choose option 5 "Device management" and then option 3 "Advanced shell".
  5. (Optional) Check the IPs of the active firewall's interfaces via:
    ip addr show
    and look for the IP against the HA port (e.g. Port9@mv-pcimux0).
  6. (Optional) Check netstat connections from the HA link subnet to find the HA link IP address of the passive firewall. Example command:
    netstat -alnp | grep 169.254.192
    The secondary (auxiliary) firewall IP should be listed in the output (e.g. 169.254.192.1). Try pinging that IP.
    Note that this IP is the same as the one noted under "Dedicated peer HA link IPv4 address", so the command-line steps for finding the passive peer IP are optional.
  7. Finally, connect to the auxiliary (passive) firewall from the primary firewall's SSH session using:
    ssh <ssh-username>@<peer-ha-link-ip>
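The discovery in steps 5 and 6 can be scripted from the active firewall's advanced shell. The POSIX shell functions below are an added example, not from this wiki or from Sophos: they read the local HA link IP for a named port out of `ip addr show` output and then list peer addresses on the same HA /24 from `netstat -aln` output, generalising the single grep in step 6. The port name Port9 and both captured outputs are constructed samples.

```shell
#!/bin/sh
# Added example (not from the wiki). Constructed sample of `ip addr show` as
# seen on the active firewall; the HA port here is Port9 on 169.254.192.2/24.
SAMPLE_IPADDR='5: Port9@mv-pcimux0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
    inet 169.254.192.2/24 brd 169.254.192.255 scope global Port9
6: Port1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP
    inet 192.168.1.1/24 brd 192.168.1.255 scope global Port1'

# Constructed sample of `netstat -aln`; the passive peer is 169.254.192.1.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 169.254.192.2:22        169.254.192.1:44812     ESTABLISHED
tcp        0      0 169.254.192.2:9999      169.254.192.1:50310     ESTABLISHED
tcp        0      0 192.168.1.1:4444        192.168.1.50:52110      ESTABLISHED
udp        0      0 169.254.192.2:6789      0.0.0.0:*'

# local_ha_ip PORT IPADDR_OUTPUT -> IPv4 address (without prefix length) of
# the interface block named PORT or PORT@<parent>; empty if the port is absent.
local_ha_ip() {
    printf '%s\n' "$2" | awk -v port="$1" '
        /^[0-9]+: / { inblock = (index($2, port "@") == 1 || $2 == port ":") }
        inblock && $1 == "inet" { sub(/\/.*/, "", $2); print $2; exit }'
}

# find_peer_ha_ips LOCAL_HA_IP NETSTAT_OUTPUT -> distinct foreign addresses in
# the local HA /24 other than the local firewall itself, one per line, sorted.
find_peer_ha_ips() {
    me=$1
    prefix=$(printf '%s\n' "$me" | awk -F. '{ print $1 "." $2 "." $3 "." }')
    printf '%s\n' "$2" | awk -v p="$prefix" -v me="$me" '
        NR > 2 && NF >= 5 {
            split($5, fa, ":")                  # foreign column is ip:port
            if (fa[1] != me && index(fa[1], p) == 1) seen[fa[1]] = 1
        }
        END { for (ip in seen) print ip }' | sort
}

# Stand-alone demo on the constructed samples; on a live firewall replace the
# samples with "$(ip addr show)" and "$(netstat -aln)".
ha_ip=$(local_ha_ip Port9 "$SAMPLE_IPADDR")
echo "local HA link IP: $ha_ip"
echo "candidate peer HA link IPs:"
find_peer_ha_ips "$ha_ip" "$SAMPLE_NETSTAT"
```

The listed peer address should match the "Dedicated peer HA link IPv4 address" from step 3 before it is used in step 7.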
