Today I wanted to take advantage of Sophos UTM's high availability (HA) feature by installing a passive instance of UTM 9.x (we use version 9.307006 at the moment).
Our installation is entirely virtual: we only have virtual hosts running ESXi 5.5 (build 2456374), Force10 switches and SAN gear.
The first thing to do is to get your UTM set up and configured the way you want it. Put a couple of extra NICs in there for the future, get basic firewall functionality working and make sure “everything” works. Or, if you’ve already got a UTM set up, start by logging into your UTM shell as root and entering the following command:
cc set ha advanced virtual_mac 0
The above MUST be done for the HA system to work in the VMware environment.
Next, clone your existing system. I have an even/odd-numbered vHost scheme going on, so I changed the name of the existing UTM to UTM01 and cloned it from vHost01 to vHost02 as UTM02.
Once the clone snapshot had completed, I logged into UTM01 and went to:
Management, High Availability, and clicked the Configuration tab.
Here, select Hot Standby (active-passive)
Below in Configuration, select your NIC, I used the last one added to the system. (eth7)
Then enter the device name (csutm01), select device node 1 and set an encryption key.
Go ahead and apply all your settings (click both apply buttons).
By now your clone should be done, DO NOT POWER IT ON.
Right-click the VM and disconnect all network cards except the one connected to the HA network.
Now power up UTM02 and open the console. Wait for the system to come to the login screen and use your root credentials to log in.
Now we will reset the configuration of the UTM02 to factory. MAKE SURE you are on the CORRECT SYSTEM!!
So, login as root,
cc (enter)
RAW (enter)
system_factory_reset (enter)
The system will power off when complete. Once it has powered off, reconnect your internal interface. Power it back up and go through the basic setup settings. The only thing required is an internal network; don’t configure anything else. (You may have to add a license file.)
Once the system allows you to log in, go to
Management, High Availability, and click the Configuration tab.
Here, select Hot Standby (active-passive)
Below in Configuration, select your NIC, I used the last one added to the system. (eth7)
Then enter the device name (csutm02), select device node 2 and set an encryption key.
Go ahead and apply all your settings (click both apply buttons).
The web interface will lock up, indicating that you have lost connection to the secondary, UTM02.
You should already be logged in to UTM01, and if you go to the High Availability menu you should see UTM01 with status Active (or Master) and UTM02 with status Syncing. It takes about 15 minutes for the system to stabilize, so be patient.
There you have it. The above steps are exactly how I set up my three data centers and a development environment. If you have any trouble, please feel free to send me a message.
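A small pre-flight check I would run from the UTM shell before the two steps above that are hard to undo (the factory reset on the clone and enabling HA). This is an added example, not part of the original post: it assumes the csutm01/csutm02 naming used in the post and that the device name is what hostname returns; reading the setting back with cc get ha advanced virtual_mac is an assumption about the confd client that mirrors the documented cc set command.

```sh
#!/bin/sh
# Pre-flight check before enabling HA or running system_factory_reset on a
# Sophos UTM node in VMware. Confirms that the shell belongs to the node you
# think it does (the post's "MAKE SURE you are on the CORRECT SYSTEM"), that
# the device name agrees with the HA node id (csutm01 -> node 1, csutm02 ->
# node 2), and that "ha advanced virtual_mac" is 0 as VMware requires.
# Device names are constructed from the post's convention; "cc get ..." below
# is an assumed read-back of the documented "cc set ha advanced virtual_mac 0".

# ha_preflight EXPECTED_NAME ACTUAL_NAME NODE VIRTUAL_MAC
# Prints the reason and returns 0 when it is safe to proceed, 1 otherwise.
ha_preflight() {
    expected="$1"; actual="$2"; node="$3"; vmac="$4"

    if [ "$expected" != "$actual" ]; then
        echo "REFUSE: this shell is on '$actual', expected '$expected'"
        return 1
    fi

    case "$node" in
        1|2) ;;
        *) echo "REFUSE: HA node id must be 1 or 2, got '$node'"; return 1 ;;
    esac

    # Last digit of the device name must match the node id; a name without a
    # trailing digit leaves $suffix equal to the whole name and is refused.
    suffix=$(printf '%s' "$actual" | sed 's/.*\([0-9]\)$/\1/')
    if [ "$suffix" != "$node" ]; then
        echo "REFUSE: device name '$actual' does not match HA node $node"
        return 1
    fi

    if [ "$vmac" != "0" ]; then
        echo "REFUSE: ha advanced virtual_mac is '$vmac'; must be 0 on VMware"
        return 1
    fi

    echo "OK: $actual is HA node $node with virtual_mac=0"
    return 0
}

# On the clone, before "cc / RAW / system_factory_reset" (assumed read-back):
# ha_preflight csutm02 "$(hostname)" 2 "$(cc get ha advanced virtual_mac)"
```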