
Network firewall upgrade to Sophos Firewall Redundant


Network firewall upgrade to a redundant Sophos firewall

Network firewall high-availability implementation (redundant Sophos firewall implementation). This ensures continuous protection of the system and infrastructure and minimizes potential downtime.

The Sophos Firewall redundant project implements a physical on-premise firewall pair with high availability and performs the migration/cut-over from the old firewall to the new one. The goal of the project is to reduce the risk that, in the event of a firewall hardware failure or downtime, the network stays down for days until the device is replaced and reconfigured. With high availability, a hardware failure of one firewall has no negative impact: the second unit stays online and continues to protect the entire network. Thus the Internet connection, site connections, the connection to Azure Cloud, and the SD-WAN connections are guaranteed. Sophos Central sends alerts immediately, so our colleagues see the failure, start troubleshooting and, if necessary, order a replacement device.

As a high-availability solution, traffic is load-balanced between the two units. This minimizes the risk that a firewall hardware failure becomes a single point of failure leading to network and enterprise downtime. It also ensures network connectivity and ongoing service during maintenance windows (such as patching and updating).

Sophos Firewall redundant project implementation approach:

For large businesses and service providers, where continuous service must be ensured 24/7, our approach is to stage the new firewall in a separate VLAN, if possible with a temporary Internet connection:

  • In general, we recommend that both devices be racked and connected to the network, with the network switch configured so that they do not yet communicate with the production network (for example, the VLAN allocated to the Sophos ports is an unused VLAN).
  • In this case, we temporarily configure one of the Sophos ports with an otherwise unused network IP address so that we can reach the device and perform administrative tasks.
  • We then make all the necessary settings on the Sophos device.
  • If possible, we request a virtual machine in the same temporary VLAN as the LAN port of the Sophos firewall so that we can perform the basic tests.
  • If possible, we test the Internet functionality of the Sophos firewall and the site-to-site VPN connections at a predefined time (Internet connections are migrated from the old firewall to the Sophos firewall one by one). We can perform additional tests from the virtual machine while the old firewall is still live in the network.
  • Based on the test results, we plan the UAT (on a weekend day) and the pilot, in which the main firewall is taken out of the network and the Sophos firewall goes live. User Acceptance Testing (UAT) decides how the pilot and go-live proceed.

There are many cases in which the old and new firewalls can work together so that the transition does not interrupt service. Therefore, a preliminary conversation is necessary to learn the topology (how the network devices are connected) and to plan the project in the way that best suits the business needs.

Sophos Firewall redundant project in-scope activities:

We perform the requirements analysis during the contract phase to select the correct Sophos hardware and the required license and to draw up a simplified migration plan.

  • On-site inspection (if necessary)
  • Create complete documentation
  • Set firewall rules (current firewall rules exported, or configured from scratch)
  • Detailed migration planning
  • Installation in a rack and connection to the network switches
  • Perform configurations
  • Prepare firewall settings
  • Set up Internet, email, and spam filtering
  • Basic and detailed testing – depending on the settings we make and how the pilot is designed
  • Finalize the pilot plan aligned with the settings
  • Pilot execution, in-depth testing and assessment of the results
  • Fine-tuning – adjust settings based on the pilot results
  • Transition according to plan
  • Further fine-tuning
  • Implement support and monitoring

Sophos Firewall redundant project hardware and software requirements:

Required physical equipment

  • 2 x Sophos UTM appliances: the exact model is agreed during the requirements analysis phase and depends mainly on the number of users, Internet connections, and bandwidth.

Required software

  • Sophos Full Guard License (finalized in the requirements analysis phase as well)

Sophos Firewall redundant project pre-requirements:

  • Redundant LAN connection for two separate devices – provide link aggregation
  • Redundant / multiple Internet connections, including their connection details and provider contact information
  • Free rack space and free switch ports, link aggregation setup
  • If you do not operate the network devices yourself: switch port setup (teaming/link aggregation, tagged and untagged VLAN setup)
  • Resources for testing and for tracking changes during the migration according to ITIL processes
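Added example (not part of this page, nor Sophos or customer configuration): the switch side of the staging approach described above (unused VLAN on the Sophos ports, test VM in the same VLAN) together with the switch-port prerequisite (link aggregation, tagged and untagged VLANs), written in Cisco IOS syntax as an assumption. VLAN IDs, interface names and port-channel numbers are placeholders. Each firewall gets its own LACP port-channel that carries only the staging VLAN; at cut-over the allowed and native VLANs on the port-channels are swapped to the production VLANs, so the cabling does not change and the change can be reverted by restoring the staging VLAN.

```text
! Staging VLAN (placeholder ID 999): unused in production, only the new
! firewall pair and the test VM live here until UAT is complete.
vlan 999
 name FW-STAGING
!
! Firewall A LAN uplink: two member ports bundled with LACP.
! The staging VLAN is native so the temporary admin IP on an untagged
! Sophos port is reachable without a VLAN sub-interface.
interface Port-channel11
 description SOPHOS-FW-A LAN
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 999
!
interface range GigabitEthernet1/0/1 - 2
 description SOPHOS-FW-A LAN member
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 999
 channel-group 11 mode active
!
! Firewall B LAN uplink, identical on purpose: an HA pair needs the same
! interface layout on both units.
interface Port-channel12
 description SOPHOS-FW-B LAN
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 999
!
interface range GigabitEthernet1/0/3 - 4
 description SOPHOS-FW-B LAN member
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 999
 channel-group 12 mode active
!
! Test VM used for the basic tests, access port in the staging VLAN.
interface GigabitEthernet1/0/10
 description TEST-VM
 switchport mode access
 switchport access vlan 999
!
! Assumption: the dedicated HA link between the two Sophos units is
! cabled directly and is not part of this switch configuration.
!
! Cut-over (run during the planned pilot / go-live window): replace the
! staging VLAN with the production VLANs on both port-channels.
! Placeholder IDs: 10 = servers, 20 = clients, 30 = management (untagged).
interface Port-channel11
 switchport trunk native vlan 30
 switchport trunk allowed vlan 10,20,30
!
interface Port-channel12
 switchport trunk native vlan 30
 switchport trunk allowed vlan 10,20,30
!
! Rollback: re-apply "native vlan 999" and "allowed vlan 999" to both
! port-channels and bring the old firewall's uplink back up.
```

The point of keeping the staging and cut-over steps as VLAN changes on the port-channels is that the pilot can be reversed within minutes from the switch alone, without touching the racked hardware or the Sophos configuration; the member-port and port-channel settings are kept identical so that LACP does not suspend a member because of a configuration mismatch.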