Peer Administration on a Sophos XGS HA cluster only behaves if the network layout is thought through first. Keep client traffic, the HA heartbeat and management on separate paths where you can. A dedicated HA link is the cleanest option. I would use a small heartbeat subnet, such as 172.16.100.0/30 between the primary and auxiliary. Keep the management or Peer Administration IPs out of the client DHCP pool. Put them on a management VLAN or a separate physical port if that is available. If the admin IP has to sit on the same LAN as clients, document it and reserve it in DHCP. If the primary LAN IP is 10.60.7.1/24, the auxiliary can have an admin IP such as 10.60.7.2, but that is not the clients’ gateway.
Set the Peer Administration values in the Sophos GUI after the network plan is fixed. Give the auxiliary its administrator IP on the chosen interface and set the primary’s admin IP where the primary listens. The heartbeat should have its own link or VLAN, and the cluster virtual IP should sit where client traffic is meant to land. In active-passive mode, that virtual IP is the gateway for client DHCP leases. For port 1 DHCP configuration, hand out the cluster virtual IP as the gateway, not the auxiliary admin IP. The auxiliary admin IP is for management and failover signalling, not normal client traffic. Sophos has a habit of making the obvious mistake look tidy until failover time.
Be careful with DHCP. If the LAN uses a virtual IP, put that virtual IP into the DHCP scope as the default gateway. Do not hand out a physical appliance IP as the lease gateway. If the Sophos DHCP server is running on the firewall, set the gateway to the cluster virtual IP. If an external DHCP server is doing the work, create a reservation or static route so that clients still reach the virtual IP as their gateway during failover. Test it by forcing a failover and checking that clients keep the same gateway and traffic carries on.
Keep the interface map and firewall rules written down. Note which physical ports map to which VLANs, the admin IPs, the heartbeat subnet and the cluster virtual IPs. Build firewall rules against the virtual IPs or zone objects rather than a physical admin IP. That keeps policy steady when the active unit changes. Only open the management services you need to the admin IPs, and restrict access with management ACLs. Keep HA event logging switched on.
For maintenance, I use a short checklist. Check HA synchronisation after any change. Match firmware and hotfix levels on both units before pairing them. Run a scheduled failover test quarterly. Confirm routing and DHCP behaviour after the test. Keep the network diagram and DHCP scope list up to date. The usual failures are mismatched interfaces, forgotten DHCP gateway settings and using the auxiliary admin IP as the client gateway. When something breaks, check the heartbeat link first, then the admin IPs, then the virtual IP bindings.
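A pre-change check of the addressing plan, added here as an example and not taken from the original text or from Sophos: it encodes the rules above (heartbeat kept off the client subnet, DHCP gateway equal to the cluster virtual IP, admin IPs and VIP outside the DHCP pool, policy written against VIPs or zones rather than a physical admin IP) and runs them over a constructed plan. The cluster VIP, DHCP pool, rule names and the management service names are hypothetical values chosen for the example.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Constructed HA plan. Primary LAN 10.60.7.1/24, auxiliary admin 10.60.7.2 and the
# 172.16.100.0/30 heartbeat come from the text; the VIP, pool and rules are made up.
GOOD_PLAN = {
    "heartbeat": "172.16.100.0/30",
    "lan": "10.60.7.1/24",                      # primary's LAN address and subnet
    "cluster_vip": "10.60.7.254",               # hypothetical cluster virtual IP
    "admin_ips": ["10.60.7.1", "10.60.7.2"],    # primary and auxiliary admin IPs
    "dhcp": {"pool": ("10.60.7.100", "10.60.7.200"), "gateway": "10.60.7.254"},
    # Rule targets are either an IP or a zone object name such as "LAN" or "WAN".
    "fw_rules": [{"name": "web-out", "src": "LAN", "dst": "WAN", "service": "HTTP"},
                 {"name": "mgmt-https", "src": "MGMT", "dst": "10.60.7.2", "service": "HTTPS"}],
}

MGMT_SERVICES = {"HTTPS", "SSH"}   # hypothetical names for the admin services you keep open


def check_plan(plan):
    """Return a list of findings; an empty list means the plan passes every check."""
    findings = []
    lan = ip_interface(plan["lan"]).network
    hb = ip_network(plan["heartbeat"])
    vip = ip_address(plan["cluster_vip"])
    admins = [ip_address(a) for a in plan["admin_ips"]]
    lo, hi = (ip_address(x) for x in plan["dhcp"]["pool"])
    gw = ip_address(plan["dhcp"]["gateway"])

    # 1. The heartbeat must not share address space with client traffic.
    if hb.overlaps(lan):
        findings.append(f"heartbeat {hb} overlaps client LAN {lan}")
    # 2. Leases must carry the cluster VIP as gateway, never a physical admin IP.
    if gw != vip:
        findings.append(f"DHCP gateway {gw} is not the cluster VIP {vip}")
    if gw in admins:
        findings.append(f"DHCP gateway {gw} is an appliance admin IP")
    # 3. Admin IPs and the VIP must sit outside the pool (reserve them instead).
    for addr in admins + [vip]:
        if lo <= addr <= hi:
            findings.append(f"{addr} lies inside DHCP pool {lo}-{hi}")
    # 4. Only management rules may point at an admin IP; everything else uses VIP or zone.
    for rule in plan["fw_rules"]:
        try:
            dst = ip_address(rule["dst"])
        except ValueError:
            continue  # a zone object name, which is the preferred form
        if dst in admins and rule["service"] not in MGMT_SERVICES:
            findings.append(f"rule {rule['name']} targets admin IP {dst} for {rule['service']}")
    return findings
```

Run it against the plan before pairing the units and again after any interface or DHCP change; the findings list is the same set of mistakes the checklist above warns about.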
Practical takeaways: use a dedicated heartbeat, keep admin IPs away from client gateways, hand out the cluster virtual IP in DHCP, write firewall rules against virtual IPs or zones, and test failover regularly. That keeps a Sophos XGS HA cluster predictable during failover and maintenance.