SunScreen 3.1 Administration Guide

Configuring Policies for a HA Cluster

You configure an HA cluster just as you configure a single Screen. Policy rules for passive HA Screens are configured when those Screens connect to the primary HA Screen. Write a rule that permits connecting to the unique address of each host in the HA service group.

Updates to the primary HA Screen are automatically relayed to all the other HA Screens. This synchronization takes place during activation: when a configuration is activated, the primary HA Screen transfers the configuration, including certificates, local keys, addresses, policy rules, and the like, to all secondary HA Screens.

When an HA host is in passive mode, it is impossible to connect to that host directly, except by remote administration over the HA interface. This also applies to connections from one HA host to another on the HA interface.

You can allow additional services (other than the standard HA service, remote administration, and heartbeat). These services are allowed only between the HA hosts. Add them to the HA service group by selecting Service in the Type choice list on the Edit Policy page, then add the services you want to include.

Adding these services to the HA service group circumvents the passive-mode restriction: their traffic passes through the SunScreen filters even when the host is in passive mode.