ZyXEL Communications ZyWall USG 2000 User Manual page 695

If ZyWALL A becomes available again, ZyWALL A preempts ZyWALL B and
becomes the master again (the network returns to the state shown in
on page 694).
Synchronization
During synchronization, the master ZyWALL sends the following information to the
backup ZyWALL.
• Startup configuration file (startup-config.conf)
• AV signatures
• IDP and application patrol signatures
• System protect signatures
• Certificates (My Certificates, and Trusted Certificates)
Synchronization does not change the device HA settings in the backup ZyWALL.
Synchronization affects the entire device configuration. You can only configure one
set of settings for synchronization, regardless of how many VRRP groups you
might configure. The ZyWALL uses Secure FTP (on a port number you can change)
to synchronize, but it is still recommended that the backup ZyWALL synchronize
with a master ZyWALL on a secure network.
The backup ZyWALL gets the configuration from the master ZyWALL. The backup
ZyWALL cannot become the master or be managed while it applies the new
configuration. This usually takes two or three minutes or longer depending on the
configuration complexity.
The following restrictions apply with active-passive mode.
• The master ZyWALL must have no inactive monitored interfaces.
• The backup ZyWALL cannot be the master. This refers to the actual role at the
time of synchronization, not the role setting in the configuration screen.
The following synchronization restrictions apply with legacy mode.
• The master ZyWALL must have at least one active VRRP group and no standby
VRRP groups.
• The backup ZyWALL cannot be the master in any active VRRP group. This refers
to the actual role at the time of synchronization, not the role setting in the VRRP
group.
The backup applies the entire configuration if it is different from the backup's
current configuration.
ZyWALL USG 2000 User's Guide
Chapter 39 Device HA
Figure 460
695