About Active/Passive Pairs

The active/passive pair can be connected directly together or through a dedicated switch. The active/passive pair requires two private IP addresses and a private reserved subnet for proper configuration. These private IP addresses are reserved for the HA function's internal use and are used for HA heartbeat information and data synchronization. No user devices are allowed on this private subnet.
IWSVA uses a cluster IP address for the active/passive pair, which is used for managing the HA cluster. This cluster management IP address floats between the two HA units and is always associated with the active member of the HA pair.
The active node scans HTTP, HTTPS, and FTP traffic. The passive node works as a standby device that does not scan traffic under normal conditions. The passive node can become the active node if an abnormal condition occurs in the active node, such as:
  • Data link failure
  • OS Kernel panic
  • Critical services of the IWSVA application fail
IWSVA triggers a failover when the active unit goes down, whether it is caused by a heartbeat down, application down, or system down condition. When a failed unit is brought back online, a user-defined policy determines which unit becomes the newly elected active unit. Administrators can configure the election policy to allow the passive unit to remain as the active unit (normal mode), or configure the election policy with node weighting to always allow a specific HA member to regain control as the active unit.
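The following Python model is an added illustration of the failover and election behavior described above; it is not IWSVA code. The node names, the weight values, the rule that the higher weight marks the preferred unit, and the handling of both units being down are assumptions made for the example.

```python
from dataclasses import dataclass

# Failure conditions named in the text; any of them on the active unit triggers failover.
FAILURES = {"heartbeat_down", "application_down", "system_down"}

@dataclass
class Node:
    name: str
    weight: int = 0       # assumption: the higher weight marks the preferred unit
    healthy: bool = True

class HAPair:
    def __init__(self, first, second, policy="normal"):
        if policy not in ("normal", "weighted"):
            raise ValueError(f"unknown election policy: {policy}")
        self.nodes = {first.name: first, second.name: second}
        self.policy = policy
        self.active = first.name   # the unit that currently holds the cluster IP

    def fail(self, name, reason):
        if reason not in FAILURES:
            raise ValueError(f"unknown failure condition: {reason}")
        self.nodes[name].healthy = False
        if name == self.active:    # a failed passive unit causes no failover
            peer = next(n for n in self.nodes.values() if n.name != name)
            self.active = peer.name if peer.healthy else None
        return self.active

    def recover(self, name):
        node = self.nodes[name]
        node.healthy = True
        if self.active is None:    # assumption: both were down, first unit back takes over
            self.active = name
        elif self.policy == "weighted" and node.weight > self.nodes[self.active].weight:
            self.active = name     # the preferred unit regains control
        return self.active         # normal mode: the current active unit stays active

def replay(policy):
    """Constructed event sequence; returns the active unit after each step."""
    pair = HAPair(Node("node-a", weight=200), Node("node-b", weight=100), policy)
    return [pair.active,
            pair.fail("node-a", "application_down"),
            pair.recover("node-a"),
            pair.fail("node-b", "heartbeat_down"),
            pair.recover("node-b")]

if __name__ == "__main__":
    for policy in ("normal", "weighted"):
        print(policy, replay(policy))
```

In normal mode the former passive unit keeps the active role after the failed unit returns, while with weighting the preferred unit takes the role back as soon as it recovers.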