Understanding Cluster Mode
The Administrator of the TOE can set up Cluster Mode for High Availability (HA) by connecting the dedicated HA control ports of node 0 and node 1, as described in the article https://kb.juniper.net/KB34608.
The factory-default configuration does not include an HA configuration. Before HA is enabled, any configuration present on the physical interfaces that HA will use must be removed. The two hosts constituting a chassis cluster must have identical configurations, except that one is configured as node 0 and the other as node 1.
The TOE has a dedicated fxp0 interface for HA management. The HA control link must connect the dedicated control port on each device. The fabric interface may be defined by the Administrator. After the Administrator has defined and set up the cluster, the two devices constituting the chassis cluster share the same cluster ID but have different node IDs, since one host must be node 0 and the other node 1. Node 1's slot numbering is offset by 3 on SRX5400 devices, by 6 on SRX5600 devices and by 12 on SRX5800 devices.
Node 1 renumbers its interfaces by adding the total number of system FPCs to the original FPC number of each interface. The fabric interface remains Administrator-defined.
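As an added illustration of the renumbering rule above (example code, not part of the original document or of Junos), the following Python encodes the stated slot offsets, maps a node 0 interface name to its node 1 counterpart and back, and reports which node a given interface name belongs to; it assumes the usual type-fpc/pic/port interface naming (e.g. ge-0/0/2).

```python
import re

# FPC (slot) offset node 1 adds to its interface numbers, per platform, as stated above.
FPC_OFFSET = {"SRX5400": 3, "SRX5600": 6, "SRX5800": 12}

# Assumed physical interface name form: <type>-<fpc>/<pic>/<port>, e.g. ge-0/0/2.
_IFNAME = re.compile(r"^(?P<type>[a-z]+)-(?P<fpc>\d+)/(?P<pic>\d+)/(?P<port>\d+)$")


def _parse(ifname: str):
    m = _IFNAME.match(ifname)
    if m is None:
        raise ValueError(f"not a physical interface name: {ifname!r}")
    return m.group("type"), int(m.group("fpc")), m.group("pic"), m.group("port")


def node1_interface(platform: str, node0_ifname: str) -> str:
    """Name node 1 assigns to the port that is node0_ifname on node 0."""
    offset = FPC_OFFSET[platform]
    itype, fpc, pic, port = _parse(node0_ifname)
    if fpc >= offset:
        # Node 0 only owns FPC numbers below the offset on this platform.
        raise ValueError(f"FPC {fpc} is outside node 0's slot range on {platform}")
    return f"{itype}-{fpc + offset}/{pic}/{port}"


def node0_interface(platform: str, node1_ifname: str) -> str:
    """Inverse mapping: strip the platform offset from a node 1 interface name."""
    offset = FPC_OFFSET[platform]
    itype, fpc, pic, port = _parse(node1_ifname)
    if fpc < offset:
        raise ValueError(f"FPC {fpc} is not a node 1 slot on {platform}")
    return f"{itype}-{fpc - offset}/{pic}/{port}"


def owning_node(platform: str, ifname: str) -> int:
    """Return 0 or 1 depending on which chassis member owns the named port.
    Useful when auditing a cluster configuration for interfaces bound to the wrong node."""
    _, fpc, _, _ = _parse(ifname)
    return 1 if fpc >= FPC_OFFSET[platform] else 0


if __name__ == "__main__":
    print(node1_interface("SRX5600", "ge-0/0/2"))   # ge-6/0/2
    print(owning_node("SRX5800", "xe-13/2/3"))      # 1
```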
With the L2 HA link encryption tunnel, any Security Sensitive Parameters (Critical Security Parameters) exchanged over the control link between the two chassis in cluster mode are protected using IPsec. Because IPsec is used for internal communication between the nodes, the configuration information and IKE HA messages that pass over the chassis cluster link from the primary node to the secondary node are protected from active and passive eavesdropping. Without the internal IPsec key, an attacker cannot gain privileged access or observe this traffic.