VMware Cloud Community
Aquanerd
Contributor

ESXi Server directly connect to dual firewalls

We have an ESXi Server that directly connects to a Sophos Firewall, which is in the process of being changed to a HA setup by adding a second FW. In testing we have found that with the Sophos HA mode the secondary device's ports don't fully go down when it's in passive mode. Sophos keep the ports up but block traffic on the secondary device and use virtual MAC addresses.

We have dual NICs on the server that are in a team but the ESXi server sees the ports as up and sends some traffic to the passive FW and some traffic to the Active FW.

So with the Link Detection, monitoring the Link Status is useless because Sophos don't down the ports, so ESXi thinks the FW ports are up. "Beacon Only" mode seems to work really well; however, it's not recommended, but for my use case I'm wondering if using beacon only would be OK?

I'm trying to avoid using a switch in between the ESXi host and the FW cluster, and am trying to find the correct settings on the ESXi side to send traffic to the active FW only. I have tried combinations of all settings, using standby etc., but the only way to get it really stable is to use Beacon Only for the Link Detection, and I worry it will cause problems later.
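Added example (not part of the post above, and not VMware or Sophos code): a small checker that parses the output shape of `esxcli network vswitch standard policy failover get -v <vSwitch>` (the sample output here is constructed) and flags the two failure modes behind this question: link-state detection against a peer that keeps its ports up, and beacon probing with fewer than three uplinks, where ESXi cannot tell which uplink lost its beacon. The `peer_keeps_link_up` parameter is an assumption supplied by the caller, not something ESXi reports.

```python
import re

# Constructed sample shaped like `esxcli network vswitch standard policy failover get`.
SAMPLE_LINK = """\
   Load Balancing: srcport
   Network Failure Detection: link
   Notify Switches: true
   Failback: true
   Active Adapters: vmnic0, vmnic1
   Standby Adapters:
   Unused Adapters:
"""


def parse_failover(text):
    """Parse `Key: value` lines into a dict; adapter lists become Python lists."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z ]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key.endswith("Adapters"):
            # "vmnic0, vmnic1" -> ["vmnic0", "vmnic1"]; an empty list stays empty.
            value = [a.strip() for a in value.split(",") if a.strip()]
        policy[key] = value
    return policy


def assess(policy, peer_keeps_link_up=True):
    """Return findings for a teaming policy on a host wired straight to an HA pair.

    peer_keeps_link_up: assumption about the far end (True for the Sophos HA
    behaviour described in the post, where the passive node keeps link up).
    """
    findings = []
    detection = policy.get("Network Failure Detection", "")
    uplinks = policy.get("Active Adapters", []) + policy.get("Standby Adapters", [])
    if detection == "link" and peer_keeps_link_up and len(uplinks) > 1:
        findings.append("link-state detection cannot see the passive peer; "
                        "flows hashed to that uplink are silently dropped")
    if detection == "beacon" and len(uplinks) < 3:
        findings.append("beacon probing needs at least three uplinks to isolate "
                        "a failed one; with fewer, ESXi sends on all uplinks")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_failover(SAMPLE_LINK)):
        print("WARN:", finding)
```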
