Thank you, yes all of the interfaces are in the same broadcast domain, and ACI is the gateway for endpoints.. the attached diagram is for reference.

So, In Normal conditions, all 4 leaf switches will process the traffic for the primary IP, and send the traffic to the firewall on their own using MAC of the Firewall VIP, regardless of which FW is active?

(assume routing is configured on the leaf SW with the FW VIP as next hop)

For example, If there is any traffic flow from ACI to the outside network through the firewall, the following will be the possibilities : -

if the endpoint sends the traffic to Leaf1, then the traffic will flow "Leaf1 --> active firewall

if the endpoint sends the traffic to Leaf2, then the traffic will flow "Leaf2 -->active firewall

if the endpoint sends the traffic to Leaf3, then the traffic will flow "Leaf3 -->active firewall

if the endpoint sends the traffic to Leaf4, then the traffic will flow "Leaf4 -->active firewall

for the return traffic from the FW to an endpoint, always flow from the active firewall through one of the 2 leaf SWs that is directly connected to the firewall.. and then it will be routed towards the endpoint.

in my scenario,  leaf 1 or leaf 2 will always process the return traffic that is coming in with the primary IP.. and leaf 3 & 4 will not be receiving any traffic for the primary IP coming from the FW.

Please correct me if any of my understanding is wrong. Thank you.