Unfortunately we have just static routing. We do not own AS neither public IP subnet.

Unfortunately we have just static routing. We do not own AS neither public IP subnet.

I am afraid never tested myself with static routing never rely on it.

If this is critical infrastructure and you looking more stability solution, then Layer 2 Switch can give more flexibility to fix many of your scenarios.

If not there is alternative option of EEM and IP sla - i wont go that route to think of failover, they are not suggested.

If i were you spend couple of hundred bugs and convence management add Layer 2 switch.

but I hope that ISP can make 2 ports on their device as switchports and that switch will be their device. Why both nodes need to have IP? they have failover link on separate interface. I hope that FTD3105 HA has its own scripts or mechanism how to move Active IP from primary node to secondary when primary fails or when I initiate upgrade procedure. As standby IP address is not mandatory for interface configuration, so I assume that public IP 1.2.3.4 assigned to interface move somehow between nodes on failure or upgrade.

the FW HA failover case is 
1- primary FW down 
2- the IN or OUT interface is down or link is disconnect or any L1 or L2 issue, 
this why we need monitor these interface in HA, the monitor need IP to exchange hello as heartbeat 
so both FW IN and OUT interface need to have IP otherwise the monitor is stuck in waiting or down 

can ISP run a bridge and you dont need SW? usually some engineer if they dont have SW and have router they can do bridge and hence no need SW but this depend on ISP side are they agree or not with config two interface as bridge  

MHM

point 1 is what I'm looking for. For point 2, it's possible, but there is LACP from each node to VPC on Nexus for LAN, so in case internal switch fails, there is still second switch which handles LACP.

I hope ISP can run bridge or switchports there and create SVI with their gateway IP on top of that bridge/switchports.

For sure attaching screenshots how it looks now. primary peer vpn-01 is active, vpn-02 as standby on first screenshot. I just need to ensure that IP address on Ethernet1/1 (i.e. 1.2.3.6/30) will be made active and traffic will pass through vpn-02 when I initiate upgrade or vpn-01 fails or if I manually switch active/standby nodes. On third screenshot is visible as there is no standby IP as subnet from ISP is so small that there is just their GW 1.2.3.5 and ours 1.2.3.6. So I really do not want to solve situation when ISP port fail, but only when my active node fails. Will FTD HA during node failure or manual active/standby switchover notify GW to update ARP with new MAC address or MAC addresses are shared in HA Active/Standby mode?

if you talk about point 1 
I run lab for you show you that it not mandatory for OUT to have IP except case that you monitoring interface for failover
I do failover active in secondary and you can see the ping is not effect 
the ping between R7 and R8 is run over VPN (as I see in your share photo you use both FW as VPN endpoint)

I also share the show failover to see the monitoring status of IN and OUT 
IN is monitored 
OUT is  waiting 

thanks a lot for demo. I have found also the sentences in documentation I needed to know

When you configure your interfaces, you can specify an active IP address and a standby IP address on the same network. Generally, when a failover occurs, the new active unit takes over the active IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

 So now is only question, when there is no ARP sent, if ISP router/switch is able to quickly move IP/MAC record from one port to another based on outgoing traffic in case of active node failure. I'm still waiting for ISP to discuss as they want to proceed our request through sales (of course, they want to get paid just for changing config on their side).

Active use for example 100.0.0.1 

Standby use 100.0.0.2 

ISP use static route toward only active IP 100.0.0.1 

If standby failover to be active and hence use IP 100.0.0.1 the  ISP dont see anychange.

Note:- there is GARP only to make SW change port toward new active FW

One more point' what about SW' how you want to solve this' it mandatory to connect three L3 device (ISP and two FW) to SW if all have same subnet.

MHM