How does Transit FireNet work?

Transit FireNet works the same way as Firewall Network (FireNet): traffic entering and leaving the specified Spoke VPC/VNet is forwarded to the firewall instances for inspection or policy enforcement.

FireNet Workflow Example

Take, for example, a VPC/VNet1 to VPC/VNet2 traffic inspection, where VPC/VNet1 and VPC/VNet2 are attached to the same TGW.

When a packet from VPC/VNet1 arrives at the FireNet gateway via the TGW, the gateway computes a 4-tuple hash (source IP, destination IP, source port and destination port) to decide whether to forward the packet to one of its own associated firewall instances or to the HA FireNet gateway.

If the hash selects a firewall instance that is associated with the HA FireNet gateway, the gateway forwards the packet to the HA FireNet gateway through its eth3 interface.

When the HA FireNet gateway receives the packet, it performs exactly the same hash calculation and decides which of its associated firewall instances to forward the traffic to.

The packet flow is illustrated in the diagram below:

(Figure: firenet_packet_flow)
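The forwarding decision described above, as an added example that is not Aviatrix code and does not reproduce the product's actual hash function: a constructed pool of four firewall instances (two attached to the primary FireNet gateway, two to the HA gateway), a hypothetical SHA-256 based 4-tuple hash, and a check that the HA gateway, running the identical calculation, lands on the same instance the primary gateway chose before forwarding over eth3.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """The 4-tuple the FireNet gateway hashes on."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Firewall:
    instance_id: str
    gateway: str  # "primary" or "ha": the FireNet gateway this instance is associated with


# Constructed pool (assumption for this example): two instances behind each gateway.
POOL = (
    Firewall("fw-a", "primary"),
    Firewall("fw-b", "primary"),
    Firewall("fw-c", "ha"),
    Firewall("fw-d", "ha"),
)


def four_tuple_hash(flow: Flow) -> int:
    # Hypothetical hash: SHA-256 over the packed IPs and ports. The real gateway's
    # hash function is not documented on this page; only its inputs are.
    key = b"".join([
        ipaddress.ip_address(flow.src_ip).packed,
        ipaddress.ip_address(flow.dst_ip).packed,
        flow.src_port.to_bytes(2, "big"),
        flow.dst_port.to_bytes(2, "big"),
    ])
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def select_firewall(flow: Flow, pool=POOL) -> Firewall:
    """Map the hash onto the pool of all associated instances (both gateways)."""
    return pool[four_tuple_hash(flow) % len(pool)]


def route_packet(flow: Flow, local_gateway: str, pool=POOL):
    """Decision taken by the gateway that received the packet from the TGW.

    Returns ("inspect-locally", fw_id) when the selected instance is its own,
    or ("forward-via-eth3", fw_id) when the instance belongs to the peer gateway.
    """
    fw = select_firewall(flow, pool)
    if fw.gateway == local_gateway:
        return ("inspect-locally", fw.instance_id)
    return ("forward-via-eth3", fw.instance_id)


def peer_agrees(flow: Flow, pool=POOL) -> bool:
    """Packet enters at the primary gateway; if it is handed to the HA gateway,
    the HA gateway's own calculation must resolve to the same instance."""
    first_hop = route_packet(flow, "primary", pool)
    if first_hop[0] == "inspect-locally":
        return True
    second_hop = route_packet(flow, "ha", pool)
    return second_hop == ("inspect-locally", first_hop[1])


def distribution(flows, pool=POOL) -> dict:
    """How many flows each instance would receive (load-spread check)."""
    counts = {fw.instance_id: 0 for fw in pool}
    for f in flows:
        counts[select_firewall(f, pool).instance_id] += 1
    return counts


def sample_flows(n: int = 1000):
    # Constructed traffic: hosts in VPC/VNet1 (10.1.0.0/16) talking to one
    # server in VPC/VNet2 (10.2.0.10:443) from distinct ephemeral ports.
    return [Flow(f"10.1.{i // 256}.{i % 256}", "10.2.0.10", 40000 + i, 443)
            for i in range(n)]


if __name__ == "__main__":
    flow = Flow("10.1.0.5", "10.2.0.10", 51234, 443)
    print("primary gateway decision:", route_packet(flow, "primary"))
    print("HA gateway agrees:", peer_agrees(flow))
    print("spread over 1000 flows:", distribution(sample_flows()))
```

Because both gateways hash the same inputs with the same function over the same instance list, a packet is never bounced back and forth: the HA gateway either owns the selected instance or it would have been inspected at the primary gateway in the first place. Note that the hash as written here is directional, so the return packets of a flow (dst_ip/src_ip and ports swapped) form a different tuple; whether the product treats the two directions symmetrically is not something this page states.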