In this use case, both of the
HA firewalls must respond to an ARP request for the destination
NAT address. Traffic can arrive at either firewall from either WAN
router in the untrust zone. Destination NAT translates the public-facing,
shared IP address to the private IP address of the server. The configuration
requires one destination NAT rule bound to both Device IDs so that
both firewalls can respond to ARP requests.