Re: Could someone explain/help. NAT query for VRRP setup.

"When the connection is incoming (from the internet) it will hit the router outside the firewall (L3 switch). The router will then (if my understanding is correct) send an arp request for the NAT IP address. Now, if both Nokia gateways have a proxy arp address in, both of them will reply (yes?) and the router will take the first (yes?). So the traffic could go through the secondary firewall and then on return it will go back through the primary as the VRRP inside address will be the next hop for the router further down. Hopefully, I'm explaining this okay!"

Only the Nokia that is acting as the "master" will reply to that ARP. The secondary will do NOTHING. That's the nature of VRRP. That's why when you use Proxy-arp, you use the VRRP mac address, NOT the physical ip address of the firewall.

In theory, you could have traffic route directly to the secondary firewall and then go back out on the primary firewall, and it can work too. It works because of the synchronization between the two firewalls. That being said, it does NOT work well if the firewall is under heavy load.
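
As an added example that is not part of the original post: a check that ARP replies for the NAT addresses come only from the VRRP virtual MAC, which is the behaviour the reply above describes. The capture lines are constructed in tcpdump -e -n style, and the addresses, VRID 10 and the function name audit_arp_replies are assumptions made for illustration.

```python
import re
from collections import defaultdict

# VRRP for IPv4 uses the virtual MAC 00:00:5e:00:01:<VRID> (RFC 5798).
VRRP_MAC = re.compile(r"^00:00:5e:00:01:([0-9a-f]{2})$")
ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

# Constructed capture lines (hypothetical addresses, VRID 10 = 0x0a).
SAMPLE = [
    "12:00:01.10 00:00:5e:00:01:0a > 02:00:00:cc:00:01, ethertype ARP (0x0806), "
    "length 60: Reply 203.0.113.10 is-at 00:00:5e:00:01:0a, length 46",
    "12:00:02.20 00:00:5e:00:01:0a > 02:00:00:cc:00:01, ethertype ARP (0x0806), "
    "length 60: Reply 203.0.113.11 is-at 00:00:5e:00:01:0a, length 46",
    "12:00:02.21 02:00:00:aa:bb:01 > 02:00:00:cc:00:01, ethertype ARP (0x0806), "
    "length 60: Reply 203.0.113.11 is-at 02:00:00:aa:bb:01, length 46",
]

def audit_arp_replies(lines, nat_ips, expected_vrid):
    """Return {nat_ip: [problems]} for NAT IPs not answered solely by the VRRP MAC."""
    seen = defaultdict(set)
    for line in lines:
        m = ARP_REPLY.search(line)
        if m and m.group(1) in nat_ips:
            seen[m.group(1)].add(m.group(2).lower())
    findings = {}
    for ip in sorted(nat_ips):
        macs = seen.get(ip, set())
        problems = [] if macs else ["no ARP reply seen"]
        for mac in sorted(macs):
            v = VRRP_MAC.match(mac)
            if not v:
                # A physical MAC answering means proxy ARP is bound to the box,
                # not to the VRRP group, so a backup node can also answer.
                problems.append(f"answered by non-VRRP MAC {mac}")
            elif int(v.group(1), 16) != expected_vrid:
                problems.append(f"answered by VRRP MAC of VRID {int(v.group(1), 16)}")
        if len(macs) > 1:
            problems.append("more than one MAC answered")
        if problems:
            findings[ip] = problems
    return findings

if __name__ == "__main__":
    nat = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
    for ip, problems in audit_arp_replies(SAMPLE, nat, 10).items():
        print(ip, "->", "; ".join(problems))
```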