My 2 cents on that:
Go for a single connection, and an intermediate switch.
The passive cluster member gets the same FAZ IP address as the active member, always.
I'd guess that a small sturdy, metal case 5- or 8-port switch won't die in the next years. Or partition an existing switch stack. The FAZ isn't redundant anyway. And doesn't need be, not as much as the FGTs.
"Kernel panic: Aiee, killing interrupt handler!"