Thanks for your hint.
The pingserver will always use the FGT's WAN port, following the default route, so no choice here. To clarify I've redrawn the picture.
The switch on the front and back of the dedicated line is in fact a switch module inserted into the router, 4 ports. One is used for the line, two for redundant HA connections (not drawn here), one is unused.
As you can see, when the right router fails over, all internet-bound traffic is led across the dedicated line and routed by the left router. But the firewall on the right is still working and will not notice that its WAN connection has switched sides.
I asked the Cisco supporter of the ISP if we could block ICMP on that blue line, by static filter or ACL. He denied this.
So a second (weird) idea I had was to put another FGT in Transparent Mode into the blue line, blocking ICMP. To achieve device failover for this also, I'd configure an extra VDOM on the main FGT, or rather on both because of HA.
But this is clumsy and needs a lot of documentation.
Thus my search for something in Cisco IOS like there is in FortiOS, pulling down an interface (link) if a failover situation is detected. In IOS, it's called 'tracking', and I bet there is something like this already.
"Kernel panic: Aiee, killing interrupt handler!"