Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
If you use Athena NGFW devices in the active/active or active/active Layer 2 mode, and the upstream and downstream devices of the Athena NGFW devices are routers, you need to enable HA Traffic to avoid traffic inconsistency. Otherwise, do not enable this option. When enabled, Athena NGFW determines, based on the hash algorithm, whether to send the packet received from the service interface to the peer device through the synchronization interface for a security check. This ensures that all packets from the same flow undergo security checks on the same device, avoiding network unavailability and ineffectiveness of security checks due to asymmetric routing. After the security check, the peer device sends the packet back through the synchronization interface so the local device can forward the packet. This prevents network unavailability caused by dropped packets in the downstream device's routing interface due to mismatched destination MAC addresses. The configurations are shown in the following figure.
The workflow is as follows:
1. When a PC accesses the server, the packet goes through Athena NGFW 1. Athena NGFW 1 determines, based on the hash algorithm, whether the security check should be performed. After the check is completed, Athena NGFW 1 forwards the packet to the server.
2. The packet returned by the server arrives at Athena NGFW 0.
3. Athena NGFW 0 determines, based on the hash algorithm, whether Athena NGFW 1 should perform the security check (calculation results for packets with the same IP address are the same). Athena NGFW 0 sends the packet to Athena NGFW 1 through the HA aggregation link.
4. After receiving and checking the packet, Athena NGFW 1 sends the packet back to Athena NGFW 0 through the HA aggregation link.
5. Athena NGFW 0 sends the returned packet to the PC.
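The workflow above can be modelled as follows. This is an added example, not Athena NGFW code: the XOR-fold hash, the function names and the sample addresses are assumptions, since the product's hash algorithm is not described here. It shows why the hash must give the same result for both directions of a flow, and what happens when it does not.

```python
import ipaddress
from functools import reduce
from operator import xor

DEVICES = ("NGFW0", "NGFW1")  # the two active/active peers in the workflow


def flow_owner(src_ip, dst_ip, symmetric=True):
    """Choose the device that inspects a flow.

    Assumption: XOR-folding the address bytes stands in for the product's
    undocumented hash. XOR is commutative, so swapping source and
    destination gives the same owner. symmetric=False hashes the source
    only, to show the failure a direction-sensitive hash would cause.
    """
    data = ipaddress.ip_address(src_ip).packed
    if symmetric:
        data += ipaddress.ip_address(dst_ip).packed
    return DEVICES[reduce(xor, data) % len(DEVICES)]


def handle(receiver, src_ip, dst_ip, symmetric=True):
    """Hops taken by a packet that arrives on `receiver`'s service interface."""
    owner = flow_owner(src_ip, dst_ip, symmetric)
    if owner == receiver:
        # Local device owns the flow: inspect and forward directly.
        return [f"{receiver} inspects", f"{receiver} forwards"]
    # Peer owns the flow: relay over the synchronization interface, then
    # forward locally so the downstream router sees the expected MAC.
    return [
        f"{receiver} sends to {owner} via sync interface",
        f"{owner} inspects",
        f"{owner} returns to {receiver} via sync interface",
        f"{receiver} forwards",
    ]


# Constructed sample addresses (documentation ranges), not from the page.
PC, SERVER = "192.0.2.10", "198.51.100.20"

if __name__ == "__main__":
    # Asymmetric routing: the request arrives on NGFW1, the reply on NGFW0.
    for receiver, src, dst in (("NGFW1", PC, SERVER), ("NGFW0", SERVER, PC)):
        print(f"{src} -> {dst}:", " | ".join(handle(receiver, src, dst)))
```

With symmetric=False the request is assigned to NGFW0 and the reply to NGFW1, so neither device sees the whole flow, which is the condition HA Traffic is meant to prevent.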