I would recommend to not use any kind of load balancer in front of the NG and to use EIP shifting instead. That will allow you to use a single IP address which will always be connected to the active CGF in the HA cluster. The EIP will automatically be shifted when the the other firewall takes over.
Using ALB does not make any sense, as this LB works on the application level. If you need an ALB, and you are only have HTTP/HTTPS traffic maybe using a Barracuda CloudGen Web Application Firewall instead of the ClougGen Firewall would make more sense.