Got an answer from OVH that CARP is not possible for their hardware dedicated servers due to network design.
I've solved this using OVH Control Panel API - https://api.ovh.com
buy some OVH failover IP's (one or subnet block ) and assign them to "master" firewall in OVH Control Panel
create identical "IP alias(es)" for OVH failover IP's attached to WAN interfaces on both "master" and "backup" firewalls.
Yes, create identical IP Aliases - no IP conflict will ever happen.
wrote a Python script that moves above OVH failover IP's to "backup" server in case "master" firewall stops responding for let's say 10 seconds
Script can work on backup server on any other Linux/Windows server anywhere.
Works just fine - API failover IP move takes about 50-55 seconds to finish.
So, if scripts timeout for your "master" firewall is set to 10 seconds - you are looking at max 60-65 seconds outage for your services.
Boom.