Hi there,
To clarify the topology, does the L2 VPN represent the wan and therefore the two core switches are in separate locations? Users and Servers are on either side of the core switches?
If the servers are on a single vlan then the wanos lan0 can be placed in that same port group. Wanos wan0 would link via a vlan to the core switch.
Although that will work, a cleaner design would be to configure two nics to the core switch. One in the server/lan vlan and the other in a new firewall/wan vlan that the firewall is also in.
Examples of one side of the wan:
ESXi servers vlan 100 --- lan0-wanos-wan0 --- FW vlan 200
If the core switches are doing Layer3 routing for multiple vlans, then the Wanos is placed between the core switch and the firewall:
LAN vlans 0-100 --- L3-switch --- lan0-wanos-wan0 --- FW
I hope it helps, but if not, let's go back to the current topology in case I misunderstood it.