topic Re: FMC path to the internet in Network Security

FMC path to the internet

5010 — Mon, 20 Apr 2026 13:27:01 GMT

I'm designing a standard FMC + FTD HA topology and trying to determine the best way to give the FMC internet access for Smart Licensing, AMP cloud, and VDB updates.

If I route the FMC's outbound traffic through the FTD data plane, it creates a "chicken-and-egg" scenario: the FMC cannot reach the internet to license itself or get updates until the FTD is fully deployed and passing traffic.

Is the standard real-world practice to just push a basic "bootstrap" config to the FTDs first so the FMC can get online? Or do most enterprise environments put the FMC on a completely separate firewall/ISP connection so it doesn't rely on the very FTDs it is managing?

Thanks for the input!

Re: FMC path to the internet

ahollifield — Mon, 20 Apr 2026 18:56:06 GMT

How about SCC/cdFMC instead?

Re: FMC path to the internet

beepmeep — Mon, 20 Apr 2026 20:11:01 GMT

The FMC has an evaluation period of 90 days before it stops being able to deploy changes.

That should leave you enough time to get everything configured. I have never seen a deployment using another device for internet access than the device the FMC is managing.

Just make sure that the FMC can reach the FTD management IP without going through the firewall.