WSA query

Vishal6
Level 2

Hi All,

I have to deploy an FTD firewall (with Threat & Malware protection licenses), a WSA-S196-K9, and Umbrella in the same data center. I need to know how HTTP and HTTPS traffic inspection would work here, and which device goes in which place.

8 Replies

What level of Umbrella do you have?

Vishal6
Level 2

DNS Advantage

Vishal6
Level 2

Any help, please?

amojarra
Cisco Employee

Hello @Vishal6,

From the WSA's perspective, you can deploy your WSA in two modes:
[1] Explicit deployment, where you configure your clients to send their traffic to the WSA (this can be done via a PAC file, Group Policy, manually editing the proxy settings in the browser, ...).

[2] Transparent deployment, where a Layer 4 device (router, firewall, ...) redirects every packet with destination port TCP/80 or TCP/443 to the WSA.

Note: if your WSA and the Layer 4 device are in the same subnet, you can use PBR or Layer 2 WCCP; if they are not, you can configure WCCP with a GRE tunnel.

 

Please allow me to share some links:

https://integratingit.wordpress.com/2022/02/25/wsa-transparent-proxy-using-wccp/

https://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/117810-configure-wsa-00.html

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp/configuration/15-mt/iap-15-mt-book/iap-wccp.html#GUID-A595C680-31D5-4D20-B4C1-52ED0B4B81A2

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++     If you find this answer helpful, please rate it as such    ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++


Vishal6
Level 2

Hi,

I need to know which traffic takes precedence, as per my very first post:

I have to deploy an FTD firewall (with Threat & Malware protection licenses), a WSA-S196-K9, and Umbrella in the same data center. I need to know how HTTP and HTTPS traffic inspection would work here, and which device goes in which place.

The config you have for the WSA affects the answer (explicit vs. PAC files vs. transparent via WCCP, PBR or similar).
And you don't mention a URL Filtering license on the FTD?
And is the FTD just for outbound traffic, or is the FTD also between the clients and the WSA / DNS servers (Umbrella VA)?

So there are a number of "what about X?" aspects of this.

But if you think about it from a logical point of view, if you're using a certain configuration in PAC files or a transparent WSA, and the traffic only traverses the FTD when leaving the DC and going to the internet (i.e. not between the WSA and the clients), the process could look something like this:

  1. The client does a DNS lookup for a domain, and either directly or indirectly asks Umbrella, through local DNS servers or an Umbrella VA.
    1. If Umbrella wants to block the request, or you're using the intelligent proxy feature in Umbrella, Umbrella will respond to the DNS query with an IP address in its own range.
    2. Otherwise it will respond with the actual IP address as registered in DNS.
  2. If the WSA is transparent, the client will try to connect directly to the IP provided in the DNS response, and this session is then redirected to the WSA through WCCP/PBR/etc.
  3. If you're using PAC files, the client may try to proxy the request through the WSA.
  4. The WSA does its own DNS lookup, and depending on your policies will also resolve to an Umbrella IP if the site should be blocked.
  5. Depending on the WSA's own policies, the WSA might block the request right there and then.
  6. If the WSA allows the request, it will go out to the internet through the FTD.
  7. Now again, depending on the FTD's licenses and config, it might block the connection (based on URL filtering perhaps), and/or if you've integrated the FTD with Umbrella. Or it might allow the request.
  8. If neither the WSA nor the FTD blocked the request, and you had a policy in Umbrella to block this domain, the request would reach Umbrella and the client would either get a block page or be proxied, depending on your setup.

Now if you had the WSA configured as an explicit proxy, the client would initially just send the request directly to the WSA, and you would basically start at step 4 in the above process.

You see I'm making a few assumptions along the way, because the traffic flow will depend on your environment and the config/policies/licenses in the WSA, Umbrella and the FTD.

---
Please mark helpful answers & solutions
---
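The explicit deployment via a PAC file that the first reply mentions, and step 3 of the flow above, come down to one script the browser evaluates per request. The following PAC file is an added example and is not code from any post in this thread; the WSA address (wsa.example.internal:3128), the internal DNS suffix (.example.internal) and the RFC 1918 internal ranges are assumptions. It also shows the point from step 4: a PAC rule that makes the client resolve external names itself would put the user's DNS query in front of Umbrella, whereas in explicit mode that lookup is the WSA's job.

```javascript
// Added example (not from any post in this thread): a PAC file that sends
// browsers to the WSA in explicit mode. Assumptions, not values from the
// thread: the WSA listens on wsa.example.internal:3128, the internal DNS
// suffix is .example.internal, and internal hosts use RFC 1918 ranges.
//
// Browsers supply isPlainHostName/dnsDomainIs/isInNet to PAC scripts. Minimal
// versions are defined here only so the file can be run and tested in Node;
// a deployed PAC file would omit them and rely on the browser's built-ins.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// Works on dotted-quad literals only. The browser's isInNet would also resolve
// a hostname through the client's DNS, which this PAC file deliberately never
// asks it to do.
function isInNet(ip, net, mask) {
  const toInt = (s) =>
    s.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(net) & toInt(mask)) >>> 0);
}

const IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

// No "; DIRECT" fallback on purpose: if the WSA is unreachable the browser
// fails closed instead of silently bypassing the proxy and its policies.
const WSA = "PROXY wsa.example.internal:3128";

function FindProxyForURL(url, host) {
  // Unqualified names, loopback and the internal DNS suffix never need the proxy.
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1" ||
      dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // RFC 1918 literals go direct. The check is gated on a literal so the client
  // never resolves an external name itself: in explicit mode the WSA does the
  // lookup (step 4 of the flow), so Umbrella sees the WSA's query, not the user's.
  if (IPV4_LITERAL.test(host) &&
      (isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS alike, goes to the WSA.
  return WSA;
}
```

Browsers apply the same rule to https:// URLs, so the CONNECT for a TLS session also lands on the WSA, which is where its HTTPS decryption policy would act. The three helper functions at the top exist only so the file can be exercised outside a browser; the deployed file keeps only the constants and FindProxyForURL.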

Hi, 

Thank you !

The FTD has Threat Defense and AMP licenses, so it includes URL filtering; correct me if I'm wrong. According to your post, internet traffic generated from the client machine would first hit the WSA (we will configure it in explicit mode), then it will be redirected to the FTD, and after that Umbrella will scan/analyse the traffic, and that will be final if nothing is blocked by the WSA and the FTD.

I think I have to make the same type of policies on the WSA, FTD and Umbrella if I don't want unusual output.

If you're using explicit mode on the WSA and you set up everything to use Umbrella for DNS resolution, the traffic flow will be:

User types in a URL.
Browser sends the request to the WSA.
WSA asks Umbrella for IP resolution. (Umbrella DNS Advantage only sees the DNS request, not the traffic.)
Assuming the IP is OK, traffic from the WSA goes out through the firewall.

You don't want the firewall filtering the WSA's traffic; you already have a better solution in the WSA. So set that traffic to be trusted by the FTD. Troubleshooting double filtering isn't fun.