Solved: FMC path to the internet

5010 · ‎04-20-2026

I'm designing a standard FMC + FTD HA topology and trying to determine the best way to give the FMC internet access for Smart Licensing, AMP cloud, and VDB updates.

If I route the FMC's outbound traffic through the FTD data plane, it creates a "chicken-and-egg" scenario: the FMC cannot reach the internet to license itself or get updates until the FTD is fully deployed and passing traffic.

Is the standard real-world practice to just push a basic "bootstrap" config to the FTDs first so the FMC can get online? Or do most enterprise environments put the FMC on a completely separate firewall/ISP connection so it doesn't rely on the very FTDs it is managing?

Thanks for the input!

beepmeep · ‎04-20-2026

The FMC has an evaluation period of 90 days before it stops being able to deploy changes.

That should leave you enough time to get everything configured. I have never seen a deployment using another device for internet access than the device the FMC is managing.

Just make sure that the FMC can reach the FTD management IP without going through the firewall.

View solution in original post

ahollifield · ‎04-20-2026

How about SCC/cdFMC instead?

beepmeep · ‎04-20-2026

The FMC has an evaluation period of 90 days before it stops being able to deploy changes.

That should leave you enough time to get everything configured. I have never seen a deployment using another device for internet access than the device the FMC is managing.

Just make sure that the FMC can reach the FTD management IP without going through the firewall.