I have two locations connected by dark fiber. At each site is a router with BGP to an ISP, the routers use iBGP between them, one is the default GW with HSRP. At each site is a 3120 with an FTD instance.  Today I connected one between the inside interface of the standby router, and the public side of the network (edge).  The primary Default GW router is not connected to any IPS. We use a WSA Proxy for web 443.  I ran into an issue with some sites that require SSO were unreachable when the FTD was connected to the standby router.   Technically, it should have been unaffected since the traffic coming from the WSA would be sent to the primary router, through to the internet with the connected ISP, according to trace routes. Nothing was logged as being blocked by the FTD. 

We are replacing our 7125 Firepowers with FTD. Our current setup is an inline in front of, and behind the ASA for a public side and internal side IPS.  What I am looking to do is IPS between the router and all out Public facing equipment, but it appears to have caused an issue getting to some sites.  My only thought is possibly asynchronous routing between the two routers and the FTD. If a route points to the ISP on one router traffic goes through the FTD to that router, and if the return traffic happens to prefer the other ISP, then it will come in the other routers, not going through the FTD.  Eventually there will be a second FTD on that router, but still they don't talk to each other, so if traffic hits one way on one, then comes in on the other, would that be the cause of some sites not working? 

I'm thinking I would be better off staying with the current setup of in front of just the firewall since its a failover pair and traffic comes in and out of just one firewall, so no asynchronous can happen.