Hi @Martijn
Apologies for the late reply.
From the given SK article, I believe it's a default behaviour for the standby firewall to hide behind the VIP when connections are initiated from the member itself.
Also, as given in the provided SK article, it's been suggested not to add 443 as it might negatively impact the VPN tunnel initiation.
With that said, I assume that the standby firewall will be able to reach the Internet/CP portal for AV updates via the active firewall, which is holding the VIP.
Is my understanding correct?
Note: I've placed a NO-NAT rule from the firewall to the destination which didn't resolve this issue.