Tuesday, 30 April 2024

TS FTD like TAC

 https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/R6BGArNQ/TECSEC-3004.pdf


system support trace

Wednesday, 3 April 2024

network design ideas

Just writing down some ideas.

Dual internet connection with failover (wired plus radio/4G would be best but is the most expensive)
Share the public range between HQ and a DR site over BGP if possible
Alternatively, two public IP ranges with dynamic DNS or a script that updates DNS during failover
OOB management (Opengear etc.)
Redundancy starting at the SAN
Rule of thumb: 2 of everything
L2 site link between HQ and DR sites for failover/VMware/backups etc.
HA firewall pair with SSL decryption/IPS/AV enabled
HA switching (one stack, or two smaller stacks with HSRP/VRRP)
VLANs/networks: LAN, WIFI, DMZ, DB, APP, VOICE, RSPAN, OOBMGMT, BACKUPS, MONITORING, 3RDPARTY-ACCESS
Off-site (cloud) backups, or tapes taken off site
Monitoring, graphing, alerting: PRTG, NetFlow, SNMP
NTP server
TFTP server
syslog (syslog-ng)
config backup
RADIUS and MFA (Duo) where possible
DNS protection: OpenDNS (Cisco Umbrella) / DNSFilter
NAT all DNS requests to the Umbrella VAs? Or block all other outbound DNS on the firewall so only the VAs can resolve externally (otherwise a host with a hard-coded resolver bypasses the filtering)
IPS on edge firewalls
SIEM: Security Onion (needs lots of resources)
Nessus scans of internal and external IPs
Email security with SPF, DKIM and DMARC
Multiple DMZs, or private VLANs within the DMZ; alternatively, consider a reverse proxy in front of DMZ services for extra security
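The "block other DNS requests" idea above is only useful if you can see when it is being bypassed, and the syslog/SIEM items give you the data to do that. The following is an added example, not part of the original notes or of any Cisco tool: it parses ASA/FTD-style "Built connection" syslog lines and flags any internal host that talks to an external resolver on 53 or 853 without being one of the Umbrella Virtual Appliances. The VA addresses, the internal prefix and the log lines are all constructed for the example.

```python
import ipaddress
import re

# Assumed addressing for this example (not from the original notes):
# two Umbrella Virtual Appliances on the server VLAN are the only hosts
# allowed to send DNS out of the network; everything else must use them.
ALLOWED_FORWARDERS = {ipaddress.ip_address("10.1.10.5"), ipaddress.ip_address("10.1.10.6")}
INTERNAL_NETS = [ipaddress.ip_network("10.1.0.0/16")]
DNS_PORTS = {53, 853}  # plain DNS and DNS-over-TLS; DoH on 443 is invisible to this check

# Constructed ASA/FTD-style connection syslog lines (302015 = UDP built,
# 302013 = TCP built, 302014 = TCP teardown). For an outbound connection the
# "for" side is the destination and the "to" side is the inside initiator.
SAMPLE_LOGS = [
    "%ASA-6-302015: Built outbound UDP connection 1001 for outside:8.8.8.8/53 (8.8.8.8/53) to inside:10.1.20.15/51234 (10.1.20.15/51234)",
    "%ASA-6-302015: Built outbound UDP connection 1002 for outside:208.67.222.222/53 (208.67.222.222/53) to inside:10.1.10.5/53124 (10.1.10.5/53124)",
    "%ASA-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.1.20.16/40000 (10.1.20.16/40000)",
    "%ASA-6-302013: Built outbound TCP connection 1004 for outside:1.1.1.1/853 (1.1.1.1/853) to inside:10.1.20.17/50001 (10.1.20.17/50001)",
    "%ASA-6-302014: Teardown TCP connection 1004 for outside:1.1.1.1/853 to inside:10.1.20.17/50001 duration 0:00:01 bytes 1200 TCP FINs",
]

CONN_RE = re.compile(
    r"Built (?:inbound|outbound) (?P<proto>UDP|TCP) connection \d+ "
    r"for (?P<if1>\w+):(?P<ip1>[\d.]+)/(?P<port1>\d+) \([\d.]+/\d+\) "
    r"to (?P<if2>\w+):(?P<ip2>[\d.]+)/(?P<port2>\d+) \([\d.]+/\d+\)"
)


def parse_built_connection(line):
    """Return (proto, endpoint_a, endpoint_b) for a 'Built ... connection' line, else None.

    Each endpoint is (interface, ip_address, port). Teardown and unrelated messages give None."""
    m = CONN_RE.search(line)
    if not m:
        return None
    a = (m["if1"], ipaddress.ip_address(m["ip1"]), int(m["port1"]))
    b = (m["if2"], ipaddress.ip_address(m["ip2"]), int(m["port2"]))
    return m["proto"], a, b


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_dns_bypass(lines, allowed_forwarders=ALLOWED_FORWARDERS, dns_ports=DNS_PORTS):
    """Flag internal hosts resolving DNS outside the network without going via the forwarders.

    Returns a list of (client_ip, resolver_ip, resolver_port, proto) tuples."""
    findings = []
    for line in lines:
        parsed = parse_built_connection(line)
        if parsed is None:
            continue
        proto, a, b = parsed
        # Decide roles by which side sits on a DNS port, so the check does not depend
        # on whether the firewall logged the flow as inbound or outbound.
        for client, resolver in ((a, b), (b, a)):
            if resolver[2] not in dns_ports:
                continue
            if (is_internal(client[1]) and not is_internal(resolver[1])
                    and client[1] not in allowed_forwarders):
                findings.append((str(client[1]), str(resolver[1]), resolver[2], proto))
            break
    return findings


if __name__ == "__main__":
    for client, resolver, port, proto in find_dns_bypass(SAMPLE_LOGS):
        print(f"DNS bypass: {client} -> {resolver}:{port}/{proto}")
```

Run against the constructed lines it reports 10.1.20.15 using Google DNS directly and 10.1.20.17 using DNS-over-TLS to 1.1.1.1, while the VA's own lookups to Umbrella and ordinary HTTPS traffic are left alone. The same rule expressed as a firewall ACL (permit 53/853 from the VAs, deny 53/853 from everything else) is the preventive control; this is the detective one that tells you the ACL is being tested. DNS-over-HTTPS on 443 cannot be told apart by port, which is one reason to keep the SSL decryption and Umbrella items on the list.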
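For the SPF item, the thing worth checking before publishing a record is how a receiver will actually evaluate it: whether your sending ranges pass, whether the include chain terminates in a hard fail, and whether the record accidentally ends in "+all" or exceeds the ten-lookup limit. The code below is an added example, not from the original notes or from any SPF library: an offline subset of the RFC 7208 check_host() algorithm (ip4, ip6, include, all and redirect) plus a small lint pass. The records in SPF_ZONE are constructed to stand in for DNS TXT lookups; mechanisms that need live DNS (a, mx, ptr, exists) are rejected rather than silently skipped.

```python
import ipaddress
import re

# Constructed SPF records standing in for DNS TXT lookups (not real zone data).
SPF_ZONE = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::/48 include:_spf.vendor.example -all",
    "_spf.vendor.example": "v=spf1 ip4:198.51.100.0/25 ~all",
    "legacy.example": "v=spf1 ip4:192.0.2.0/24 +all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}  # each costs one DNS lookup (RFC 7208 4.6.4)
MODIFIER_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]*=")


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) or ("modifier", name, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if MODIFIER_RE.match(term):  # redirect=... / exp=...
            name, _, value = term.partition("=")
            parsed.append(("modifier", name.lower(), value))
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_host(ip, domain, zone=SPF_ZONE, budget=None):
    """Offline subset of RFC 7208 check_host(): ip4, ip6, include, all and redirect."""
    budget = [0] if budget is None else budget  # lookup counter shared across includes
    ip = ipaddress.ip_address(ip)
    record = zone.get(domain.lower())
    if record is None:
        return "none"
    redirect = None
    for qualifier, mech, arg in parse_spf(record):
        if qualifier == "modifier":
            if mech == "redirect":
                redirect = arg
            continue
        if mech in LOOKUP_MECHS:
            budget[0] += 1
            if budget[0] > 10:
                return "permerror"
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ip_network.__contains__ is False for a v4/v6 version mismatch
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub = check_host(ip, arg, zone, budget)
            if sub == "pass":
                matched = True
            elif sub in ("fail", "softfail", "neutral"):
                matched = False
            else:
                return "permerror" if sub == "none" else sub
        else:
            raise NotImplementedError(f"{mech}: needs DNS, not resolved in this offline example")
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        budget[0] += 1
        if budget[0] > 10:
            return "permerror"
        return check_host(ip, redirect, zone, budget)
    return "neutral"  # no mechanism matched and no redirect


def audit_spf(record):
    """Lint one record for the mistakes that make SPF useless (does not follow includes)."""
    warnings = []
    terms = parse_spf(record)
    mechs = [t for t in terms if t[0] != "modifier"]
    has_redirect = any(t[0] == "modifier" and t[1] == "redirect" for t in terms)
    if mechs and mechs[-1][1] == "all" and mechs[-1][0] in ("+", "?"):
        warnings.append(f"ends in '{mechs[-1][0]}all': anyone can send as this domain")
    if not any(t[1] == "all" for t in mechs) and not has_redirect:
        warnings.append("no 'all' mechanism: unlisted senders get neutral, not fail")
    if any(t[1] == "ptr" for t in mechs):
        warnings.append("'ptr' is deprecated (RFC 7208 section 5.5)")
    lookups = sum(1 for t in mechs if t[1] in LOOKUP_MECHS) + (1 if has_redirect else 0)
    if lookups > 10:
        warnings.append(f"{lookups} lookup terms exceeds the limit of 10: receivers return permerror")
    return warnings
```

With the constructed zone, a sender in 203.0.113.0/24 or in the vendor's 198.51.100.0/25 passes for example.com, a sender at 198.51.100.200 falls out of the include's /25 and hits the outer "-all", and legacy.example is flagged because its "+all" lets any host send as that domain. SPF alone only covers the envelope sender; DKIM and DMARC are what stop header-From spoofing, hence all three on the list.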