Do I need to set the switches to promiscuous mode?
I don't think so, although I'm not familiar with the firewall you are using.
If you need want/need to have a separate management network, then you'll either need another network adapter, or use VLANs (in case your router/switch supports it).
However, you mentioned an Internet router. Since you are using NAT anyway (please correct me if I'm wrong), wouldn't it be an option to double NAT the traffic, i.e. something like:
Traffic to <Internet router>:443 -> NAT -> <firewall ip>:<portXY> -> NAT -> <Web Server>:443
André