

Palo Deployment Architecture

Configuration strategy:

Zones:

  • Untrust (for Internet links).
  • VPN (optional; use it only for third-party VPNs, not for VPNs to other internal sites).
  • Trust (all interfaces that don't fit the others).
  • Guest (for guest networks that break out locally to the Internet and do not access any other site and are not accessible from any other site).

Tags:

  • global-block
  • inbound
  • global-allow (e.g. ping).
  • rest-of-rules: use the “Group by” tag for the rule group. Within a group, use a normal tag to describe the destination.
  • For guest, explicitly allow the permitted traffic, then block everything else from the guest zone.
  • For each “zone” that isn't a zone (e.g. mgmt, printers, wifi, servers, dmz) create an address group that contains all of its subnets.

Two zone protection profiles - one for external interfaces and one for all others.

Create an address group of the firewall interface IP addresses so that a single rule can allow the firewall interfaces to ping/traceroute/icmp anywhere.

Enable an interface management profile with ping, ssh, https, user-id and snmp on a loopback or on the firewall's interface into the mgmt network. Use this for SNMP polling, User-ID redistribution (and configure a service route so this interface is used to get User-ID from other firewalls) and for managing the 'active' firewall. Enable ping, https, ssh and snmp on the actual management interfaces; use these for backup access/troubleshooting. Consider doing RADIUS/LDAP/TACACS queries from the loopback via a service route. You would then have to use a local account to get access to the passive unit.
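As an added example (not from the original page or from Palo Alto Networks), a small Python linter that checks a simplified policy model against the strategy above: only the four real zones appear in rules, untrust-sourced rules carry the inbound tag, guest rules are explicit allows followed by a final block, every pseudo-zone has a populated address group, the firewall-interface rule is limited to ping/traceroute/icmp, and management profiles are complete on the loopback and absent on untrust interfaces. The dict layout and every name in it (rule names, the 'fw-interfaces' group, the 'lan-mgmt' profile, the subnets) are constructed for illustration and are not the PAN-OS XML schema; a real check would build this model from a config export.

```python
"""Lint a simplified PAN-OS policy model against the page's deployment strategy.
The dict layout is an illustrative model (constructed), not the PAN-OS schema."""

ZONES = {"untrust", "vpn", "trust", "guest"}          # the only real zones
MGMT_SERVICES = {"ping", "ssh", "https", "user-id", "snmp"}
ICMP_APPS = {"ping", "traceroute", "icmp"}


def lint_policy(cfg):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    rules, groups = cfg["rules"], cfg["address_groups"]

    for r in rules:
        # 1. Anything else (mgmt, printers, dmz ...) must be an address group, not a zone.
        for z in r["from"] + r["to"]:
            if z != "any" and z not in ZONES:
                findings.append(f"{r['name']}: unknown zone '{z}' (use an address group)")
        # 2. Rules that enter from the Internet link must carry the 'inbound' tag.
        if "untrust" in r["from"] and "inbound" not in r["tags"]:
            findings.append(f"{r['name']}: rule from untrust lacks tag 'inbound'")
        # 3. Guest must not be reachable from other zones (literal zone names only;
        #    this model does not expand 'any').
        if "guest" in r["to"] and r["action"] == "allow" and "guest" not in r["from"]:
            findings.append(f"{r['name']}: allows traffic into guest from another zone")

    # 4. Guest: explicit allows, then one terminal deny from guest to anywhere.
    guest = [r for r in rules if "guest" in r["from"]]
    if not guest or guest[-1]["action"] != "deny" or guest[-1]["to"] != ["any"]:
        findings.append("guest zone has no terminal 'deny guest -> any' rule")
    for r in guest[:-1]:
        if r["action"] != "allow":
            findings.append(f"{r['name']}: guest rules before the final block must be allows")

    # 5. Each pseudo-zone needs a populated address group.
    for pz in cfg["pseudo_zones"]:
        if not groups.get(pz):
            findings.append(f"pseudo-zone '{pz}' has no populated address group")

    # 6. The firewall-interface rule: sourced from the interface group, ICMP apps only.
    icmp = [r for r in rules if r["source"] == ["fw-interfaces"]]
    if not icmp:
        findings.append("no rule sourced from address group 'fw-interfaces'")
    for r in icmp:
        if not set(r["applications"]) <= ICMP_APPS:
            findings.append(f"{r['name']}: fw-interfaces rule allows more than ICMP apps")
        if "global-allow" not in r["tags"]:
            findings.append(f"{r['name']}: fw-interfaces rule should carry tag 'global-allow'")

    # 7. Management profiles: none on untrust interfaces, all services on the loopback.
    for name, iface in cfg["interfaces"].items():
        prof = iface["mgmt_profile"]
        if iface["zone"] == "untrust" and prof:
            findings.append(f"{name}: management profile '{prof}' bound to an untrust interface")
        if name.startswith("loopback") and prof:
            missing = MGMT_SERVICES - set(cfg["mgmt_profiles"].get(prof, []))
            if missing:
                findings.append(f"{name}: profile '{prof}' missing {sorted(missing)}")
    return findings


def good_config():
    """Constructed sample that follows the strategy; every value is made up."""
    def rule(name, frm, to, src, dst, apps, action, tags):
        return {"name": name, "from": frm, "to": to, "source": src, "destination": dst,
                "applications": apps, "action": action, "tags": list(tags)}
    return {
        "pseudo_zones": ["mgmt", "printers", "servers"],
        "address_groups": {"fw-interfaces": ["10.0.0.1/32", "10.1.0.1/32"],
                           "mgmt": ["10.0.10.0/24"], "printers": ["10.0.20.0/24"],
                           "servers": ["10.0.30.0/24"]},
        "rules": [
            rule("block-known-bad", ["any"], ["any"], ["any"], ["any"], ["any"], "deny", ["global-block"]),
            rule("inbound-web", ["untrust"], ["trust"], ["any"], ["servers"], ["web-browsing", "ssl"], "allow", ["inbound"]),
            rule("fw-icmp-out", ["any"], ["any"], ["fw-interfaces"], ["any"], ["ping", "traceroute", "icmp"], "allow", ["global-allow"]),
            rule("guest-internet", ["guest"], ["untrust"], ["any"], ["any"], ["web-browsing", "ssl"], "allow", ["guest"]),
            rule("guest-block-all", ["guest"], ["any"], ["any"], ["any"], ["any"], "deny", ["guest"]),
            rule("mgmt-to-servers", ["trust"], ["trust"], ["mgmt"], ["servers"], ["ssh"], "allow", ["trust"]),
        ],
        "interfaces": {"ethernet1/1": {"zone": "untrust", "mgmt_profile": None},
                       "ethernet1/2": {"zone": "trust", "mgmt_profile": "lan-mgmt"},
                       "loopback.1": {"zone": "trust", "mgmt_profile": "lan-mgmt"}},
        "mgmt_profiles": {"lan-mgmt": ["ping", "ssh", "https", "user-id", "snmp"]},
    }


if __name__ == "__main__":
    for line in lint_policy(good_config()) or ["policy follows the strategy"]:
        print(line)
```

The guest check relies on rule order, which is exactly what the page's "explicitly allow, then block all from guest" depends on; a rule that drifts below the terminal deny is flagged as a structural problem rather than silently becoming dead.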
