Interfaces are configured as follows:
2x WSA: P1 - intern, P2 - extern, M1 - mgmt
1x SMA: M1 - mgmt
The management network (where the M1 interfaces are connected) has no internet access.
- Can the SMA appliance use SMA's M1 interface to access the internet for updates and DNS, or does a DNS server need to be reachable from the management network?
- Does the M1 interface on the WSA need to have the "use M1 for management only" setting disabled to allow the SMA to use the WSA as a proxy for updates?
- Does the SMA need external DNS resolution, or will an upstream proxy (WSA) be enough?
- How to restrict M1 on the WSA to be used for proxy services by the SMA only and prevent anything else (including admins) from using M1 on the WSA for proxying?
- If the M1 interface on the WSA is used for management only, can outgoing DNS, LDAP, AD, SNMP, NTP traffic use the P1 (internal) interface and OCSP and CRL downloads use the P2 (outgoing) interface?
- Are there any examples of best-practice topologies?