Single physical / bond carrying multiple VLANs or something different?

Certainly some of the Threat prevention blades have considerations for an interface being defined as external.

No, not a vlan trunk.  Single interface.  That usually happens in two cases:

1. When it's not really passing through traffic, such as it's a firewall for identity sharing, or proxy (rare now), or SMTP relay

2. In a cloud or similar environment where you don't need to route through to get traffic to pass.  An example would be Cisco ACI where you can use the fabric to bounce traffic off a single interface firewall... each access control entry can say accept, drop, or send to firewall.

On non-VSNext firewalls, you can technically get by with just two interfaces. The physical interface named Mgmt goes into the bond magg1, and the physical interface named Sync gets renamed to eth1-Sync and added to bond 1024, which is then named Sync. Sync is a bit special, but magg1 is a normal bond with a weird name.

On VSNext firewalls, VS 500 is created automatically, it's named "mgmt-switch", magg1 is assigned to it, and a warp is created leading from VS 0 to mgmt-switch. You can't add a subinterface to a warp, so you must use at least three interfaces there.

The person who wrote that perhaps intended to mean that if you have a license for each SGM with its sync IP, you would want to locally apply it to the right SGM using the 'member' command for every SGM other than the SMO - but perhaps only had 1 gateway in their lab environment to take the screenshot. Either way, no there's no special shell entered there, they just SSH'd back into the same SGM they were on already. It's not something you would ever actually need to do.

The management interface is up on every SGM, it's created as part of the setup but you can use it as the internal interface if you want to. 

I figured it was the same behavior for the SMO management interface as it is on Maestro, the management address is bound to the SMO.

Nope, in EXL all inbound packets land on SMO and then half/two-thirds of them are pivotted over to the other active cluster member(s). This is the case on all interfaces, they all work the same way. 

In Maestro the management interface is still up on all SGMs, as they will use it for outbound connections (eg, logs to the log server) but the inbound reply packets will also hit SMO before being pivotted over to the necessary SGM. 

Mmm but if I did asg stat -i tasks, would the SMO master also necessarily be the pivot?  I suspect the magg separation as for Maestro remains based on the fact that they want an interface with failover rather than load sharing.  You can imagine that without the MHO in front, they could have collapsed back to fewer interfaces, but it's based on SP code and you know... not important enough to change.

SMO is the pivot, you can see if you do 'cphaprob stat' that it'll be ACTIVE (P) while the others are ACTIVE. 

Bond mode is local to the SGM, they are not multi-chassis bonds. So bond mode and clustering are not related.