1. While there is an option to implement automated tuning, it is up to you if you want to use it. I prefer to run tuning manually by switching to our secondary manager while tuning our primary manager, then tuning the secondary once the primary is back up.
3. We have found TFTP to be too slow. Following advice from McAfee, we used an SCP server to upload the image and ran the upgrade from the sensor command line via SSH. Follow the steps in this article, replacing TFTP with SCP; the CLI Guide contains details on this also. https://kc.mcafee.com/agent/index?page=content&id=KB59403
I'll have a look at our setup for DMZ policy & 'detect mode' settings tomorrow.