To isolate management traffic on the FortiGate unit and to prevent decrypted traffic from being routed to an external device, all management traffic is routed through an isolated virtual domain (VDOM) on the FortiGate unit. This VDOM contains only a single tunnel network device, TUN. The fgfm daemon owns a file descriptor, FD, which is linked directly to TUN, so FD is the only path between the SSL session and the isolated VDOM. These steps are transparent to the user and exist to segregate management traffic from all other traffic that may be passing through the FortiGate unit.
On the FortiGate unit, the fgfm daemon decapsulates fgfm-encapsulated traffic received from FortiManager over the SSL connection and writes it through FD. Each packet is delivered via the TUN device to the local daemon responsible for it, and that daemon responds via the TUN device. Responses therefore always arrive back at the fgfm daemon over FD, are fgfm-encapsulated, and are sent over the SSL connection to the FortiManager unit; no other interface on the unit ever sees the decrypted management traffic.
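The relay pattern described above, as an added model that is not Fortinet code: one daemon holds the only file descriptor bridging the SSL session and the isolated tunnel device, decapsulating inbound frames into the tunnel and encapsulating whatever comes back. The SSL connection and the TUN device are both stood in for by socketpairs, and the 2-byte length-prefixed framing is an assumed placeholder for fgfm encapsulation, not the real fgfm wire format.

```python
"""Model of a single-FD relay between an SSL session and an isolated
tunnel device.  Added example, not Fortinet code.  The SSL session and
the TUN device are simulated with socketpairs; the length-prefixed
framing below is an assumption standing in for fgfm encapsulation."""
import select
import socket
import struct

HDR = struct.Struct("!H")  # assumed framing: 2-byte big-endian payload length


def encapsulate(payload: bytes) -> bytes:
    """Wrap one tunnel packet in the assumed frame header."""
    return HDR.pack(len(payload)) + payload


def decapsulate(buf: bytes):
    """Return (payload, remainder) if a complete frame is buffered,
    else (None, buf) so the caller keeps accumulating."""
    if len(buf) < HDR.size:
        return None, buf
    (n,) = HDR.unpack_from(buf)
    if len(buf) < HDR.size + n:
        return None, buf
    return buf[HDR.size:HDR.size + n], buf[HDR.size + n:]


class FgfmRelay:
    """The daemon's relay loop: ssl_sock <-> tun_fd, with tun_fd being
    the only object that ever receives decapsulated traffic."""

    def __init__(self, ssl_sock, tun_fd):
        self.ssl = ssl_sock
        self.tun = tun_fd
        self.inbuf = b""  # partial frames from the SSL side wait here

    def pump_once(self, timeout=0.1) -> int:
        """Forward whatever is ready in either direction; return the
        number of frames moved."""
        moved = 0
        ready, _, _ = select.select([self.ssl, self.tun], [], [], timeout)
        if self.ssl in ready:
            self.inbuf += self.ssl.recv(4096)
            while True:
                payload, self.inbuf = decapsulate(self.inbuf)
                if payload is None:
                    break
                self.tun.sendall(payload)  # decrypted data goes only into TUN
                moved += 1
        if self.tun in ready:
            pkt = self.tun.recv(4096)      # a local daemon's response via TUN
            self.ssl.sendall(encapsulate(pkt))
            moved += 1
        return moved


def run_demo(requests):
    """Push constructed requests through the model and return the replies
    the FortiManager side receives.  The 'local daemon' simply echoes."""
    manager, ssl_side = socket.socketpair()   # stands in for the SSL session
    tun_side, daemon = socket.socketpair()    # stands in for FD <-> TUN
    relay = FgfmRelay(ssl_side, tun_side)
    replies = []
    for req in requests:
        manager.sendall(encapsulate(req))
        relay.pump_once()                     # SSL -> FD -> TUN
        pkt = daemon.recv(4096)               # local daemon reads from TUN
        daemon.sendall(b"reply:" + pkt)       # and responds via TUN
        relay.pump_once()                     # TUN -> FD -> SSL
        payload, _ = decapsulate(manager.recv(4096))
        replies.append(payload)
    for s in (manager, ssl_side, tun_side, daemon):
        s.close()
    return replies


if __name__ == "__main__":
    print(run_demo([b"get system status", b"ping"]))
```

The point the model makes is structural: the local daemons on the tunnel side have no handle on the SSL socket, and the SSL side has no handle on the tunnel, so the relay's single descriptor is the only place decrypted management traffic can go.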