Today we have a few different tags used for virtual systems.
vsx = Any device that hosts virtual systems is tagged with this
mds = This tag is used specifically for Check Point MDS, which is when you host several virtual management servers on one host.
vdom_enabled = Some FortiGate-specific tag
vdom_root = Some FortiGate-specific tag
One issue is that the "vsx" tag is more of a product name for a Check Point product, but is today used by multiple vendor scripts for tagging a device that hosts virtual systems on it.
So, for example, a Check Point MDS server would have both "mds: true" and "vsx: true".
If you wanted to run only on a Check Point VSX server, you would need to set both "vsx: true" and "role-firewall: true".
Maybe "vsx" should change to something more generic, and Check Point could use the "vsx" tag for tagging only VSX Gateways? What do you think?