lestopace
Staff
April 12, 2022

Technical Tip : How to force ADVPN shortcuts to be created on their respective VPN tunnels.

Description:
This article describes how to force ADVPN shortcuts to be created on their respective VPN tunnels.

Scope:
FortiGate

Solution:

Problem:

Because of the Hub's routing decision, the ADVPN shortcut tunnel for BR-2 was created on HUB1-VPN3 instead of HUB1-VPN1, the tunnel on which the shortcut for BR-1 was created.

[image omitted]

Solution:

Configure policy routes or SD-WAN rules on the Hub so that traffic entering on a given VPN tunnel interface is steered back out through that tunnel's SD-WAN member, rather than following the Hub's normal routing decision.

config system sdwan
    config service
        edit 1
            set name "ToBranches1"
            set input-device "VPN1"
            set route-tag 1
            set src "all"
            set priority-members 3
        next
        edit 2
            set name "ToBranches2"
            set input-device "VPN2"
            set route-tag 2
            set src "all"
            set priority-members 4
        next
        edit 3
            set name "ToBranches3"
            set input-device "VPN3"
            set route-tag 3
            set src "all"
            set priority-members 5
        next
        edit 4
            set name "ToBranches4"
            set input-device "VPN4"
            set route-tag 4
            set src "all"
            set priority-members 6
        next
    end
end


In this example, route-tagging was used on the SD-WAN rules for simplicity, but it is not strictly required: SD-WAN rules or policy routes matching specific subnets will suffice, as long as the respective source (input) interface and priority members are set on each rule.

For more information on BGP and SD-WAN route-tagging, see the article below.

https://community.fortinet.com/t5/FortiGate/Technical-Note-How-to-use-BGP-and-SD-WAN-for-advertising-routes/ta-p/190055

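As an added example (not code from the article or from Fortinet), the following Python check parses a service block like the one above and verifies the steering invariant the article relies on: each VPN tunnel has exactly one rule keyed on its input-device, that rule's preferred member is the tunnel's own SD-WAN member, and no route-tag or member is reused. The mapping of member IDs to tunnels (3 for VPN1 through 6 for VPN4) and the rule names are assumptions.

```python
# Added audit example, not code from the article. It parses a constructed copy of
# the hub's "config system sdwan" service block (indentation dropped; the parser
# strips it anyway) and flags rules that would let an ADVPN shortcut land on the
# wrong tunnel. The member-ID-to-tunnel mapping below is an assumption.
RULE = ('edit {i}\nset name "ToBranches{i}"\nset input-device "VPN{i}"\n'
        'set route-tag {i}\nset src "all"\nset priority-members {m}\nnext\n')
SDWAN_CLI = ("config system sdwan\nconfig service\n"
             + "".join(RULE.format(i=i, m=i + 2) for i in range(1, 5)) + "end\nend\n")
TUNNEL_MEMBERS = {"VPN1": 3, "VPN2": 4, "VPN3": 5, "VPN4": 6}  # assumed mapping

def parse_services(cli_text):
    """Return {rule_id: {option: value}} for each 'edit N' under 'config service'."""
    rules, current, in_service = {}, None, False
    for line in (raw.strip() for raw in cli_text.splitlines()):
        if line == "config service":
            in_service = True
        elif not in_service:
            continue
        elif line.startswith("edit "):
            current = int(line.split()[1])
            rules[current] = {}
        elif line.startswith("set ") and current is not None:
            _, key, value = line.split(None, 2)
            rules[current][key] = value.strip('"')
        elif line == "next":
            current = None
        elif line == "end":  # closes 'config service'; the outer 'end' is skipped
            in_service = False
    return rules

def audit_steering(rules, tunnel_members):
    """Return a list of findings; an empty list means the steering is consistent."""
    findings, by_input, seen = [], {}, {}
    for rid, opts in rules.items():
        by_input.setdefault(opts.get("input-device"), []).append(rid)
        for key in ("route-tag", "priority-members"):  # each must be unique across rules
            val = opts.get(key)
            if val in seen.setdefault(key, {}):
                findings.append(f"rule {rid}: {key} {val} already used by rule {seen[key][val]}")
            seen[key].setdefault(val, rid)
    for iface, member in tunnel_members.items():
        ids = by_input.get(iface, [])
        if len(ids) != 1:
            findings.append(f"{iface}: expected exactly 1 rule with this input-device, found {len(ids)}")
            continue
        preferred = rules[ids[0]].get("priority-members", "").split()[:1]
        if preferred != [str(member)]:
            findings.append(f"{iface}: rule {ids[0]} prefers member {preferred}, expected {member}")
    return findings
```

Run it against the output of `show system sdwan` from the hub; an empty findings list means each tunnel's return traffic is pinned to its own member.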
Results:

[images omitted]