Ok, so I don't know where the fault lies with this. In FortiClient we manually changed the Remote Gateway from the IP address to the FQDN. Nothing was working as stated above. We ran WireShark and noticed that when we were trying to connect using FortiClient it was still reaching out the IP address and not the FQDN.
So we manually created a new profile in FortiClient and set the remote gateway with the FQDN. Once we hit connect in FortiClient, WireShark showed the DNS query for the IP address using the FQDN and the certificate works since now the FQDN is being used to access the site.
So we are wondering if standard users are not allowed to change certain settings in Forticlient due to permissions but actually doesn't let the user know that the changes didn't take affect; while visually in the Forticlient app it looks to have.
Additionally we looking in the registry at HKLM\SOFTWARE\Fortinet\Forticlient\IPSEC\Tunnels\{VPN Name}\P1
and noticed for the VPN Name that was a problem we noted the following entries:
When we look at the Registry settings for the new tunnel it shows the following.
So I don't know if the Forticlient is actually using the 'RemoteGWSorted' entry in the Registry after the first connection is made and will continue using that entry no matter what. So not sure if this is a bug with the software or a permission issue, but if this is a permission issue the app should let the user know that changing the name of the Remote Gateway is not allowed and to contact IT, or make the field non-editable and force the creation of a new VPN Name if the Remote Gateway is changed.
I will leave this marked as unsolved for a little bit to give people time to read and comment.
