| Description | This article describes how to send locally generated traffic (FortiGuard, FortiGate Cloud, DNS, NTP, etc.) through the secondary ISP link while all other general internet traffic uses the primary ISP link. It also details how to steer local-out traffic without using SD-WAN. |
| Scope | FortiGate. |
| Solution |
By default, the FortiGate relies on routing table lookups to determine the egress interface and source IP it uses to initiate connections for locally generated traffic. If SD-WAN is in use with tunnels and rules that steer traffic into those tunnels, the routing table alone may not be enough to tell the FortiGate which interface to use.
If SD-WAN is in use and SD-WAN rules should steer local-out traffic, follow this article instead: Technical Tip: Use SD-WAN for local out traffic or Management traffic (DNS, NTP, sflow, netflow, LDAP...
To steer local-out traffic without SD-WAN, there must be active routes available via both links. In this example, port1 is the primary link and port3 is the secondary one.
See the static routes configured for port1 and port3:
port1 has an AD (administrative distance) value of 10 with priority 1, and port3 has an AD value of 10 with priority 2. Note that if the AD values are different, only the route with the lowest AD value will be active in the routing table. When the AD values are the same, both routes are active and the firewall looks at the configured priority: the route with the lowest priority number takes precedence, so here port1 is the preferred route.
The route configurations have been completed. The next step is to specify which services use the secondary link. Below are the CLI commands for specifying that FortiGate Cloud traffic uses port3:
    config log fortiguard setting
        set interface-select-method specify
        set interface "port3"
    end
Use the following commands to route FortiGuard traffic through the secondary link, ensuring that locally generated FortiGuard service traffic is directed via the secondary WAN interface:
    config system fortiguard
        set interface-select-method specify
        set interface "port3"
    end
Note: This is configurable only from the CLI.
After initiating the connection towards FortiGate Cloud, it was sent via port3. In the same way, it is possible to specify other services such as FortiGuard, DNS, NTP, etc., to use port3.
Note: From FortiGate v7.0.0 onward, the option to control local-out traffic is also available in the GUI.
Navigate to System -> Feature Visibility and enable 'Local Out Routing'.
Once done, navigate to Network -> Local Out Routing and select the feature whose interface has to be changed.
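The complete procedure from this article, collected as one added FortiOS CLI example (not taken from the article itself): both default routes with equal distance and different priority, then the per-service interface-select-method settings for FortiGate Cloud, FortiGuard, DNS and NTP, followed by the commands used to verify the result. The gateway addresses 203.0.113.1 and 198.51.100.1 are placeholders and must be replaced with the real ISP next hops; the interface names port1 and port3 follow the article.

```fortios
# Added example, not from the original article.
# Static routes: same distance (10), port1 preferred through a lower priority number.
# Gateway addresses are placeholders; replace with the real ISP next hops.
config router static
    edit 1
        set dst 0.0.0.0/0
        set gateway 203.0.113.1
        set device "port1"
        set distance 10
        set priority 1
    next
    edit 2
        set dst 0.0.0.0/0
        set gateway 198.51.100.1
        set device "port3"
        set distance 10
        set priority 2
    next
end

# FortiGate Cloud logging traffic leaves via port3
config log fortiguard setting
    set interface-select-method specify
    set interface "port3"
end

# FortiGuard service traffic (updates, web filter rating, etc.) via port3
config system fortiguard
    set interface-select-method specify
    set interface "port3"
end

# System DNS queries via port3
config system dns
    set interface-select-method specify
    set interface "port3"
end

# NTP synchronisation via port3
config system ntp
    set interface-select-method specify
    set interface "port3"
end

# Verification: both default routes should be active, port1 marked as preferred
get router info routing-table all

# Verification: DNS queries from the FortiGate itself should now appear on port3
diagnose sniffer packet port3 'port 53' 4
```

Any service left at the default interface-select-method (auto) keeps following the routing table and therefore still egresses via port1, so only the services that are explicitly set to specify port3 move to the secondary link.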
Copyright 2025 Fortinet, Inc. All Rights Reserved.