pachavez
Staff & Editor
Article Id 368678
Description This article describes how to resolve the FortiClient VPN certificate warning 'The Certificate Issuer for this site is Untrusted or unknown.' which appears when a self-signed certificate, such as the built-in Fortinet_Factory certificate, is used as the SSL VPN server certificate on the FortiGate.
Scope FortiGate, FortiClient.
Solution

When a self-signed certificate such as the built-in Fortinet_Factory certificate is used for SSL VPN, this warning is expected behavior. The certificate chain presented by the FortiGate does not end in a CA that the client endpoint trusts, so FortiClient reports the issuer as untrusted or unknown. The warning will keep appearing unless the Root CA (or the Intermediate CA that issued the server certificate) is installed in the Trusted Root Certification Authorities store of each SSL VPN client. Note that trusting the issuer is only part of the check: the address clients connect to must also match the certificate's Subject or Subject Alternative Name, so a certificate issued for the VPN's public FQDN should be used.


cert error.PNG


To fix the certificate warning error:


  1. Recommended: obtain a server certificate for the VPN FQDN signed by a trusted, publicly recognized Certificate Authority (CA) and import it into the FortiGate, then select it as the SSL VPN server certificate. Clients already trust public CAs, so no client-side changes are needed. How to procure and import a signed SSL certificate in FortiGate: Procuring and importing a signed SSL certificate.
  2. Use ACME with Let's Encrypt, which provides a free and publicly trusted certificate that the FortiGate can request and renew itself. The FortiGate must be reachable from the Internet on the VPN FQDN for the ACME validation to succeed. To generate a certificate using ACME and Let's Encrypt: How to generate Let's Encrypt certificate in FortiGate
  3. If FortiAuthenticator is available, replace the default SSL VPN certificate of the FortiGate with a FortiAuthenticator-issued certificate. To prevent clients from receiving the certificate warning, import the FortiAuthenticator local root CA certificate under Trusted Root Certification Authorities on each client machine: How to replace the default SSL VPN certificate of a FortiGate with a FortiAuthenticator self-signed ...
  4. If none of the CA options above is available, download the local certificate that is selected in the SSL VPN settings of the FortiGate and import it into the Trusted Root Certification Authorities store of each end device. The certificate must also match the address clients connect to; the Fortinet_Factory certificate is issued to the device serial number, so prefer generating a local certificate for the VPN FQDN before distributing it to clients.
    System -> Certificates -> select the Local Certificate used by SSL VPN -> Download.
  5. For the free (unlicensed) FortiClient VPN, the warning can be suppressed on each host by enabling 'Do not Warn Invalid Server Certificate' under the FortiClient settings. Select 'Unlock Settings' in the lower left corner of the application to allow this change. Be aware that this disables server certificate validation entirely, so the client can no longer detect an attacker impersonating the VPN gateway; use it only as a last resort and prefer options 1 to 4.

Disable certificate warning on FortiClient.jpg
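The validation that produces this warning can be reproduced from a client with openssl, which makes it easy to confirm, before touching FortiClient settings, whether a given certificate will be accepted and why. The script below is an added example and is not part of this article or of Fortinet's own tooling. It builds a constructed self-signed certificate (standing in for one exported from System -> Certificates) and runs the two client-side checks: chain trust against the default store versus the exported certificate as trust anchor (option 4 above), and name matching against the connect address. The host name vpn.example.com, the address 203.0.113.10 and the working directory are assumed values; show_sslvpn_cert needs network access to a real FortiGate and is not exercised by the demo.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: reproduce with openssl the
# checks a VPN client makes on the SSL VPN server certificate, i.e. the checks
# behind "The Certificate Issuer for this site is Untrusted or unknown":
#   (1) does the chain end in a trusted root?   (2) does the name match?
# Host names, addresses and file locations below are constructed for the demo.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Constructed self-signed server certificate, standing in for the local
# certificate exported from System -> Certificates on the FortiGate.
# Subject and SAN (vpn.example.com) are assumed values.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/vpn.key" -out "$WORK/vpn.crt" \
        -subj "/CN=vpn.example.com" \
        -addext "subjectAltName=DNS:vpn.example.com" >/dev/null 2>&1
}

# Verify a certificate the way a client does: chain check against a trust
# store plus host-name check.  With no CA file the system default store is
# used, which is why a self-signed certificate fails exactly as it does in
# FortiClient.  Returns 0 when the certificate would be accepted, 1 otherwise.
verify_cert() {
    cert="$1"; hostname="$2"; cafile="${3:-}"
    if [ -n "$cafile" ]; then
        openssl verify -CAfile "$cafile" -verify_hostname "$hostname" "$cert" >/dev/null 2>&1
    else
        openssl verify -verify_hostname "$hostname" "$cert" >/dev/null 2>&1
    fi
}

# Print the certificate a live FortiGate presents on its SSL VPN port and the
# openssl verification result (run from an endpoint; needs network access).
show_sslvpn_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 \
        | grep 'Verify return code'
}

demo() {
    make_selfsigned_cert || { echo "openssl not available"; return 1; }
    # 1. Default trust store: untrusted issuer, the FortiClient warning case.
    if verify_cert "$WORK/vpn.crt" vpn.example.com; then
        echo "unexpected: self-signed cert trusted by default store"; return 1
    fi
    echo "default store, self-signed: untrusted (warning expected)"
    # 2. Same certificate imported as a trusted root (option 4): accepted.
    verify_cert "$WORK/vpn.crt" vpn.example.com "$WORK/vpn.crt" || return 1
    echo "exported cert as trusted root, correct name: OK"
    # 3. Trusted root, but client connects to an address not in CN/SAN: rejected.
    if verify_cert "$WORK/vpn.crt" 203.0.113.10 "$WORK/vpn.crt"; then
        echo "unexpected: name mismatch accepted"; return 1
    fi
    echo "trusted root but name mismatch: rejected"
}

demo
```

On the FortiGate side, the certificate being tested is the one selected under VPN -> SSL-VPN Settings -> Server Certificate, or in the CLI with `config vpn ssl settings`, `set servercert "<certificate name>"`, `end`. Running show_sslvpn_cert against the VPN FQDN from an endpoint shows the subject, SAN and issuer actually presented, which is the quickest way to tell an untrusted-issuer problem from a name-mismatch problem.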


This alert may also appear when the FortiGate has a valid certificate that was replaced with a new one, for example because the old certificate was about to expire. After the replacement, certain FortiClient versions, including v7.2.0 through v7.2.8 and v7.4.0 through v7.4.2, may still show this error because they keep using the previously cached server certificate. To clear it, restart FortiClient or reboot the operating system. Upgrading to v7.2.9 or v7.4.3 and later is recommended to avoid this problem.


Note:
SAML certificate errors are not controlled by the SSL VPN server certificate settings on the FortiGate: the certificate FortiClient validates in that case is the one presented by the identity provider's login page, and it is handled in a different location and with a different procedure on FortiClient. The document below can be used as a reference for SAML certificate errors: Troubleshooting Tip: How to Resolve FortiClient Untrusted Certificate Errors With SAML Authenticati... 


For licensed FortiClient endpoints managed by FortiClient EMS, the per-host setting cannot be changed on the client; instead go to Endpoint Profiles -> System Settings, choose the profile (Default or custom), locate Endpoint Control, set 'Invalid Certificate Action' to 'Allow', and then select 'Save'. As with option 5 above, 'Allow' disables server certificate validation for every endpoint assigned to that profile, so it should be a temporary measure while a trusted certificate is put in place.

Endpoint Profile.jpg


EMS - Invalid Certificate Action.jpg