syordanov (Staff)
Article Id 383586
Description: This article describes how to configure a link-monitor on an IPSec aggregate so that the routes associated with the aggregate become inactive when the aggregate goes down.
Scope: FortiGate v6.4, v7.0, v7.2, v7.4 and v7.6
Solution

In v7.0.1 the routing behavior changed: all routes associated with an IPSec aggregate stay up even if the aggregate itself is down. A link-monitor can be used as a workaround.


Example topology (figure: ipsec_aggregate_topology.JPG):


There is an IPSec aggregate between FortiGate-1 and FortiGate-2 with two IPSec members. With the current behavior, all routes on FortiGate-1 and FortiGate-2 associated with the IPSec aggregate stay up even if the IPSec aggregate is down. To make all routes associated with the IPSec aggregate inactive when it is down, a link-monitor can be used.

 

Phase1-interface configuration of VPN_1 and VPN_2 on FortiGate-1:

 

config vpn ipsec phase1-interface
    edit "VPN_1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256
        set transport auto
        set remote-gw 10.5.147.48
        set psksecret ENC xxxxx
    next
    edit "VPN_2"
        set interface "port3"
        set ike-version 2
        set peertype any
        set net-device disable
        set aggregate-member enable
        set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256
        set transport auto
        set remote-gw 192.168.200.2
        set psksecret ENC xxxxx
    next
end

 

FortiGate-1 IPSec aggregate configuration (both members belong to the aggregate "aggregate"):

 

config system ipsec-aggregate
    edit "aggregate"
       set member "VPN_1" "VPN_2"
       set algorithm round-robin
    next
end

 

On both FortiGates, an IPv4 address is assigned to the IPSec aggregate interface, with the peer's address configured as the remote-ip:

 

FortiGate-1 aggregate interface configuration:

 

config system interface
    edit "aggregate"
        set vdom "root"
        set ip 192.168.77.1 255.255.255.255
        set allowaccess ping https ssh snmp http ftm
        set type tunnel
        set remote-ip 192.168.77.2 255.255.255.255
        set snmp-index 15
    next
end

 

FortiGate-2 aggregate interface configuration:

 

config system interface
    edit "aggregate"
        set vdom "root"
        set ip 192.168.77.2 255.255.255.255
        set allowaccess ping https ssh snmp http ftm
        set type tunnel
        set remote-ip 192.168.77.1 255.255.255.255
        set snmp-index 15
    next
end

 

 

Link-monitor configuration on FortiGate-1:

 

config system link-monitor
    edit "aggregate_monitor"
        set srcintf "aggregate"       <----- Source interface, in this case the aggregate.
        set server "192.168.77.2"     <----- IP address of the remote FortiGate-2 (its aggregate interface).
    next
end

 

As the configuration above shows, the ICMP probe targets IP address 192.168.77.2, which belongs to the IPSec aggregate tunnel interface of FortiGate-2. If both IPSec tunnels (VPN_1 and VPN_2) are down, the probe fails and the link-monitor reports the aggregate as down. As a result, all routes associated with the IPSec aggregate will be inactive.

 

The routing table on FortiGate-1 when the aggregate IPSec is up:

 

get router info routing-table all | grep aggregate
S 1.1.1.1/32 [10/0] via aggregate tunnel 10.5.147.48, [1/0]
S 10.99.99.1/32 [10/0] via aggregate tunnel 10.5.147.48, [1/0]
C 192.168.77.1/32 is directly connected, aggregate
S 192.168.77.2/32 [5/0] via aggregate tunnel 10.5.147.48, [1/0]

 

Diagnose output for the link-monitor when the aggregate is up:

 

diagnose sys link-monitor status

Link Monitor: aggregate_monitor, Status: alive, Server num(1), cfg_version=0 HA state: local(alive), shared(alive)
Flags=0x1 init, Create time: Fri Mar 21 00:45:44 2025
Source interface: aggregate (21)
VRF: 0
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Transport-Group: 0
Class-ID: 0
Peer: 192.168.77.2(192.168.77.2)
Source IP(192.168.77.1)
Route: 192.168.77.1->192.168.77.2/32, gwy(10.5.147.48)
protocol: ping, state: alive
Latency(Min/Max/Avg): 0.427/1.382/0.691 ms
Jitter(Min/Max/Avg): 0.007/0.955/0.174 ms
Packet lost: 0.000%
MOS: 4.404
Number of out-of-sequence packets: 0
Fail Times(0/5)
Packet sent: 14089, received: 12272, Sequence(sent/rcvd/exp): 14090/14090/14091

 

 

Diagnose output for the link-monitor when the aggregate is down:

 

diagnose sys link-monitor status

Link Monitor: aggregate_monitor, Status: dead, Server num(1), cfg_version=0 HA state: local(dead), shared(dead)
Flags=0x9 init log_downgateway, Create time: Fri Mar 21 00:45:44 2025
Source interface: aggregate (21)
VRF: 0
Interval: 500 ms
Service-detect: disable
Diffservcode: 000000
Class-ID: 0
Transport-Group: 0
Class-ID: 0
Peer: 192.168.77.2(192.168.77.2)
Source IP(192.168.77.1)
Route: 192.168.77.1->192.168.77.2/32, gwy(10.5.147.48)
protocol: ping, state: dead
Packet lost: 57.000%
MOS: 4.375
Number of out-of-sequence packets: 0
Recovery times(0/5) Fail Times(2/5)
Packet sent: 14780, received: 12905, Sequence(sent/rcvd/exp): 14781/14723/14724

 

The routing table on FortiGate-1 when the aggregate IPSec is down:

 

get router info routing-table all | grep aggregate
C 192.168.77.1/32 is directly connected, aggregate
S 192.168.77.2/32 [5/0] via aggregate tunnel 10.5.147.48, [1/0]

 

 

The 'connected' routes associated with the interface 'aggregate' are still active, but the routes to 1.1.1.1/32 and 10.99.99.1/32 are now inactive because of the link-monitor.
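To verify the workaround from a monitoring host rather than by eye, the outputs above can be parsed and cross-checked: when the monitor reports dead, no static route other than the tunnel remote-ip /32 should still point into the aggregate. The following is an added example written for this article, not Fortinet code; the samples are abridged copies of the article's outputs, and the function names are assumptions.

```python
import re

# Constructed samples, abridged from the article's outputs: the link-monitor in
# the dead state, and the routing table before and after the route withdrawal.
MONITOR_DEAD = """\
Link Monitor: aggregate_monitor, Status: dead, Server num(1), cfg_version=0 HA state: local(dead), shared(dead)
Source interface: aggregate (21)
Peer: 192.168.77.2(192.168.77.2)
Recovery times(0/5) Fail Times(2/5)
"""
ROUTES_UP = """\
S 1.1.1.1/32 [10/0] via aggregate tunnel 10.5.147.48, [1/0]
S 10.99.99.1/32 [10/0] via aggregate tunnel 10.5.147.48, [1/0]
C 192.168.77.1/32 is directly connected, aggregate
S 192.168.77.2/32 [5/0] via aggregate tunnel 10.5.147.48, [1/0]
"""
ROUTES_DOWN = """\
C 192.168.77.1/32 is directly connected, aggregate
S 192.168.77.2/32 [5/0] via aggregate tunnel 10.5.147.48, [1/0]
"""

def parse_link_monitor(text):
    """Map each monitor name to its status, source interface, peer and fail counter."""
    monitors, cur = {}, None
    for line in text.splitlines():
        if (m := re.match(r"Link Monitor: (\S+), Status: (\w+)", line)):
            cur = monitors.setdefault(m.group(1), {"status": m.group(2)})
        elif cur is None:
            continue
        elif (m := re.match(r"Source interface: (\S+)", line)):
            cur["srcintf"] = m.group(1)
        elif (m := re.match(r"Peer: ([^(\s]+)\(", line)):
            cur["peer"] = m.group(1)
        elif (m := re.search(r"Fail Times\((\d+)/(\d+)\)", line)):
            cur["fail_times"] = (int(m.group(1)), int(m.group(2)))
    return monitors

def routes_via(text, iface):
    """Return {prefix: route type} for routes whose next hop or attachment is iface."""
    pat = re.compile(rf"^\s*([CS]) (\S+) .*\b{re.escape(iface)}\b")
    return {m.group(2): m.group(1) for m in map(pat.match, text.splitlines()) if m}

def stale_routes(monitor_text, route_text, name):
    """Static routes still pointing into a dead monitor's interface, excluding the
    peer /32 (the tunnel remote-ip route), which the article shows stays active."""
    mon = parse_link_monitor(monitor_text)[name]
    if mon["status"] != "dead":
        return []
    keep = {mon["peer"] + "/32"}
    return sorted(p for p, t in routes_via(route_text, mon["srcintf"]).items()
                  if t == "S" and p not in keep)
```

A non-empty result from stale_routes while the monitor is dead indicates the link-monitor did not withdraw the routes and the workaround needs to be re-checked.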