Created on 03-17-2023 08:55 AM
Edited on 11-26-2025 08:55 AM
By Stephen_G
| Description | This article describes how to allow routing using ISDB and FQDN objects for Microsoft update purposes. |
| Scope | FortiOS. |
| Solution |
When FortiGate routing must be controlled for a specific destination only, such as Microsoft update traffic, ISDB objects can be used rather than defining every IP address individually.
However, it is important to be aware that not all IP addresses can be listed in the FortiGuard ISDB (Internet Service Database).
Reason: The Microsoft Update service is hosted on a CDN, which includes dynamically assigned IP addresses. The IP addresses change constantly and are not published. ISDB, meanwhile, is a static IP-based database service, which cannot handle dynamic IP addresses or FQDNs directly.
It is suggested to use an FQDN address as a complementary method to retrieve the latest IP addresses resolved from specific domains in the local environment.
To maintain connection to Microsoft, see this update page regularly.
How to add a complementary config for this case:
Note 1: A valid firewall policy is required to handle the traffic correctly (not covered in this article).
Note 2: Starting in FortiOS 7.6.4, FQDN address groups can be added via the ISDB menu within the firewall policy configuration in the GUI. This functionality improves handling of dynamic or absent IP entries in the ISDB database. For further details, refer to GUI support for FQDN address groups within the ISDB 7.6.4 | Fortinet Document Library.
Related article: |
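
The following FortiOS CLI sketch is an added example, not configuration from the original article. It shows the two complementary pieces described above: a static route that references an ISDB entry and a static route that references an FQDN address object. The object name, the domain, the gateway 192.0.2.1, the interface "wan1" and the `<ISDB-ID>` placeholder are assumptions to replace with local values.

```fortios
# Added example. All names, the domain, the gateway and the interface are
# sample values, not taken from the article.

# 1) FQDN address object for a Microsoft update domain.
#    allow-routing must be enabled before the object can be used in a route.
config firewall address
    edit "MS-Update-FQDN"
        set type fqdn
        set fqdn "download.windowsupdate.com"
        set allow-routing enable
    next
end

# 2) Static route for the addresses the FortiGate resolves from the FQDN.
config router static
    edit 0
        set dstaddr "MS-Update-FQDN"
        set gateway 192.0.2.1
        set device "wan1"
    next
end

# 3) Static route for the static ranges published in the ISDB entry.
#    <ISDB-ID> is a placeholder for the numeric ID of the Microsoft update
#    Internet Service in the local FortiGuard ISDB.
config router static
    edit 0
        set internet-service <ISDB-ID>
        set gateway 192.0.2.1
        set device "wan1"
    next
end
```

The FQDN route only covers addresses the FortiGate itself has resolved, so clients should use the same DNS servers as the FortiGate; otherwise a client may receive a CDN address that neither route matches.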