In a situation where FortiGate is connected to a FortiManager, which acts as a FortiGuard server, it is necessary to block traffic sourced from FortiGate to reach the FortiGuard server.

The first solution is to put all that traffic in a Group and then create a static route for that Group to be blackholed.

config firewall address

    edit "FQDN-DIRECTREGISTRATION.FORTINET.COM"
        set uuid 5c10dfac-3360-51ef-647d-a329f4a06ba7
        set type fqdn
        set allow-routing enable
        set fqdn "DIRECTREGISTRATION.FORTINET.COM"
    next
    edit "FQDN-GLOBALDEVCOLLECT.FORTINET.NET"
        set uuid a8e1be82-3360-51ef-321f-a145ef6f7702
        set type fqdn
        set allow-routing enable
        set fqdn "GLOBALDEVCOLLECT.FORTINET.NET"
    next
    edit "FQDN-GLOBALDEVQUERY.FORTINET.NET"
        set uuid bb3f3f0a-3360-51ef-c0b5-a4d6c64bb3d9
        set type fqdn
        set allow-routing enable
        set fqdn "GLOBALDEVQUERY.FORTINET.NET"
    next
    edit "FQDN-MSGCTRL1.FORTINET.COM"
        set uuid cd1e98ba-3360-51ef-fc4e-a7f932b612f0
        set type fqdn
        set allow-routing enable
        set fqdn "MSGCTRL1.FORTINET.COM"
    next
    edit "FQDN-PRODUCTAPI.FORTINET.COM"
        set uuid dcc194f2-3360-51ef-0744-a121387d6181
        set type fqdn
        set allow-routing enable
        set fqdn "PRODUCTAPI.FORTINET.COM"
    next
    edit "FQDN-SECUREGIP.FORTINET.NET"
        set uuid f45330a8-3360-51ef-7fcc-46fe3a4a3b44
        set type fqdn
        set allow-routing enable
        set fqdn "SECUREGIP.FORTINET.NET"
    next

       edit "FQDN-GLOBALPRODUCTAPI.FORTINET.NET"
        set uuid 9e318100-e9cd-51f0-ca1f-82b5a2ee4a08
        set type fqdn
        set allow-routing enable
        set fqdn "GLOBALPRODUCTAPI.FORTINET.NET"
    next
       edit "FQDN-GLOBALUPDATE.FORTINET.NET"
        set uuid 1d969f84-e9ce-51f0-8d8f-ef6d943354c9
        set type fqdn
        set allow-routing enable
        set fqdn "GLOBALUPDATE.FORTINET.NET"
    next
end

config firewall addrgrp
    edit "GRP-FortiGuard-Public-FQDNs"
        set uuid 8abe3df4-3360-51ef-bc55-d9c73854b1e3
        set member "FQDN-DIRECTREGISTRATION.FORTINET.COM" "FQDN-GLOBALDEVCOLLECT.FORTINET.NET" "FQDN-GLOBALDEVQUERY.FORTINET.NET" "FQDN-MSGCTRL1.FORTINET.COM" "FQDN-PRODUCTAPI.FORTINET.COM" "FQDN-SECUREGIP.FORTINET.NET" "FQDN-GLOBALPRODUCTAPI.FORTINET.NET" "FQDN-GLOBALUPDATE.FORTINET.NET"
        set allow-routing enable
    next
end

config router static
    edit 99
        set blackhole enable
        set comment "Block local-out to public FortiGuard Servers"
        set dstaddr "GRP-FortiGuard-Public-FQDNs"
    next
end

The second solution is to completely block FortiGate from the cloud communication by disabling 'cloud-communication' and the 'fortitoken-cloud' under get system global.

get system global

cloud-communication : enable

fortitoken-cloud : enable

config system global
    set cloud-communication : disable
    set fortitoken-cloud : disable

      end

It is possible to check with the diagnose debug rating:

diagnose debug rating
Locale : english

Service : Web-filter
Status : Disable

Service : Antispam
Status : Disable

Service : Virus Outbreak Prevention
Status : Disable

The GUI images showed self-generating traffic before and after the solutions.