FortiGate
tpatel
Staff
Article Id 388325
Description This article describes how to advertise multi-VRF routes using route leaking over an ADVPN tunnel.
Scope FortiGate.
Solution

Topology:

[Figure: topology diagram (vrf.png)]

Refer to this document for configuring ADVPN tunnels and shortcut paths.

In the given topology, if route leaking is required between interfaces assigned to VRF 0 and VRF 10, use the configuration provided below.

Port4 is assigned to VRF 10:

config system interface
    edit "port4"
        set vdom "root"
        set vrf 10
        set ip 10.30.36.1 255.255.255.240
        set allowaccess ping https ssh http telnet fgfm fabric 
        set type physical
        set snmp-index 4
    next
end


To leak the learned routes into each VRF, an inter-VDOM link is required. This example uses the 'single-vdom-npuvlink' option within the 'config system global' command to enable NPU inter-VDOM links:

config system interface
    edit "VLINK0"
        set vdom "root"
        set vrf 10
        set ip 192.168.1.1 255.255.255.252
        set allowaccess ping
        set type vdom-link
        set snmp-index 16
    next
    edit "VLINK1"
        set vdom "root"
        set vrf 0
        set ip 192.168.1.2 255.255.255.252
        set allowaccess ping
        set type vdom-link
        set snmp-index 16
    next

end

Create a firewall policy that allows traffic from the VRF 10 network to VRF 0 over the VDOM link, and a second policy for the reverse direction:

config firewall policy
    edit 13
        set name "VRF 0 to VRF10"
        set srcintf "VLINK0"
        set dstintf "VLINK1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
    edit 14
        set name "VRF 10 to VRF 0"
        set srcintf "VLINK1"
        set dstintf "VLINK0"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

BGP configuration:

Create a prefix list to advertise and restrict the respective subnets:

config router prefix-list
    edit "EST"
        config rule
            edit 1
                set prefix 10.30.36.0 255.255.255.240
                unset ge
                unset le
            next
        end
    next
    edit "PORT5"
        config rule
            edit 1
                set prefix 10.25.150.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

The route map can be used to group one or more prefix lists:
config router route-map
    edit "TEST"
        config rule
            edit 1
                set match-ip-address "EST"
            next
        end
    next
    edit "Port5"
        config rule
            edit 1
                set match-ip-address "PORT5"
            next
        end
    next
end

Configure the VRF leak in BGP, specifying the source VRF, the destination VRF and the route map:

config router bgp
    config vrf
        edit "10"
            config leak-target
                edit "0"
                    set route-map "TEST"
                    set interface "VLINK0"
                next
            end
        next
        edit "0"
            config leak-target
                edit "10"
                    set route-map "Port5"
                    set interface "VLINK1"
                next
            end
        next
    end
end

Verify the routing table on the spoke FortiGate:

[Figure: spoke routing table (vrf2.png)]

Note:

As per the current design, the route leak will only work if the route map for return traffic is also applied to the BGP configuration.
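As an added example that is not part of the article, the following Python checker parses FortiOS CLI text such as the snippets above (the output of 'show system interface' and 'show router bgp') and flags two inconsistencies in a leak configuration: a leak-target interface that is undefined or belongs to neither VRF, and a leak with no return direction, which the note above says prevents the leak from working. CONFIG is a constructed subset of the article's configuration with the VRF 0 to VRF 10 return leak deliberately left out, so the checker reports it.

```python
import shlex
def parse_fortios(text):
    """Parse FortiOS CLI (config/edit/set/next/end) into nested dicts keyed by name."""
    cur = root = {}
    stack = []
    for tok in map(shlex.split, text.splitlines()):
        if tok and tok[0] in ("config", "edit"):
            stack.append(cur)
            cur = cur.setdefault(" ".join(tok[1:]), {})
        elif tok and tok[0] == "set":
            cur[tok[1]] = " ".join(tok[2:])
        elif tok and tok[0] in ("next", "end"):
            cur = stack.pop()
    return root

def check_leaks(cfg):
    """Return findings for 'config router bgp / config vrf' leak targets ([] = consistent)."""
    ifaces = cfg.get("system interface", {})
    vrfs = cfg.get("router bgp", {}).get("vrf", {})
    findings = []
    for src, vrf in vrfs.items():
        for dst, leak in vrf.get("leak-target", {}).items():
            itf = leak.get("interface")
            if itf not in ifaces or ifaces[itf].get("vrf", "0") not in (src, dst):
                findings.append(f"{src}->{dst}: interface {itf!r} is not in VRF {src} or {dst}")
            # Per the article's note, leaking only works when the return direction is configured too.
            if src not in vrfs.get(dst, {}).get("leak-target", {}):
                findings.append(f"{src}->{dst}: missing reverse leak-target {dst}->{src}")
    return findings

# Constructed subset of the article's snippets; the VRF 0 -> VRF 10 return leak is left out.
CONFIG = """
config system interface
    edit "VLINK0"
        set vrf 10
    next
end
config router bgp
    config vrf
        edit "10"
            config leak-target
                edit "0"
                    set route-map "TEST"
                    set interface "VLINK0"
                next
            end
        next
    end
end
"""
```

Call check_leaks(parse_fortios(CONFIG)) to get the list of findings; paste a device's own show output into CONFIG to check a real configuration.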

Related documents:

Route leaking between VRFs with BGP 
Technical Tip: VRFs route leaking
Technical Tip: IBGP and EBGP Support in VRF