This will provide centralized inspection, network management and control on the HQ:

To steer the Internet traffic from the branch office tunnel to the HQ, configure the below settings on the tunnel:

On HQ Fortigate.

Make sure HQ FortiGate can reach internet traffic from wan1:

exec ping-options interface wan1

exec ping google.com

1. Set IPsec VPN phase 2 local address to default 0.0.0.0/0. Create multiple phase2-interface to allow only for specific remote subnets, otherwise set remote to 0.0.0.0/0 too.
2. Configure firewall policy from tunnel interface to wan1, destination all, and set nat enable (specify the source IP from remote branch subnet).

Apply necessary security profiles and inspection from this firewall policy.

On Branch Fortigates.

1. IPsec VPN Phase-2 configuration should have a remote subnet of 0.0.0.0/0:

2. Configure a firewall policy for internet traffic from the Lan interface to the VPN_Tunnel interface with NAT disabled.

config firewall policy
    edit 10
        set name "Internet_Policy"
        set srcintf "Lan"
        set dstintf "VPN_Tunnel"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end

3. Static Route Configuration.

config  router static

    edit 1

        set dst 15.1.1.1/32   <-----  HQ Wan IP.

        set gateway 25.1.1.254   <----- Branch Gateway.

        set device wan1

        set distance 1

    next

        edit 2

            set dst 0.0.0.0/0

            set device VPN_Tunnel

            set distance 5

        end