Topology:

 
In the above example, there are two VPCs: Customer VPC and Security VPC.

The user VPC hosts the workloads and applications, in which there are two subnets. One for the Application where the application workloads are deployed and the other for GWLB where the Gateway Load Balancer endpoint (GWLBe) is deployed to redirect the traffic to GWLB.

The security VPC deploys the FortiGate.

The red arrows show the inbound traffic flow:

1. The traffic reaches the Internet Gateway of the user VPC.
2. The internet Gateway is associated with an Ingress route table, where there is a route for the application subnet via the GWLBe. So the traffic flows from IGW to GWLBe.
3. Then the traffic goes through GWLB in security VPC, where the traffic is encapsulated with GENEVE and sent to the FortiGate.
4. FortiGate inspects the traffic and forwards the traffic to the application instances.

The blue arrows show the outbound traffic flow:

1. The application subnet is associated with the App route table, where there is a default route through GWLBe. So, the traffic initiated from applications flows to the GWLBe.
2. From GWLBe, the traffic will be forwarded to the FortiGate in security VPC via the GWLB.
3. FortiGate inspects the traffic and sends it to the Internet Gateway of the user VPC.
4. Traffic flows out of the Internet Gateway to the public Internet.
   
   

Note: It is necessary to set the static routes for all these redirecting traffic flows after the deployment.

Related article:

Technical Tip: Traffic Flow Sequence at the FortiGate with General CPU