| Description | This article describes the troubleshooting steps when editing the Address group for split tunnel in dial-up IPsec VPN gives the error 'Can not change address members. Group is used by ipsec mode-cfg'. |
| Scope | FortiGate v7.4.8. |
| Solution |
When trying to edit the address group used for split tunneling in a dial-up IPsec VPN tunnel from the GUI, the edit fails with the error 'Can not change address members. Group is used by ipsec mode-cfg'.
It is not possible to edit the group via the CLI either; the following error is displayed:
Can not change address members. Group is used by ipsec mode-cfg. object set operator error, -23 discard the setting Command fail. Return code 1
This is because, starting from version 7.4.8, an address group that is referenced by a dial-up tunnel's mode-cfg split tunnel configuration cannot be edited while that reference exists.
As a solution, change the split tunnel address group in the dial-up IPsec VPN tunnel to any other address group or select 'none', then edit the address group and reinsert it into the dial-up IPsec VPN tunnel.
Alternatively, disable 'Mode Config' in phase-1 of the dial-up IPsec VPN tunnel, edit the address group, and then enable mode-cfg again in phase-1.
In either way, the address group for split tunneling in dial-up IPsec VPN tunnels can be edited without any issues.
This behavior is present in FortiOS versions 7.4.8 and 7.4.9. In the 7.6 version train, the address group can be edited without the need to remove it from the IPsec configuration.
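The two workarounds above, expressed as FortiOS CLI commands. This is an added example and not part of the original article: the tunnel name 'dialup-vpn', the group name 'split-tunnel-grp' and the member address objects are hypothetical placeholders, and the 'unset' form is assumed to be the CLI equivalent of selecting 'none' in the GUI.

```fortios
# Workaround 1: remove the reference, edit the group, then reinsert it.
# 'dialup-vpn' is a hypothetical phase-1 name.
config vpn ipsec phase1-interface
    edit "dialup-vpn"
        unset ipv4-split-include
    next
end

# With the reference gone, the group can be modified.
# 'split-tunnel-grp' and the member objects are hypothetical names.
config firewall addrgrp
    edit "split-tunnel-grp"
        set member "net-10.0.1.0" "net-10.0.2.0" "net-10.0.3.0"
    next
end

# Reinsert the group as the split tunnel address group.
config vpn ipsec phase1-interface
    edit "dialup-vpn"
        set ipv4-split-include "split-tunnel-grp"
    next
end

# Workaround 2: disable mode-cfg, edit the group, enable mode-cfg again.
config vpn ipsec phase1-interface
    edit "dialup-vpn"
        set mode-cfg disable
    next
end

config firewall addrgrp
    edit "split-tunnel-grp"
        set member "net-10.0.1.0" "net-10.0.2.0" "net-10.0.3.0"
    next
end

config vpn ipsec phase1-interface
    edit "dialup-vpn"
        set mode-cfg enable
    next
end

# Check: confirm the split tunnel group is still referenced after the change.
show vpn ipsec phase1-interface dialup-vpn
```

After applying either sequence, the 'show' output should list 'set ipv4-split-include "split-tunnel-grp"' under the phase-1; if it does not, set it again before dial-up clients reconnect, since they receive the split tunnel networks from this setting during mode-cfg.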
Note: Making the above changes will bring down the IPsec tunnel, so it is recommended to make these changes during a maintenance window to avoid production impact. |
Copyright 2025 Fortinet, Inc. All Rights Reserved.