I'm new to Fortinet hardware and am currently having fun and games with a FortiGate 401F running v7.4.8.
We have two internet connections, a static connection with a /29 subnet of public IPs and a broadband connection. Most traffic is routed out of the broadband and we plan to pin only a few systems to the static connection.
For our static WAN,
.89 is the gateway
.90 is the firewall
.91-.94 we will use for services
The .90 is set as the address on the WAN and the .91-.94 are added as secondary addresses.
I'm trying to set up a DMZ with one system in it at the moment. The DMZ network is running on a separate switch plugged directly into the firewall with the gateway on the firewall.
I've set policy routes for the internal traffic followed by a policy route for the external traffic, plus an outbound rule using an IP pool with the address I want the server pinned on (.93).
If I run a "what's my IP" from the server it reports the .93 address, and if I run curl commands or an apt update, it can pull information from the internet through the correct public IP as seen in the logs.
What I can't get working is the incoming NAT from .93 into the server!
Everything I've read so far tells me that all I need to do is set up a VIP (1 to 1 or port to port - tried both) with the public IP and internal IP, then set up a firewall rule with the Static WAN as the incoming interface, the DMZ interface as the outgoing and the virtual IP as the destination.
It's not working! I've got a web service on the DMZ system that I can access from all parts of the internal network but can't access from outside. The internal rules are getting triggered when I access the web service but I'm seeing nothing triggering on the outside to inside rule!
I've tried setting an inbound policy rule too, but that breaks the working outbound connection.
I'm probably missing something obvious here but I don't know what the hell it is!! If anyone can steer me in the right direction, it would be a great help before I take a hammer to the firewall!!
The routing table shows the port17 default route has admin distance 5. Since the admin distance of the default route toward port2 is higher than that, it wouldn't show up in the routing table. You need to match it with 5.
Toshi
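As an added example (not configuration posted by anyone in this thread), here is how the two pieces discussed above fit together in FortiOS CLI: both default routes carrying the same administrative distance so the static-WAN route stays in the routing table, plus the VIP and inbound policy the original post describes. The interface names port17 (broadband) and port2 (static WAN) come from the solution; the DMZ interface name "dmz", the public prefix 203.0.113.88/29 (so .89 is the gateway and .93 the server's public address), the broadband gateway 198.51.100.1 and the DMZ host 10.10.10.10 are constructed placeholders to be replaced with real values.

```text
# --- Default routes: equal distance keeps BOTH in the routing table ---
# Distance decides which routes enter the RIB; only the lowest distance
# survives for the same prefix. Priority (lower wins) then picks the
# preferred one among equal-distance routes, so broadband stays the
# default egress while port2 remains a valid route for traffic that
# arrives on it.
config router static
    edit 1
        set device "port17"
        set gateway 198.51.100.1      # broadband gateway (constructed)
        set distance 5
        set priority 5
    next
    edit 2
        set device "port2"
        set gateway 203.0.113.89      # static WAN gateway, .89 (constructed prefix)
        set distance 5                # must match the port17 route (thread's fix)
        set priority 10               # less preferred for ordinary egress
    next
end

# --- VIP: public .93 on the static WAN maps to the DMZ host ---
config firewall vip
    edit "vip-dmz-web"
        set extintf "port2"
        set extip 203.0.113.93        # public address for the server (constructed)
        set mappedip "10.10.10.10"    # DMZ host (constructed)
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# --- Inbound policy: static WAN -> DMZ, destination is the VIP object ---
# No NAT on this policy; the VIP performs the DNAT. Logging all traffic
# makes it easy to confirm whether the policy ever matches.
config firewall policy
    edit 0
        set name "inbound-web-dmz"
        set srcintf "port2"
        set dstintf "dmz"             # DMZ interface name (assumed)
        set srcaddr "all"
        set dstaddr "vip-dmz-web"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set logtraffic all
    next
end

# --- Checks ---
# Confirm both default routes are installed (look for two 0.0.0.0/0 lines):
#   get router info routing-table all
# Watch whether packets for .93 actually arrive on port2 before blaming
# the policy:
#   diagnose sniffer packet port2 'host 203.0.113.93 and port 443' 4
```

The routing-table check is the one to run first: if only the port17 default appears, packets arriving on port2 have no route back to their source via that interface and the FortiGate drops them on its reverse-path check before any policy is evaluated, which matches the symptom of the outside-to-inside policy never logging a hit. The sniffer line then separates "packets never reach port2" from "packets arrive but are dropped".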
Created on 09-01-2025 10:17 PM, edited on 09-01-2025 10:23 PM by Jean-Philippe_P
Super, thank you for finding what we were completely missing!!!
I'm off to slap myself and my network guy around the back of the head for that!