i just know the reason. but i dunno how to solve.
the Fortigate 60 firewall had connect IPSEC to another fortigate 50A.
In Fortigate 60 Console, when I tried traceroute to DNS IP, I found the traffic is route to Fortigate 50A and then access the Internet. As both firewalls are in different Zone, the service.fortigate.com cannot be resolve.
How can I set the policy to fix this case?