Mike,
you are right in assuming that the VM FGT is only routing.
The problem is in the design: only traffic passing through the FGT will be subject to policing and UTM measures. As in your "one-arm sniffer" mode, the only visible effect is routing.
To be exact, one-arm sniffing can be used for UTM but only for monitoring. The FGT will see the traffic on one interface ('internal') connected to your LAN, and apply AV, IPS or whatever you specify. For this to happen, you need an active policy because UTM is only put into action in policies.
But before I begin writing nonsense I'd like to refer you to the FortiOS Handbook, chapter "One-arm sniffing". You will find more detail on this special mode there.
Ede
"Kernel panic: Aiee, killing interrupt handler!"