Lucas, if there were any way you could share the pertinent pieces of the HQ and satellite configs, I'd be very grateful.

Regards.

There is a documentation about that : http://docs.fortinet.com/uploaded/files/1693/using-redundant-OSPF-routing-over-IPsec-VPN.pdf

I configured the same aera on all remote sites.

edit : 

for BFD : http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/routing_dynamic.023...

Adjust the BFD according your internet line (latency for exemple)

Yeah that's a little different than my setup, where one of the links is not IPsec but routed over MPLS. I'll see how much I can mold to that.

Thanks

You need to check with your MPLS provider if you wan to configure ospf with BFD. 

but I always configure IPSEC, even the traffic is on MPLS because the traffic isn't encrypted in MPLS line.. 

Very good suggestions.

Keep in mind you need understand both  the limits/objectives w/dynamic routing protocols and bfd  & the what/where they fit in.

Keep in mind BFD to  MPLS-PE might not gain you anything, due to the provider routing protocols, you can check if your MPLS provide provide lsp-pings and how they release routing information within their labels domains.