I think FortiManager is sorted, but FortiGuard is not. Since FortiGuard needs to route out to the internet, there may well be a missing rule in the core somewhere, but all is looking good now (apart from CLI pinging / traceroute etc.).
I found details of a very useful command, which may help others in the future:
get system source-ip status
Yes, you can set the source IP address for the FortiGate's outgoing traffic to a routable address. To do this, you will need to configure Source NAT (SNAT) on the FortiGate. SNAT allows you to change the source IP address of packets leaving the FortiGate to a specific IP address or IP range.