We are trying to set up a static route on our inside network that routes any traffic directed to 10.88.0.0 / 255.255.0.0 to a specific appliance on our local network that has the IP 10.32.14.20.
Any help in this would be great
FortiGate 60E
FortiOS 6.2
Wan IP: 12.34.56.78
router inside lan IP: 10.32.14.1
IP range to be routed: 10.88.0.0 / 255.255.0.0
Destination Appliance IP: 10.32.14.20
Hi,
You should be able to set up policy-based routing.
Would that be done by hairpin, creating a VIP and policy?
Just starting out on FortiGate, so detailed steps would be much appreciated.
I did the following steps listed below as a test and it worked but with two problems.
Problem 1. The appliance on 10.32.14.20 could no longer access the internet.
Problem 2. We were only able to configure the VIP to do a single IP for the external interface. We could not input it as 10.88.0.0/16 to cover the entire range.
created VIP:
interface = any
external IP = 10.88.0.10
internal IP = 10.32.14.20 (IP of our appliance)
Optional filters = (not enabled)
Port forwarding = (not enabled)
created an IPv4 policy:
incoming = lan
outgoing = lan
source = all
services = all
nat = (not enabled)
ran the following commands via CLI:
# config firewall policy
# edit 2
# set match-vip enable
# end
I can't really imagine what the use case could be for an entire range to funnel down to one IP?
In any case, what Simon suggested seems like it should work in your case, which is very different from what you did. So back that out, and try this.
Under Routing > Policy Routes, add a policy that says traffic with any source address (0.0.0.0/0) to the following destination address (10.88.0.0/16) should "Forward traffic" to the gateway address of 10.32.14.20.
Since it sounds like that host is directly connected to the firewall, it should work. No policies would be necessary since it is lan to lan traffic and you don't actually need to NAT anything. That assumes that the host at 10.32.14.20 is capable of replying with a source of 10.88.x.x to whatever host is sending this traffic.
If not, I don't know what the point would be, but I guess you would need NAT and yeah I don't think that's possible...
Thanks for the help, I didn't know FortiOS would hide visibility of certain features by default. I went to System > Feature Visibility and enabled "Advanced Routing".
For more detail on what we are trying to accomplish: our vendor needs their VPN appliance on our network so that their software works on our workstations.
They requested:
"
Please route traffic to the appliance, add a static route on the network with the following
Destination / Subnet Mask / Gateway
10.88.0.0 / 255.255.0.0 / 10.32.14.20 (Static LAN address of appliance)
10.122.0.0 / 255.255.0.0 / 10.32.14.20 (Static LAN address of appliance)
"
I created and enabled a Policy Route with the following...
protocol = any
incoming interface = lan
source address ip/netmask = 0.0.0.0/0.0.0.0
destination address ip/netmask = 10.88.0.0/16
forward traffic
gateway address = 10.32.14.20
Unfortunately, when I do a traceroute to 10.88.0.20 it never goes to the next hop of 10.32.14.20.
Thanks again for the assistance.
Honestly I don't know why I didn't think of that...what they asked you to do is much simpler...policy routing isn't really necessary. A simple static route should accomplish it...
Same idea, destination network is as specified, and the gateway would simply be the IP of their appliance with a destination interface selected of whatever interface their appliance is connected to ("lan" I guess?).
Can you ping 10.32.14.20 directly? If not, that might be why you're not seeing it in the traceroute. If your FortiGate has the packet capture feature in the GUI, you can easily sniff this traffic to see if it's exiting the interface as intended. There are also guides you can find fairly easily on debugging the packets via CLI.
Yes I can ping 10.32.14.20 directly
I removed all of the previous steps.
Created a static route with:
Destination = subnet 10.88.0.0/16
gateway address = 10.32.14.20
administrative distance = 10
Advanced options / priority = 0
Still cannot ping or traceroute to the appliance.
Are you able to debug or do a packet capture to see if it is an issue with the firewall or with how the appliance operates? It sounds to me like you've done what the vendor asked you to do, so I might suggest re-engaging with them to help solve it, but I always like to have proved beyond a doubt that my stuff is working right, hence the suggestion to packet capture.
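The static-route approach described in the last few replies, written out as the FortiOS CLI equivalent of the GUI steps, together with the checks the replies suggest (routing table, sniffer, debug flow). This is an added example, not configuration posted by anyone in the thread. It uses the addresses the original poster and the vendor gave (10.88.0.0/16, 10.122.0.0/16, appliance 10.32.14.20, interface "lan"); the address-object and policy names are made up for the example. One point the example adds that the thread does not state: because the workstations and the appliance sit on the same "lan" interface, the FortiGate forwards this traffic back out the interface it arrived on, and FortiOS still requires a firewall policy (srcintf lan, dstintf lan) for it, with NAT left disabled so the appliance sees the real workstation source addresses.

```text
# FortiOS 6.2 CLI (lines starting with # are comments in a CLI script)

# 1. Static routes for both vendor ranges, next hop = appliance on "lan".
#    "edit 0" lets FortiOS assign the next free sequence number.
config router static
    edit 0
        set dst 10.88.0.0 255.255.0.0
        set gateway 10.32.14.20
        set device "lan"
        set comment "vendor VPN appliance (example)"
    next
    edit 0
        set dst 10.122.0.0 255.255.0.0
        set gateway 10.32.14.20
        set device "lan"
        set comment "vendor VPN appliance (example)"
    next
end

# 2. Address objects for the routed ranges (names are assumptions).
config firewall address
    edit "vendor-net-10.88"
        set subnet 10.88.0.0 255.255.0.0
    next
    edit "vendor-net-10.122"
        set subnet 10.122.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "vendor-routed-nets"
        set member "vendor-net-10.88" "vendor-net-10.122"
    next
end

# 3. lan -> lan policy so the hairpinned traffic is allowed.
#    No NAT: the appliance must see the workstation's real source IP
#    and reply to it; restrict "service" further if the vendor lists ports.
config firewall policy
    edit 0
        set name "lan-to-vendor-appliance"
        set srcintf "lan"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "vendor-routed-nets"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# 4. Verification.
# Confirm the routes are installed and what the FortiGate picks for a test host:
get router info routing-table all
get router info routing-table details 10.88.0.20

# Sniff on "lan" while a workstation pings 10.88.0.20; verbose level 4
# prints the interface name, so you can see the packet leave "lan"
# towards 10.32.14.20 (and whether anything ever comes back):
diagnose sniffer packet lan 'host 10.88.0.20' 4 20

# Per-packet forwarding decision (route lookup, policy match, or drop reason):
diagnose debug flow filter addr 10.88.0.20
diagnose debug flow trace start 10
diagnose debug enable
#   ... generate the ping/traceroute from a workstation, then:
diagnose debug disable
diagnose debug reset
```

If the sniffer shows the packets leaving "lan" with destination MAC of the appliance and nothing returns, the FortiGate side is doing what the vendor asked and the problem is on the appliance (it must accept traffic for 10.88.0.0/16 and 10.122.0.0/16 and route replies back to the workstation subnet). If the debug flow output reports "no matching policy" or a route lookup failure, the fix is on the FortiGate side.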