With the current network set-up on the FG-B, I don't think this is possible.
My wild idea is to have another connection between the router (maybe lan2 interface) and FG-B (wan2?) then assign a different interconnect subnet. Then set the port forwarding at the router to lan2.
At the FG-B, I would try a lower-priority (higher number) static default route to wan2 while wan1 has a higher-priority static default route. With this set-up all internet-bound traffic from FG-B goes out wan1 while it still accepts and returns traffic to the SSL VPNs.
This is just my theory and I have never tested it myself. There may be some fallout in this theory.
But this wonky setup is unnecessary if you simply move the SSL VPN to FG-A, which is the common way.
I would order an additional IP from the ISP to make the network more "normal". Or better, eliminate the router by moving all routing functions into those FGTs if the circuit handoff is Ethernet. Basically you have two routers at both locations splitting routing functions (including the VPN) between them.
In this particular scenario I would suggest trying Policy Routes. This needs to be tested first, no guarantee that it will work, but it's worth a shot. You have to get very specific in the matching conditions and try to select and route only the SSL VPN traffic.
- Emirjon
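For readers who want to try either suggestion in the lab, the following FortiOS CLI fragment is an added illustration of both the two-default-route idea (wan1 preferred, wan2 as a lower-priority path for the port-forwarded SSL VPN) and the policy-route idea; it is not configuration from anyone in this thread and has not been tested against the original poster's topology. The addressing (10.0.12.0/30 on wan1, 10.0.13.0/30 on wan2, router-side gateways at .1), the SSL VPN port 10443 and the client subnet 10.212.134.0/24 are assumed placeholders.

```fortios
# Assumed addressing, not from the thread: wan1 10.0.12.2/30 -> router 10.0.12.1,
# wan2 10.0.13.2/30 -> router lan2 10.0.13.1. Router forwards TCP/10443 to 10.0.13.2.

# Second interconnect on FG-B (the "wan2" the post speculates about)
config system interface
    edit "wan2"
        set ip 10.0.13.2 255.255.255.252
        set allowaccess ping
    next
end

# Two static default routes with the same distance but different priority.
# In FortiOS the lower priority value wins, so normal internet-bound traffic
# leaves via wan1; wan2 stays in the routing table as the less-preferred path.
config router static
    edit 1
        set gateway 10.0.12.1
        set device "wan1"
        set priority 1
    next
    edit 2
        set gateway 10.0.13.1
        set device "wan2"
        set priority 20
    next
end

# SSL VPN bound to wan2 only, on the assumed port.
config vpn ssl settings
    set port 10443
    set source-interface "wan2"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end

# Policy route as narrow as Emirjon suggests: only traffic coming in from the
# SSL VPN tunnel interface and destined for the second interconnect is forced
# out wan2; everything else falls through to the static routes above.
config router policy
    edit 1
        set input-device "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dst "10.0.13.0 255.255.255.252"
        set output-device "wan2"
        set gateway 10.0.13.1
    next
end
```

Two checks before calling the lab result a success: `get router info routing-table all` should list both default routes with wan1 first, and `diagnose sniffer packet any 'port 10443' 4` run while a client connects should show the SYN arriving on wan2 and the SYN-ACK leaving on wan2, not wan1. Policy routes act on traffic forwarded through the FortiGate; whether the SSL VPN listener's own replies honour the second default route or follow the session's ingress interface is exactly the part the posts above say must be tested rather than assumed.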