Alright, I'll try to make this make sense on the first shot. We have a remote site with a FortiGate 201E (6.0.2, which I'll refer to as Branch) that has an IPsec tunnel back to our FortiGate 1500Ds (5.4.1, which I'll refer to as HQ). HQ then has multiple interfaces for various things (internal traffic, DMZ, etc.); one of those interfaces is a physical connection to an ASA owned by another business, which we'll call Partner.
On the Branch I have a single rule from each internal interface to the IPsec tunnel that is all:all:always:allow. I then have various routes for subnets Branch needs to access through HQ and Partner. All of my filtering/policy is being done at HQ (probably not the best for bandwidth usage, but easiest to maintain). From the Branch location we are able to access everything needed on the HQ internal networks and the Partner networks EXCEPT for multiple http(s) sites at Partner. In HQ I use the same PAT rule for all client devices (HQ-Internal and Branch-Internal) to access all Partner services, and I have identical rules allowing HQ internal devices > Partner sites as I do for Branch internal devices > Partner sites.
I've used diag debug flow to verify that traffic is entering and exiting on the correct interfaces at both Branch and HQ. Not sure what else to look at.
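Since the post leans on `diag debug flow` output to check ingress/egress interfaces, here is a small added example (my own script, not the poster's or Fortinet's) that parses that output per trace_id and summarizes what a practitioner would actually compare between the working and failing sessions: ingress interface, routed egress interface, which policy allowed or denied the packet, and what SNAT address was applied. The sample lines are constructed to resemble the general shape of FortiGate debug-flow messages (interface names `ipsec-branch` and `port5`, policy number 12, and all addresses are made up), so the field layout should be treated as approximate rather than a reference for any particular firmware version.

```python
import re

# Constructed sample in the general shape of "diag debug flow" trace output.
# Interface names, policy ids, session ids and addresses are invented.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 10.10.20.5:51234->172.16.50.10:443) from ipsec-branch. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=1 func=init_ip_session_common line=5738 msg="allocate a new session-00012345"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-172.16.50.1 via port5"
id=20085 trace_id=1 func=fw_forward_handler line=743 msg="Allowed by Policy-12: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3179 msg="SNAT 10.10.20.5->172.16.50.254:51234"
id=20085 trace_id=2 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 10.10.20.5:51235->172.16.50.11:80) from ipsec-branch. flag [S], seq 2000, ack 0, win 64240"
id=20085 trace_id=2 func=init_ip_session_common line=5738 msg="allocate a new session-00012346"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2581 msg="find a route: flag=04000000 gw-172.16.50.1 via port5"
id=20085 trace_id=2 func=fw_forward_handler line=743 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5594 msg="vd-root:0 received a packet(proto=6, 172.16.50.10:443->172.16.50.254:51234) from port5. flag [S.], seq 5000, ack 1001, win 65535"
id=20085 trace_id=3 func=resolve_ip_tuple_fast line=5669 msg="Find an existing session, id-00012345, reply direction"
"""

TRACE_ID = re.compile(r"\btrace_id=(\d+)\b")

# One pattern per message type we care about; anything else is ignored.
PATTERNS = {
    "packet": re.compile(
        r"received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)"
        r"->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<in_if>\S+)\."
    ),
    "route": re.compile(r'find a route: .*? via (?P<out_if>\S+)"'),
    "allow": re.compile(r"Allowed by Policy-(?P<policy>\d+)"),
    "deny": re.compile(r'Denied by (?P<reason>[^"]+)"'),
    "snat": re.compile(r"SNAT (?P<orig>[\d.]+)->(?P<nat>[\d.]+):(?P<nport>\d+)"),
    "existing": re.compile(r"Find an existing session, id-(?P<sid>\w+), (?P<dir>\w+) direction"),
}


def summarize(trace_text):
    """Group debug-flow lines by trace_id and extract the fields worth comparing."""
    traces = {}
    for line in trace_text.splitlines():
        m = TRACE_ID.search(line)
        if not m:
            continue
        entry = traces.setdefault(m.group(1), {"verdict": "no decision"})
        for kind, pat in PATTERNS.items():
            hit = pat.search(line)
            if not hit:
                continue
            if kind == "packet":
                entry.update(proto=hit["proto"], src=hit["src"], dst=hit["dst"],
                             dport=hit["dport"], in_if=hit["in_if"])
            elif kind == "route":
                entry["out_if"] = hit["out_if"]
            elif kind == "allow":
                entry["verdict"] = "allowed"
                entry["policy"] = hit["policy"]
            elif kind == "deny":
                entry["verdict"] = "denied"
                entry["reason"] = hit["reason"]
            elif kind == "snat":
                entry["snat"] = hit["nat"]
            elif kind == "existing":
                entry["verdict"] = "existing session"
                entry["existing_session"] = hit["sid"]
    return traces


def find_anomalies(traces):
    """Trace ids that were denied, or allowed without any egress route being found."""
    return sorted(
        tid for tid, e in traces.items()
        if e["verdict"] == "denied" or (e["verdict"] == "allowed" and "out_if" not in e)
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_TRACE)
    for tid, e in summary.items():
        print(f"trace {tid}: {e.get('src')}->{e.get('dst')}:{e.get('dport')} "
              f"in={e.get('in_if')} out={e.get('out_if')} verdict={e['verdict']} "
              f"policy={e.get('policy')} snat={e.get('snat')}")
    print("needs a look:", find_anomalies(summary))
```

Feed it real output (e.g. redirected from the console session) and diff the rows for a working session against a failing one: if ingress, egress, policy id and SNAT address all match, the FortiGate side is behaving identically and the difference is most likely downstream of the egress interface.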