I have been trying out the DNS Inspection Mode for a similar situation,
and it seems to be working pretty well. You may want to give this a try.
The only caveat is that you need to use the FortiGuard DNS servers,
which may not be as fast or reliable ...
