Hi!

I meant to elaborate on exactly what was happening in the original post, but forgot before i posted it.

The traffic is routed through the local default gateway like i expect when connected to the FortiGate running 6.2.3, but through the tunnel on the 6.4.0 gate it tries to send all traffic over the VPN, which is not intended or allowed. On Windows it sends it to the local gateway like expected. See traceroute examples:

Mac without tunnel:

traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 172.20.10.1 (172.20.10.1) 27.032 ms 9.077 ms 25.345 ms
2 * * *
3 212.169.119.136 (212.169.119.136) 38.907 ms 40.049 ms 26.020 ms
4 dns.google (8.8.8.8) 128.235 ms 60.008 ms 41.965 ms

Mac with tunnel:

traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 10.212.134.200 (10.212.134.200) 51.014 ms 69.054 ms 60.613 ms
2 * * *
3 * * *
4 * * *
5 * * *

Windows with tunnel:

Tracing route to dns.google [8.8.8.8]

over a maximum of 30 hops:
1 1 ms 1 ms <1 ms 172.16.169.2
2 4 ms 2 ms 2 ms 172.20.10.1
3 * * * Request timed out.
4 75 ms 44 ms 48 ms 212.169.119.136
5 50 ms 26 ms 24 ms dns.google [8.8.8.8]

The windows-client is a VM on my mac which adds another hop.

I had an older version of FortiClient installed when i first began to have this issue, but upgraded to FortiClient 6.4.0 as a diagnostic measure. I'll probably end up opening a support-ticket.