This afternoon we received several reports all at once that the internet was down. Interestingly, we were able to reach client locations, all SNMP monitoring looked healthy, and no outages were present. We did, however, notice that bandwidth utilization had dropped to a trickle, so something was amiss!
Eventually we discovered in the IPS logs that most traffic was being blocked due to matching the following IPS signature:
When we disabled IPS, traffic started flowing again. We then went to System -> FortiGuard -> Update AV and IPS Definitions. After the update, we re-enabled IPS and traffic flowed normally again!
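
The log triage described above, as an added example that is not part of the original post: it tallies blocked IPS events per signature and reports any signature that accounts for most of the blocks, along with how many distinct sources it hit. The key=value field names (`subtype`, `action`, `attack`, `srcip`), the blocking action values and the signature names are assumptions and constructed placeholders; adjust them to match your own log export.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data: FortiGate-style key=value lines. Field names,
# action values and signature names are assumptions / placeholders.
_FMT = ('date=2024-01-01 time=14:0{i}:00 type="utm" subtype="{sub}" '
        'srcip=10.0.0.{src} dstip=198.51.100.7 action="{act}" attack="{sig}"')
_ROWS = [
    ("ips", 5, "dropped", "Example.Sig.A"), ("ips", 6, "dropped", "Example.Sig.A"),
    ("ips", 7, "dropped", "Example.Sig.A"), ("ips", 8, "dropped", "Example.Sig.A"),
    ("ips", 5, "dropped", "Example.Sig.A"), ("ips", 9, "dropped", "Example.Sig.A"),
    ("ips", 5, "dropped", "Example.Sig.B"),    # unrelated, low-volume signature
    ("ips", 6, "detected", "Example.Sig.A"),   # monitor-only hit, not a block
    ("webfilter", 5, "blocked", ""),           # not an IPS event
]
SAMPLE_LOG = "\n".join(_FMT.format(i=i, sub=s, src=ip, act=a, sig=g)
                       for i, (s, ip, a, g) in enumerate(_ROWS))

PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
BLOCKING = {"dropped", "reset"}  # assumed values for actions that stop traffic


def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in PAIR.findall(line)}


def dominant_signatures(log_text, min_share=0.5, min_events=5):
    """Return (signature, blocks, distinct_sources, share) for each signature
    responsible for at least min_share of all blocked IPS events."""
    blocks, sources = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("subtype") != "ips" or rec.get("action") not in BLOCKING:
            continue
        sig = rec.get("attack") or "<unknown>"
        blocks[sig] += 1
        sources[sig].add(rec.get("srcip"))
    total = sum(blocks.values())
    if total < min_events:  # too few blocks to say anything
        return []
    return [(sig, n, len(sources[sig]), n / total)
            for sig, n in blocks.most_common() if n / total >= min_share]


if __name__ == "__main__":
    for sig, n, srcs, share in dominant_signatures(SAMPLE_LOG):
        print(f"{sig}: {n} blocks from {srcs} sources ({share:.0%} of all IPS blocks)")
```

A signature that dominates the block count across many internal sources at once is worth checking against the installed definition version before treating it as an attack.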