Hi,
I think you’ll find all tips on this link:
In summary:
Change the default SSL VPN port 10443/443 to anything else
Do not use local users for authentication, and if using them, keep passwords elsewhere and/or enable MFA
Enable Multi-Factor Authentication for VPN users
Limit access to VPN SSL portal to specific IP addresses
Move VPN SSL listening interface to a Loopback interface
(Less preferred than above) Limit access to SSL VPN portal in Local-in Policy
Limit access to portal by GeoIP location
Block access to/from Tor Exit Nodes and Relays to anything
Install trusted CA-issued certificate, but don’t issue Let’s Encrypt certificates directly on the FortiGate
Configure email alert on each successful VPN SSL connection
Prevent re-using the same user account to connect in parallel
In security rules, allow access only to specific destinations and services, not all
If not using VPN SSL, disable it, or assign to a dummy interface
Create a no-access portal and set it as default in the VPN settings
Block offending IP after n failed attempts
Disable weak and outdated TLS protocols for SSL VPN
Consider switching from VPN SSL to VPN IPSec for clients
Consider moving VPN SSL into its own VDOM
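
A way to check a saved configuration backup against five of the items above (port, listening interface, default portal, TLS floor, failed-login lockout), as an added example that is not part of the original post. The setting names are those of the FortiOS `config vpn ssl settings` block; the backup text is constructed, and the loopback name `loop-vpn` and portal name `no-access` are hypothetical.

```python
import re

# Constructed sample backup, not taken from a real device.
SAMPLE = """\
config vpn ssl settings
    set port 10443
    set source-interface "wan1"
    set default-portal "full-access"
    set ssl-min-proto-ver tls1-0
    set login-attempt-limit 0
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end
"""

def parse_block(config, header):
    """Collect the top-level 'set' lines of one config block, skipping nested tables."""
    settings, depth = {}, 0
    for line in map(str.strip, config.splitlines()):
        if depth == 0:
            depth = 1 if line == header else 0
        elif line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
            if depth == 0:
                break
        elif depth == 1 and (m := re.match(r"set (\S+) (.+)", line)):
            settings[m.group(1)] = m.group(2).replace('"', "")
    return settings

def audit(config, loopbacks=("loop-vpn",), no_access_portal="no-access"):
    """Return the settings that miss the checklist; both keyword defaults are hypothetical names."""
    s = parse_block(config, "config vpn ssl settings")
    checks = {
        # An absent 'set port' is treated as the default port (assumption).
        "port": s.get("port", "443") not in ("443", "10443"),
        "source-interface": s.get("source-interface") in loopbacks,
        "default-portal": s.get("default-portal") == no_access_portal,
        "ssl-min-proto-ver": s.get("ssl-min-proto-ver") not in ("tls1-0", "tls1-1"),
        # 0 means no limit on failed login attempts.
        "login-attempt-limit": s.get("login-attempt-limit") != "0",
    }
    return sorted(key for key, ok in checks.items() if not ok)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The remaining items (MFA, GeoIP, local-in policy, firewall rules, per-portal login limits) live in other configuration blocks and are not covered by this check.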