Password non-reuse requirement
PCI DSS requires that passwords are not re-used to satisfy the change requirement:
“Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.” (8.2.5)
FortiGate users don’t set their own passwords. The super_admin administrators can and so can admins with appropriate access. There is, however, no FortiGate-based mechanism to enforce non re-use of passwords.