If you have to have remote access and can’t use IPsec or SSL VPN then you should only allow HTTPS and SSH and use secure access methods such as trusted hosts and Two-factor authentication.
Configuring Trusted Hosts
Setting trusted hosts for administrators limits what computers an administrator can log in the FortiGate unit from. When you identify a trusted host, the FortiGate unit will only accept the administrator’s login from the configured IP address or subnet. Any attempt to log in with the same credentials from any other IP address or any other subnet will be dropped. To ensure the administrator has access from different locations, you can enter up to ten IP addresses or subnets. Ideally, this should be kept to a minimum. For higher security, use an IP address with a net mask of 255.255.255.255, and enter an IP address (non-zero) in each of the three default trusted host fields.
Trusted hosts are configured when adding a new administrator by going to System > Admin > Administrators in the web-based manager and selecting Restrict this Admin Login from Trusted Hosts Only, or config system admin in the CLI.
The trusted hosts apply to the web-based manager, ping, snmp and the CLI when accessed through SSH. CLI access through the console port is not affected.
Also ensure all entries contain actual IP addresses, not the default 0.0.0.0.
Configuring Two-factor Authentication
FortiOS 5.0 provides support for FortiToken and FortiToken Mobile. FortiToken Mobile is a Fortinet application that enables you to generate One Time Passwords (OTPs) on a mobile device for FortiGate two-factor authentication. The user’s mobile device and the FortiGate unit must be connected to the Internet to activate FortiToken mobile. Once activated, users can generate OTPs on their mobile device without having network access. FortiToken Mobile is available for iOS and Android devices from their respective Application stores. No cellular network is required for activation.
Two free trial tokens are included with every registered FortiGate unit. Additional tokens can be purchased from your reseller or from Fortinet.
To assign a token to an administrator go to System > Admin > Administrators and either add a new or select an existing administrator to assign the token to. Configure the administrator as required, you need to enter your email address and phone number in order to receive the activation code for the FortiToken mobile. Select Enable Two-factor Authentication. Select the token to associate with the administrator. Select OK to assign the token to the administrator.
To configure your FortiGate unit to send email or SMS messages go to System > Config > Advanced > Email Service or System > Config > Advanced > SMS Service.