FortiGate best practices baseline — Plasmatic Sun
config system global
set admin-telnet disable
end
Add extended-log for traffic logs. This enables traffic logs for errors such as a missing reverse path (RPF), which greatly helps troubleshooting without having to resort to debug commands.
In FortiOS < 7.4 it was this:
config log setting
set log-invalid-packet enable
end
And in 7.4 and newer it was renamed to this:
config log setting
set extended-log enable
end
V7 – Set Memory HA Failover – New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library
Add Interface Bandwidth of Wan port to Dashboard
Enable device detection on LAN interfaces
Proxy based always
Link Monitors for HA Links
Remove Hardware Switch
DoS Policies
Enable Full Logging on every Policy
System -> Settings -> Enable SNMP for Monitoring
If there is an IPSec tunnel, there should be a higher distance blackhole route for all remote prefixes. Check with TSO prior to implementing.
https://community.fortinet.com/t5/FortiGate/Technical-Note-Use-of-Black-hole-route-in-site-to-site-IPsec-VPN/ta-p/192526
Activate License and FortiCloud
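
An added example, not from the original page: a small Python check that reads a FortiGate configuration backup and reports where it deviates from the CLI items above (telnet admin access, extended logging, logging on every policy). It assumes a backup without VDOMs, that "full logging" on a policy means `set logtraffic all`, and that a setting absent from the file counts as a finding; `parse_fortios`, `audit` and the sample config are constructed for illustration.

```python
# Constructed sample backup, not taken from a real device.
SAMPLE = """\
config system global
    set admin-telnet disable
end
config log setting
    set log-invalid-packet enable
end
config firewall policy
    edit 1
        set logtraffic all
    next
    edit 2
        set logtraffic utm
    next
end
"""

def parse_fortios(text):
    """Map each config/edit path (a tuple) to its {setting: value} dict."""
    settings, path = {}, []
    for raw in text.splitlines():
        verb, *rest = raw.split() or [""]
        if verb in ("config", "edit"):  # open a section or a table entry
            path.append(" ".join(rest).strip('"'))
            settings.setdefault(tuple(path), {})
        elif verb in ("next", "end") and path:  # close the innermost one
            path.pop()
        elif verb == "set" and len(rest) >= 2:
            settings.setdefault(tuple(path), {})[rest[0]] = " ".join(rest[1:]).strip('"')
    return settings

def audit(text):
    """Return baseline findings; an empty list means all three checks pass."""
    cfg, findings = parse_fortios(text), []
    # Assumption: a setting absent from the backup counts as a finding.
    if cfg.get(("system global",), {}).get("admin-telnet") != "disable":
        findings.append("system global: admin-telnet is not disabled")
    log = cfg.get(("log setting",), {})
    if "enable" not in (log.get("log-invalid-packet"), log.get("extended-log")):
        findings.append("log setting: neither log-invalid-packet (< 7.4) nor extended-log (7.4+) is enabled")
    for path, vals in cfg.items():
        # Assumption: "full logging" on a policy means `set logtraffic all`.
        if len(path) == 2 and path[0] == "firewall policy" and vals.get("logtraffic") != "all":
            findings.append(f"firewall policy {path[1]}: logtraffic is not all")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "baseline checks passed")
```

Run against the sample, it reports only policy 2, whose `logtraffic` is `utm`.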




Webfilter
Peer-to-peer File Sharing in Bandwidth Consuming Block
Adult Mature – Monitor Abortion \ Gambling and Alcohol


Feature List



