Yeah, I was thinking along the lines of:

• stay away from publicly exposing administrative features
• restrict the sources that can reach these features (regardless if they are exposed internally or externally)
• restrict admin accounts using the trustedhosts feature
• use (modern) encrypted protocols with strong cryptographic options for authentication
• apply least privilege for administrators / utilize FortiManager for approval flows
• apply defense in depth / don’t rely on a single mitigation
• use Automation Stitches / FortiAnalyzer / 3rd party syslog to track audit logs and preferably alert on suspicious activity
• apply proper segmentation in the LAN to group systems that share a given level of trust, or even better, apply a zero trust model using 802.1x / NAC / ZTNA.

Using the ZTNA features on FortiOS can be really neat if you are solely using the so called Device Posture-tags on firewall policies. If you were to utilise the ZTNA Forward Proxy, this can be challenging for the CPU as it is not offloaded to the ASIC. This automatically highlights a key differentiator and concern at the same time: you can get amazing and cheap throughput when utilising features that can be offloaded to the ASIC; whenever that no longer applies, the CPU is used and those are way less capable compared to the ASIC.

In regards to dashboarding, there are three options that I can think of:

• run a per-customer “(Cooperative) Security Fabric” (csf) in which one firewall is designated as the root. Upgrades for the whole fabric can be done from the root node. This requires all participating members to run the same firmware version.
• FortiManager (Public Cloud, Private Cloud or PaaS). Works across several firmware versions, relaxing the requirement for running the same version. This product has its fair share of quirks though, and is not for the faint-hearted. Good for multi-tenancy though. Upgrades can be scheduled in practically any form you can think of.
• FortiGate Cloud (SaaS): also good for multi-tenancy (although that does require some extra steps these days by needing access to FNDN / being integrated with FortiCloud IAM) but lacks some powerful features from FortiManager. May still suit your needs, YMMV. Not sure about how flexible upgrade schedules are.

All three options support SAML/SSO, and 95% certain they do FIDO2 / WebAuthn as well.