FortiGate
saleha
Staff
Article Id 288939


Description

This article describes a scenario in which administrators enable the HTTPS, HTTP, and SSH administrative tools on the WAN interface so they can reach the firewall, but the connection attempts are denied by the implicit deny policy (policy ID 0).

This should not happen, since the traffic has the WAN interface IP address as its destination, while firewall policies only apply to traffic passing through the firewall.

Scope

FortiGate.

Solution

This issue may occur because the FortiGate does not recognize that the traffic's destination is the WAN interface itself. The following troubleshooting steps are recommended:


  • Make sure the proper administrative tools are enabled on the WAN interface, either in the GUI under 'Network -> Interfaces' or via the CLI:

config system interface
    edit "port1"
        set vdom "root"
        set ip 10.9.11.39 255.255.240.0
        set allowaccess ping https ssh http telnet
        set type physical
        set snmp-index 1
    next
end


  • Another check is to verify that FortiOS is being accessed on the correct administrative port:

config system global
show full | grep sport
    set admin-sport 443


  • The next step is to run a sniffer to verify whether this traffic reaches the firewall WAN interface:

diagnose sniffer packet any "host <x.x.x.x>" 4 0 l <-- where x.x.x.x is the public IP of the admin device trying to access the FortiGate.


  • After that, run the debug flow commands, which will show the packets being dropped by policy 0:

diagnose debug flow filter addr x.x.x.x
diagnose debug flow filter port 443 <-- Assuming the admin port is the default, 443.
diagnose debug flow trace start 5
diagnose debug console timestamp enable <-- Records events with timestamps.
diagnose debug enable


A possible cause of this issue is a Virtual IP (VIP) configured with the WAN interface address as its external IP and without port forwarding. The FortiGate then cannot differentiate between traffic for the WAN interface and traffic destined for the VIP, so the administrative traffic is treated as traffic passing through the firewall rather than traffic addressed to it.

A possible solution in this case is to enable port forwarding/mapping on the VIP address object, so that the VIP only claims the forwarded port:

config firewall vip
    edit <vip name>
        set portforward enable
        set extport <external port>
        set mappedport <internal port>
    next
end


Another possible cause of admin access being denied is a configured trusted host or local-in policy. To check those settings, refer to the following documents:
Technical Tip: Restrict access using trusted host
Local-in policy
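As an added example (not part of this article or of Fortinet's tooling), the Python script below groups captured 'diagnose debug flow' output by trace_id and tells the VIP case apart from the trusted-host/local-in case described above. The sample lines and the exact message strings it matches on are assumptions modelled on common FortiOS wording; confirm them against the output of your own unit before relying on the verdicts.

```python
import re

# Constructed sample of 'diagnose debug flow' output (not taken from the article), cut down
# to the fields this triage needs. The message texts are assumptions: verify on your unit.
SAMPLE = """\
id=20085 trace_id=1 msg="vd-root:0 received a packet(proto=6, 203.0.113.10:51234->10.9.11.39:443) from port1. flag [S]"
id=20085 trace_id=1 msg="allocate a new session-00001a2b"
id=20085 trace_id=1 msg="DNAT 10.9.11.39:443->192.168.10.20:443"
id=20085 trace_id=1 msg="find a route: flag=04000000 gw-192.168.10.20 via port2"
id=20085 trace_id=1 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=2 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:40001->10.9.11.39:22) from port1. flag [S]"
id=20085 trace_id=2 msg="allocate a new session-00001a2c"
id=20085 trace_id=2 msg="iprope_in_check() check failed on policy 0, drop"
"""

PKT_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)\.')
MSG_RE = re.compile(r'trace_id=(\d+) .*msg="([^"]*)"')

def triage(debug_output, wan_ip):
    """Group lines by trace_id and explain why a packet addressed to wan_ip was dropped."""
    traces = {}
    for line in debug_output.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        traces.setdefault(m.group(1), []).append(m.group(2))
    results = {}
    for tid, msgs in traces.items():
        pkt = PKT_RE.search(msgs[0])
        if not pkt or pkt.group(4) != wan_ip:
            continue  # not admin traffic to the WAN address; out of scope here
        dnat = any(m.startswith("DNAT ") for m in msgs)
        fwd_deny = any("Denied by forward policy check (policy 0)" in m for m in msgs)
        local_deny = any("iprope_in_check() check failed" in m for m in msgs)
        if dnat and fwd_deny:
            verdict = "vip-hijack"      # a VIP on the WAN IP swallowed the admin session
        elif local_deny:
            verdict = "local-in-deny"   # trusted host / local-in policy rejected it
        elif fwd_deny:
            verdict = "forward-deny"    # dropped by policy 0 without a DNAT in the trace
        else:
            verdict = "not-dropped"
        results[tid] = (pkt.group(2), int(pkt.group(5)), verdict)
    return results

if __name__ == "__main__":
    for tid, (src, dport, verdict) in triage(SAMPLE, "10.9.11.39").items():
        print(f"trace {tid}: {src} -> :{dport} {verdict}")
```

Paste the real debug flow capture in place of SAMPLE and set wan_ip to the WAN interface address; a "vip-hijack" verdict points at the port-forwarding fix above, a "local-in-deny" verdict at the trusted host or local-in policy documents.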