Solution
In a DoS (Denial of Service) / DDoS (Distributed Denial of Service) attack, the attacker overwhelms network resources, thereby preventing legitimate users from accessing servers, databases, applications, services, etc.
Symptoms of a DoS / DDoS attack on FortiGate include, but are not limited to: high CPU, memory or bandwidth utilization; a higher session count than usual; inability to access FortiGate via GUI, SSH or console; SSH/GUI sessions hanging; incomplete output after running a command because FortiGate is too busy to handle legitimate traffic; and general performance issues.
In such scenarios, an HA failover will not help either, as sessions are synchronized among the devices within an HA cluster.
To identify the source of the DoS / DDoS attack, the following steps could be helpful:
- Collect the session table output (diagnose sys session list) and identify the traffic pattern. It could be that there are too many DNS sessions or open TCP sessions from a particular source IP. If the IP address is identified, create a DoS policy on FortiGate and define the thresholds to limit the traffic.
As a good practice, it is always recommended to have DoS policies in place with thresholds defined to avoid such attack scenarios: Technical Tip: How to configure IPv4 DOS policy
- Clearing the existing sessions or shutting down the interface on which the high bandwidth utilization is seen will help in regaining access to FortiGate, but will not help in identifying the source of the DoS / DDoS attack: Troubleshooting Tip: FortiGate session table information
- Enable anomaly logging under DoS policies to monitor and observe traffic patterns. Keeping a regular check on normal traffic patterns will help in identifying unusual patterns in a network environment: Technical Tip: Alert logging for DOS Anomalies
- Monitor and adjust the thresholds under DoS policies based on the network traffic pattern: DoS policy
- Quarantine malicious IPs to halt DoS / DDoS attacks: Technical Tip: How to configure DoS protection’s quarantine/elapse/reset time
- For NP6 FortiGates, it is recommended to configure the Host Protection Engine (HPE), which acts as the first filter against DDoS attacks before traffic reaches the DoS policy. This helps to reduce CPU usage, as NP6 does not offload DDoS protection (only NP7 offloads DoS protection).
- For NP7 FortiGates, the HPE (Host Protection Engine) is also available. Both this feature and the DoS policy can be hardware-accelerated, so this is generally the best way to block a DoS attack.
To enable acceleration for the DoS policy, follow the steps in DoS policy hardware acceleration | FortiGate / FortiOS 7.6.2 | Fortinet Document Library. To enable the HPE (Host Protection Engine), follow the steps in NP7 Host Protection Engine (HPE) | FortiGate / FortiOS 7.6.3 | Fortinet Document Library.
- If the GUI and CLI are not accessible or very slow due to the DoS attack, it may be possible to regain access by dedicating a CPU core to management. The processes that handle the web GUI and SSH will run on this dedicated core, so they should not be affected when the CPU is overloaded with traffic. See this article for the steps to enable this:
Dedicated management CPU | FortiGate / FortiOS 7.2.1 | Fortinet Document Library.
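The first step above, reading the session table for patterns, is easier to do reproducibly with a small script than by eye. The following Python is an added example, not code from this article or from Fortinet: it parses a constructed, trimmed excerpt shaped like diagnose sys session list output and counts sessions per source IP, per (source, protocol, destination port) combination and half-open TCP sessions per source, flagging any source above an assumed threshold of 5 sessions. The sample addresses, the threshold and the field names relied on (proto, proto_state and the dir=org tuple line) are assumptions about the output layout, not values taken from the article.

```python
"""Aggregate a FortiGate `diagnose sys session list` dump to spot DoS-style traffic patterns.

Added example, not code from the Fortinet article. It relies on the field layout of
FortiOS session dumps (`proto=`, `proto_state=` and the `dir=org` 5-tuple line); the
dump below is a constructed, trimmed excerpt, not real device output.
"""
import re
from collections import Counter

# Constructed sample: 192.168.1.50 opens many unanswered DNS sessions and half-open TCP
# connections, beside two hosts (192.168.1.10, 192.168.1.20) with ordinary traffic.
SAMPLE_SESSION_LIST = """\
session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.1.50:40001->198.51.100.10:53(0.0.0.0:0)
hook=post dir=reply act=noop 198.51.100.10:53->192.168.1.50:40001(0.0.0.0:0)
session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.1.50:40002->198.51.100.11:53(0.0.0.0:0)
hook=post dir=reply act=noop 198.51.100.11:53->192.168.1.50:40002(0.0.0.0:0)
session info: proto=17 proto_state=00 duration=1 expire=179 timeout=180 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.1.50:40003->198.51.100.12:53(0.0.0.0:0)
hook=post dir=reply act=noop 198.51.100.12:53->192.168.1.50:40003(0.0.0.0:0)
session info: proto=17 proto_state=00 duration=1 expire=179 timeout=180 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.1.50:40004->198.51.100.13:53(0.0.0.0:0)
hook=post dir=reply act=noop 198.51.100.13:53->192.168.1.50:40004(0.0.0.0:0)
session info: proto=6 proto_state=02 duration=3 expire=7 timeout=10 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.1.50:50001->10.0.0.5:443(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.0.5:443->192.168.1.50:50001(0.0.0.0:0)
session info: proto=6 proto_state=02 duration=3 expire=7 timeout=10 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.1.50:50002->10.0.0.5:443(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.0.5:443->192.168.1.50:50002(0.0.0.0:0)
session info: proto=17 proto_state=01 duration=4 expire=176 timeout=180 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.1.10:53001->203.0.113.53:53(0.0.0.0:0)
hook=post dir=reply act=noop 203.0.113.53:53->192.168.1.10:53001(0.0.0.0:0)
session info: proto=6 proto_state=01 duration=120 expire=3480 timeout=3600 flags=00000000 use=3
hook=pre dir=org act=noop 192.168.1.20:51234->10.0.0.5:443(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.0.5:443->192.168.1.20:51234(0.0.0.0:0)
total session 8
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_ESTABLISHED = "01"  # FortiOS TCP proto_state is two digits (client/server side); 01 = ESTABLISHED

SESSION_HEADER = re.compile(r"^session info:", re.MULTILINE)
PROTO_RE = re.compile(r"\bproto=(\d+)")          # does not match "proto_state="
STATE_RE = re.compile(r"\bproto_state=(\d+)")
# Original-direction 5-tuple: "dir=org act=<x> SRC:SPORT->DST:DPORT(...)"
ORG_TUPLE_RE = re.compile(
    r"dir=org act=\w+ (\d{1,3}(?:\.\d{1,3}){3}):(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)


def parse_sessions(text):
    """Return one dict per session record: proto name, proto_state, src, dst, dport."""
    sessions = []
    for chunk in SESSION_HEADER.split(text):
        proto = PROTO_RE.search(chunk)
        tup = ORG_TUPLE_RE.search(chunk)
        if not proto or not tup:
            continue  # preamble, "total session N" trailer, or a record without an org tuple
        state = STATE_RE.search(chunk)
        sessions.append({
            "proto": PROTO_NAMES.get(int(proto.group(1)), proto.group(1)),
            "proto_state": state.group(1) if state else "",
            "src": tup.group(1),
            "dst": tup.group(3),
            "dport": int(tup.group(4)),
        })
    return sessions


def summarize(sessions, per_source_threshold=5):
    """Count sessions per source, per (source, proto, dport) and half-open TCP per source.

    The threshold is an assumed example value; tune it to your own network's baseline,
    which is why the article recommends watching normal traffic patterns over time.
    """
    by_source = Counter(s["src"] for s in sessions)
    by_service = Counter((s["src"], s["proto"], s["dport"]) for s in sessions)
    half_open_tcp = Counter(
        s["src"] for s in sessions if s["proto"] == "tcp" and s["proto_state"] != TCP_ESTABLISHED
    )
    flagged = sorted(ip for ip, n in by_source.items() if n >= per_source_threshold)
    return {"by_source": by_source, "by_service": by_service,
            "half_open_tcp": half_open_tcp, "flagged": flagged}


def report(text, per_source_threshold=5):
    """Print a compact top-talker view of a dump and return the underlying summary."""
    summary = summarize(parse_sessions(text), per_source_threshold)
    print("sessions per source IP:")
    for ip, n in summary["by_source"].most_common():
        tag = "  <-- above threshold" if ip in summary["flagged"] else ""
        print(f"  {ip:<16} {n:>5}{tag}")
    print("top (source, proto/dport) combinations:")
    for (ip, proto, dport), n in summary["by_service"].most_common(3):
        print(f"  {ip:<16} {proto}/{dport:<5} {n:>5}  half-open tcp: {summary['half_open_tcp'][ip]}")
    return summary


if __name__ == "__main__":
    report(SAMPLE_SESSION_LIST)
```

On a live unit, save the output of diagnose sys session list to a file and feed it to report(); the flagged sources are the candidates for a DoS policy threshold or quarantine, as the steps above describe.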
Taking these measures will enhance FortiGate's resilience against DoS / DDoS attacks.
Related article: Technical Tip: How to configure IPv4 DOS policy