• Obtain physical access to the FortiGate and connect to it via console cable. Follow this article: Technical Tip: How to connect to the FortiGate and FortiAP console port to correctly connect to the console.
• Once connected, execute the command 'diagnose sys top'.

• Look at the output to see that the CPU is being maxed out by several httpsd.
• Use the command 'diagnose alertconsole list' to confirm the reason behind the httpsd spawn process.

• Observe that there are several login attempts from various public IPs in the output.
• To address the issue and restore access to the FortiGate, ensure that the HTTP and HTTPS services are disabled for administrator access on any external or internet-facing interfaces (such as wan1 or wan2). See System Administrator best practices.
• While on console, execute the following command to disable HTTP and HTTPS to the internet-facing interfaces:

config system interface

    edit <interface_name>      <----- Internet-facing interface.

        unselect allowaccess https http

    next 

end

• Lastly, use the command below to restart the process.

fnsysctl killall httpsd

• If the CPU usage remained high despite restarting 'httpsd' process, refer to the below article on how to disable previous administrator login records, which was found to be causing this issue as well. Troubleshooting Tip: FortiGate High CPU Usage and Web GUI Accessibility Issues due to httpsd process.

Related article: 

Technical Tip: Regularly audit and restrict open ports on FortiGate public interfaces