Thanks Yurisk for the update. We are also trying to confirm whether it is recommended for FortiGate/FortiAnalyzer VMs to only have public key authentication and completely disable password authentication. Is this something you can help with? How can we recover the VM SSH access in case we have any issue with key authentication in the future?
Recover - as long as you have access to the web GUI of the FortiGate, you can undo this command in the Console web applet.
Recommended - not that I can recall any Fortinet docs recommending to disable password access on SSH. Personally, I don't think it is a first line of defense - it prevents brute forcing the password. But if you have an admin interface opened to brute force attempts, the situation is already bad. I'd say limiting access by trusthost/Local-in policy, enabling MFA like FortiToken for admin account(s), setting auto-alerts on admin interface successful/failed attempts, and moving the admin interface to a network separate from regular data traffic will do much more to secure the admin access than switching from password-based to key-based authentication. Of course YMMV, so your context matters as opposed to general recommendations.