You have a few options...
If you want to restrict access to internal resources to prevent certain IPs from even trying to log in, you could employ a local-in policy:
config firewall local-in-policy
    edit 0
        # wan1 as one example
        set intf wan1
        set srcaddr blocked_range
        # or "all"
        set dstaddr protected_servers
        set service ALL
        set schedule always
        set action deny
    next
end
This would require you to create address objects beforehand to represent at least the blocked IPs (or subnets, or countries, which may help), if not also the protected servers.
You could also apply source address restrictions to an inbound policy, but with the caveat that these packets will still be processed by the CPU up until the point where they match the deny policy. With DoS attacks, this deny often comes too late.
Regards,
Chris McMullan
Fortinet Ottawa
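
The address objects the reply says must exist beforehand, followed by the local-in policy that references them, as an added example that is not part of the original post. Every object name other than blocked_range, the RFC 5737 documentation addresses and the "XX" country code are constructed placeholders; lines starting with # are annotations for the reader.

```fortios
# Constructed sample values: RFC 5737 documentation ranges and a placeholder country code.
config firewall address
    edit "blk_subnet_example"
        set type ipmask
        set subnet 203.0.113.0 255.255.255.0
    next
    edit "blk_range_example"
        set type iprange
        set start-ip 198.51.100.10
        set end-ip 198.51.100.20
    next
    edit "blk_country_example"
        set type geography
        # Placeholder: replace with a real two-letter country code.
        set country "XX"
    next
end
# Group the objects under the name the local-in policy refers to.
config firewall addrgrp
    edit "blocked_range"
        set member "blk_subnet_example" "blk_range_example" "blk_country_example"
    next
end
# Deny traffic from the group on the WAN interface before any login attempt is possible.
config firewall local-in-policy
    edit 0
        set intf "wan1"
        set srcaddr "blocked_range"
        set dstaddr "all"
        set service "ALL"
        set schedule "always"
        set action deny
    next
end
```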