Good VPN, both IPSEC and SSL (web-mode, tunnel-mode). An engineer/network administrator has tools to debug VPN issues that can occur during tunnel setup with other vendors' equipment.
SD-WAN feature at no cost. This is really great feature for remote locations (branch offices) and HQ, application steering between many ISP links becomes a simple task. Steering can be done dynamically by measuring link quality (latency, jitter, packet loss, available bandwidth).
Wi-Fi and Switch controller at no cost. FortiSwitch and FortiAP can become a kind of port extender of the firewall, all its ports can be referenced in firewall policies. When you have such management plane consolidation it gives you a simpler way to operate.
Security Fabric Framework is helping in analyzing sudden and rapid changes in whole infrastructure, and gives the ability to simplify daily operations (e.g. address objects synchronization between all firewalls in Fabric, estimating overall security rating, single-sign-on for admin access and many more)
Single Sign On support with deep LDAP integration (several variants for environments with different scales), RADIUS authentication.
Can work as transparent and explicit web-proxy, the last option supports Kerberos authentication which requires no agents installed on any windows server.
Human readable firewall policies with editable security policies and
addresses in single page. This is very useful and time saving feature.
Firmware upgrade process is very simple, even for cluster configurations it is fully automated by default.
Straightforward SNAT and DNAT; you may work in two ways: with Central NAT rules configuration and by applying translation directly inside firewall policies.
Bulk CLI commands are uploaded via gui in script file (portions of config file).
VDOMs are very useful when you need to grant admin role to clients separately. VDOMs in FortiGate can be represented in FortiAnalyzer's ADOMs (administrative domain), which can have different log storage policies, event handling and alerting configurations. You can create one VDOM working in NAT/Route mode, and another VDOM working in Transparent mode.
If you don't want to create and use second VDOM you can still transparently inspect traffic at layer 2 level while having only one VDOM in NAT/Route mode. This is achived by configuring Virtual Wire Pair ports that work like a separate bridge.
Ability to capture packets going through any interface of device (and VM too). You can set number of packets, filter out packets by IP and port number for particular troubleshooting purposes, then download a .pcap file from web gui and analyze it in your favorite programm.
Advanced routing (RIP, OSPF, BGP, PBR). It gives you a seamless and simple integration into a large network.
IPS, AV, Web Filter, AppControl profiles are working very well.
SSL Inspection and CASI (Cloud Access Security Inspection) profiles.
Rich logging options allow you troubleshoot most problems.
Straightforward HA with different redundancy schemas.