Re: Viewing incoming IP addresses
I too agree in NEVER opening up RDP to the outside world. If you cannot help it, then I would suggest locking it down by 'source' IP. Also ensure you have an IPS profile assigned to the policy. In the IPS Profile, you can set the action for certain signature(s) to "quarantine" which will quarantine the offending IP address for a period of time that you select.
As for seeing the IP addresses that are hitting the Firewall or a VIP, I would suggest to take a look at either FortiAnalyzer, FortiCloud (there are two flavors, free which stores logs for 7 days, and a paid that will store for 1 year), or Syslog (e.g. Kiwi Syslog, Sylog-NG, etc).
In addition to this, ensure that the Windows RDP server and the Fortigate are using the same time source (e.g. NTP) which the Fortigate CAN give to the rest of the internal network(s) under the 'Settings' tabs. This will ensure that when you look at the logs in Windows (e.g. login failure) that you can cross reference it on the FortiAnalyzer/FortiCloud/Syslog. You also need to make sure your logging is set to 'All Sessions" not just "Security Events". The former gives you ALL connections while the latter will ONLY log traffic that has been blocked. Assuming you are allowing RDP traffic as you stated, unless you have 'All Sessions' you would NEVER see the IP addresses.
Hope this helps.