This article describes that the WAF profile is not working with the virtual server and allows traffic passing without checking if the traffic hit the WAF signature.
Scope
FortiGate.
Solution
The virtual server type must be HTTP or HTTPS. The WAF profile will not work with virtual server type IP, TCP, and SSL.
If the virtual server type is not HTTP or HTTPS, the WAD debug will show nothing related to the traffic when traffic hits the FortiGate.
config firewall VIP edit <virtual server name> set type server-load-balance set extip <external IP> set extintf <interface> set server-type <----- Must be HTTP or HTTPS. set export <port> config realservers edit 1 set IP <real server IP> set port <port> next end next end