The FortiGate Web Application Firewall (WAF) is the security feature specifically designed to protect web servers from application-layer attacks. It inspects HTTP and HTTPS traffic for threats targeting web applications, such as SQL injections, cross-site scripting (XSS), and other OWASP Top 10 vulnerabilities. By applying signatures and constraints to web traffic destined for internal servers, the WAF can identify and block malicious requests before they reach the application.

A. Denial of Service: This feature protects against traffic floods and resource exhaustion attacks, not application-layer code injection attacks like SQL injection.

C. Antivirus: This scans files for known malware signatures. It is not designed to analyze and block malicious code embedded within web application requests.

D. Application control: This feature identifies and manages the use of specific applications on the network but does not inspect the content of allowed traffic for attacks.

1. Fortinet FortiOS 7.0.0 Administration Guide

Security Profiles > Web Application Firewall

Page 1218: "The FortiGate web application firewall (WAF) feature examines HTTP and HTTPS traffic for web-based attacks

such as SQL injection and cross-site scripting."

2. Fortinet Cookbook

WAF profile for common web vulnerabilities (5.6)

Document Version 1.0: "A WAF profile can be used to protect your web servers from sophisticated attacks

such as... SQL injection

Cross-site scripting

[and] Generic attacks."

3. Fortinet Product Matrix

FortiGate-FortiWiFi 70F Series Datasheet

Page 2: The datasheet lists "Web Application Firewall" as a core security service provided by the FortiGate platform to protect against web application attacks.