shafiq23
Staff & Editor
Article Id 389692
Description This article describes how to use severity-based action in the Virtual Server WAF profile.
Scope FortiADC.
Solution

The predefined 'Medium-Level-Security' profile has no category enabled, so it denies signature matches based on the configured severity.

config security waf web-attack-signature
    edit "Medium-Level-Security"
        set status enable
        set request-body-detection enable
        set response-body-detection disable
        set body-length-limit 1024
        set body-type-limit default
        set high-severity-action deny   <---
        set medium-severity-action alert
        set low-severity-action alert
        unset exception
        config signature
        end
        config category
        end
        config sub-category
        end
    next
end

A custom WAF profile enables all of the categories listed below by default, so the security scan acts on a match based on its category instead of its severity.

category-id Category ID:

  • 1 Cross Site Scripting.
  • 2 SQL Injection.
  • 3 Generic Attacks.
  • 4 Trojans.
  • 5 Information Disclosure.
  • 6 Known Exploits.
  • 7 Credit Card Detection.
  • 8 Bad Robot.
  • 9 Cross Site Scripting(Extended).
  • 10 SQL Injection(Extended).
  • 11 Generic Attacks(Extended).

 

Steps to configure:

config security waf web-attack-signature
    edit "<custom-wafprofile-name>"
        set high-severity-action deny
        set medium-severity-action alert
        set low-severity-action alert
        config category
            delete 1
        end
end

'delete 1' deletes the Cross Site Scripting category. Repeat the 'delete <id>' command for each category that should use the severity-based action.

With the configuration above, the FortiADC Virtual Server WAF profile denies only high-severity signatures and takes the alert action for medium- and low-severity signatures.
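
To check which categories of an existing profile actually follow the severity actions, the following Python script (an added example, not from the original article or from Fortinet) parses saved 'show' output of 'config security waf web-attack-signature'. It assumes that each category still enabled in a profile appears as an 'edit <id>' entry under 'config category'; the 'custom-waf' profile and the audit() function name are hypothetical.

```python
import shlex

CATEGORY_IDS = range(1, 12)  # category IDs 1-11 as listed in the article

# Constructed sample. "custom-waf" is a hypothetical profile after "delete 1".
# Assumption: each enabled category shows up as an "edit <id>" entry.
SAMPLE = '''config security waf web-attack-signature
    edit "Medium-Level-Security"
        set high-severity-action deny   <---
        set medium-severity-action alert
        set low-severity-action alert
        config category
        end
    next
    edit "custom-waf"
        set high-severity-action deny
        config category
''' + "".join(f"            edit {i}\n            next\n" for i in range(2, 12)) + '''        end
    next
end
'''

def audit(config_text):
    """Map each WAF signature profile to its severity actions and category split."""
    profiles, current, table, in_section = {}, None, None, False
    for raw in config_text.splitlines():
        words = shlex.split(raw.split("<--")[0])  # drop "<---" annotations
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config" and current is None:   # top-level section header
            in_section = args == ["security", "waf", "web-attack-signature"]
        elif not in_section:
            continue
        elif cmd == "config":
            table = args[0]                       # nested table inside a profile
        elif cmd == "end":
            if table is None:                     # closes the edit and the section
                current, in_section = None, False
            table = None
        elif table == "category" and cmd == "edit":
            current["by_category"].append(int(args[0]))
        elif table is None and cmd == "edit":
            current = profiles.setdefault(args[0], {"actions": {}, "by_category": []})
        elif table is None and cmd == "set" and args[0].endswith("-severity-action"):
            current["actions"][args[0].split("-")[0]] = args[1]
    for p in profiles.values():
        p["by_severity"] = [c for c in CATEGORY_IDS if c not in p["by_category"]]
    return profiles
```

For each profile, the IDs under 'by_severity' are the categories that the three severity actions apply to; the IDs under 'by_category' are still handled per category.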

 

Related document:

Configuring WAF profile