To create a URL filter via CLI for Facebook.

Forti # config webfilter urlfilter
Forti (urlfilter) edit 1
Forti (1) set name "webfilter"
Forti (1) # config entries
Forti (entries) edit 1
Forti (1) set url "*facebook.com"
Forti (1) set type wildcard
Forti (1) set action block
Forti (1) next
Forti (entries) end
Forti (1) next

Now, it is possible to call that URL filter a web filter profile.

Forti # config webfilter profile
Forti (profile) edit "webprofile"
Forti (webprofile) # config web
Forti (web) set urlfilter-table <-----urlfilter-table Enter an integer value from <0> to <4294967295>.
1 webfilter <----- URL table which was created earlier.
Forti (web) set urlfilter-table 1
Forti (web) end
Forti (webprofile) config ftgd-wf <----- FortiGuard web filter settings.
Forti (ftgd-wf) end
Forti (webprofile) next
Forti (profile) end

To apply the Web Filter profile to a firewall policy:

config firewall policy

(policy) # edit 1

(1) #set webfilter-profile "webfilter"

(1) # end

To check if the configuration was applied:

config firewall policy

(policy) # edit 1

(1) # show

config firewall policy
    edit 1
        set name "WF"
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set logtraffic all
        set webfilter-profile "webfilter"
        set profile-protocol-options "protocol"
        set ssl-ssh-profile "protocols"
        set nat enable
    next
end

Note: From 7.6.3 version, there is an option to control whether webfilter.urlfilter simple-type entries match subdomains.

config webfilter urlfilter
    edit <id>
        set include-subdomains {enable/disable}
    next
end

Related articles:

Technical Tip: Web filter profiles in NGFW policy mode 

Technical Tip: FortiGate configure web filter content filtering