FortiGate
MigenaM
Staff
Article Id 423681
Description This article explains the scenario where the security profile groups are not available to be selected on firewall policies.
Scope FortiGate, Security Profiles.
Solution

The firewall policy on the FortiGate will look like this:

config firewall policy
    edit 7
        set name "TEST-Flow"
        set uuid 846dd5fc-dbf4-51f0-b64e-5107efcd7ea5
        set srcintf "port4"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-type group
        set profile-group "TEST-Flow"
        set logtraffic all
        set nat enable
    next
end

The configuration of the profile-group will be as follows:

config firewall profile-group
    edit "TEST-Flow"
        set ssl-ssh-profile "no-inspection"
        set av-profile "TEST-Flow"
        set webfilter-profile "TEST-Flow"
        set application-list "TEST-Flow"
        set waf-profile "default"
    next
end

When trying to add the security profile group to a new firewall policy, the following error is seen:

FortiGate (7)# set profile-group TEST-Flow
entry not found in datasource
value parse error before 'TEST-Flow'
Command fail. Return code -3

The security profile group remains visible on existing firewall policies, but it cannot be added to a new firewall policy.

Changing the profile group on an existing policy, or creating a new security profile group, also fails.

However, once the WAF profile is removed from the profile-group, the group becomes available for selection again.

The reason for this behavior is that firewall policies with inspection-mode set to flow (the default) do not support the WAF, ICAP, or SSH-filter features.

If this issue is seen, unset waf-profile, icap-profile, and ssh-filter-profile in the profile-group before adding it to the firewall policy.

In lab testing, this behavior is not seen when the firewall policy is set to proxy inspection-mode.
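As an added example (not part of this article and not Fortinet's own tooling), the following Python script parses CLI configuration text in the format shown above and reports flow-mode policies whose profile-group sets waf-profile, icap-profile or ssh-filter-profile, then builds the unset commands recommended above. The sample configuration inside it is constructed for the demonstration; the policy IDs and names are made up, and a policy with no explicit inspection-mode is assumed to be in flow mode, as the article states is the default.

```python
"""Added example: find flow-mode FortiGate policies whose profile-group
carries a profile that flow inspection rejects, and emit the fix.
Not Fortinet code; the sample config below is constructed."""

# Profiles the article says flow inspection-mode policies do not support.
FLOW_UNSUPPORTED = ("waf-profile", "icap-profile", "ssh-filter-profile")

# Constructed sample in the article's CLI layout (not a real device dump).
SAMPLE_CONFIG = """\
config firewall profile-group
    edit "TEST-Flow"
        set av-profile "TEST-Flow"
        set waf-profile "default"
    next
    edit "CLEAN-Flow"
        set av-profile "default"
    next
end
config firewall policy
    edit 7
        set name "TEST-Flow"
        set profile-type group
        set profile-group "TEST-Flow"
    next
    edit 8
        set name "PROXY-Policy"
        set inspection-mode proxy
        set profile-type group
        set profile-group "TEST-Flow"
    next
    edit 9
        set name "OK-Flow"
        set profile-type group
        set profile-group "CLEAN-Flow"
    next
end
"""


def parse_fortios(text):
    """Parse `config <table> / edit <id> / set k v / next / end` blocks into
    {table: {entry_id: {key: value}}}. Only the flat layout shown above is handled."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            table = line[len("config "):]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[len("edit "):].strip().strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[table][entry][key] = value.strip().strip('"')
        elif line.startswith("unset ") and entry is not None:
            tables[table][entry].pop(line[len("unset "):].strip(), None)
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables


def flow_incompatible(group):
    """Return the flow-unsupported profile keys that are set in a profile-group."""
    return [k for k in FLOW_UNSUPPORTED if group.get(k)]


def check_policies(tables):
    """Return (policy_id, policy_name, group_name, offending_keys) for each
    flow-mode policy whose profile-group flow inspection will reject.
    Assumption: inspection-mode is flow when not explicitly set."""
    groups = tables.get("firewall profile-group", {})
    findings = []
    for pid, pol in tables.get("firewall policy", {}).items():
        if pol.get("profile-type") != "group":
            continue
        if pol.get("inspection-mode", "flow") != "flow":
            continue  # proxy-mode policies are unaffected per the article
        gname = pol.get("profile-group", "")
        bad = flow_incompatible(groups.get(gname, {}))
        if bad:
            findings.append((pid, pol.get("name", ""), gname, bad))
    return findings


def remediation_commands(tables):
    """Build the `unset` CLI block the article recommends, one per group
    that an affected flow-mode policy references."""
    offending = {}
    for _pid, _name, gname, bad in check_policies(tables):
        offending[gname] = bad
    lines = []
    for gname, bad in offending.items():
        lines.append("config firewall profile-group")
        lines.append(f'    edit "{gname}"')
        lines.extend(f"        unset {k}" for k in bad)
        lines.append("    next")
        lines.append("end")
    return lines


if __name__ == "__main__":
    parsed = parse_fortios(SAMPLE_CONFIG)
    for pid, name, gname, bad in check_policies(parsed):
        print(f"policy {pid} ({name}): group {gname!r} sets {', '.join(bad)}")
    print("\n".join(remediation_commands(parsed)))
```

Run against a real `show firewall profile-group` and `show firewall policy` dump by replacing SAMPLE_CONFIG; the parser ignores nested sub-tables, so keep the input to those two top-level tables.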
