By default, Web Application Firewall is not available in Security Profiles. It needs to be enabled in Policy & Objects -> Security Profiles -> Tools -> Feature Visibility. Under Security Profiles, check the Web Application Firewall box.

In FortiManager, when navigating to Policy & Objects -> Security Profiles -> Web Application Firewall -> Default, there are no options to configure a custom signature with a specific URL:

To configure a custom signature in FortiManager, navigate to Policy & Objects -> Advanced -> CLI Configurations. In the search bar, search for WAF and expand. Under profile, select Create New and fill in the name:

Scroll downwards to 'custom-signature' and select Create New. In 'pattern' is where the custom URL can be defined:

After the custom signature is configured, save the configuration by selecting OK, then OK.

In Policy & Objects -> Security Profiles, the configured 'test1' can be seen:

However, the 'test1' WAF profile cannot be able to be pushed yet to the FortiGate. The profile will need to be used by any policies in the policy packages to ensure it can be pushed to the FortiGate.