https://docs.fortinet.com/document/fortigate/7.4.3/administration-guide/771644/dos-policy

So to create a monitor mode profile, would it only be necessary to enable "monitor" or also logging? I'm confused.

I want to create a profile that doesn't take any action, just monitor.

Hi @unknown1020 ,

I believe if you choose Monitor it will not take any action on the traffic, it will only log this traffic for audit purposes. Basically it allows the anomalous traffic, and records a log message if logging is enabled.

Thank you.

One question, I only have one service published on my firewall regarding the "SIP" service. I do not have HTTP HTTPS published services on the firewall. Are these DDos policies only created in the firewall for those publications HTTP HTTPS?

DoS policies examine the network traffic arriving at a FortiGate interface for anomalous patterns, which usually indicates an attack. On the other side "SIP" service  you refer i believe is for traffic going through the firewall. 

I have a SIP (Wan to Lan) service publication.

I have seen KB https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Denial-of-Service-DoS-protection... where incoming interface select the WAN.

For this reason, I ask if these DDOS policies are related to WAN TO LAN publications? directly to the http and https service.

In my case I only have the SIP service (wan to lan) therefore can I also create those ddos monitor policies?

Yes you are protecting the HTTP/HTTPS service on the interface 'wan2' in your case, if that is the only interface expecting traffic. 
That policy will only log traffic if logging is enabled. 

I only have the SIP (WAN TO LAN) service publication, so it is viable to create the Ddos policy, correct? For my SIP publication