I'm positive you are referring to FortiGate firewalls, which are way different than CP... you have web filtering profiles, operation mode, flow/proxy inspection... in CP, you don't deal with that sort of stuff, at least not the same way. You set up all the threat prevention stuff in SmartDashboard, under security policy -> threat prevention. Now for regular policy, it's way better in R80+ than what it used to be in R77 and before.
So, say you tie a specific interface to a zone, you create a layered rule, say source that zone, dst any, and then under action, just create a new layer. That will be your parent rule with a built-in explicit cleanup rule at the bottom. Then you create rules as per your needs. Then, you do the same for the other zones you configured.
Now, you can also set up another ordered layer, say for URL filtering and app control, and do the same, BUT make sure, if you use more than one ordered layer, that traffic is accepted on ALL ordered layers.
Message me privately, I have a perfect lab that's very basic and easy to understand where I can show you all this.
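A simplified Python model of the layer logic described in the post above, added here as an illustration; it is not the poster's lab or Check Point's code. The zone, rule and layer names are constructed, and the model assumes first-match-wins rules with an unmatched packet treated as dropped.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    match: dict                       # field -> required value; absent field = any
    action: str = "drop"              # "accept" or "drop"
    inline: Optional["Layer"] = None  # if set, the action is an inline layer

    def matches(self, pkt):
        return all(pkt.get(k) == v for k, v in self.match.items())

@dataclass
class Layer:
    name: str
    rules: list

    def evaluate(self, pkt):
        # First matching rule wins; a parent rule hands the packet to its inline layer.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.inline:
                    action, trail = rule.inline.evaluate(pkt)
                    return action, [rule.name] + trail
                return rule.action, [rule.name]
        return "drop", ["no match (modelled as drop)"]

def evaluate_policy(ordered_layers, pkt):
    # A packet must be accepted by every ordered layer, in order.
    trail = []
    for layer in ordered_layers:
        action, hits = layer.evaluate(pkt)
        trail.append(layer.name + ": " + " > ".join(hits))
        if action != "accept":
            return "drop", trail
    return "accept", trail

# Constructed sample policy: one parent rule per zone, each opening an inline layer.
lan = Layer("LAN sub-policy", [Rule("lan-web", {"service": "https"}, "accept"),
                               Rule("lan-cleanup", {}, "drop")])
dmz = Layer("DMZ sub-policy", [Rule("dmz-dns", {"service": "dns"}, "accept"),
                               Rule("dmz-cleanup", {}, "drop")])
network = Layer("Network", [Rule("from-LAN", {"src_zone": "LAN"}, inline=lan),
                            Rule("from-DMZ", {"src_zone": "DMZ"}, inline=dmz)])
# Second ordered layer with no final accept: traffic allowed above still drops here.
app_broken = Layer("App/URL", [Rule("block-social", {"app": "social"}, "drop"),
                               Rule("app-cleanup", {}, "drop")])
app_fixed = Layer("App/URL", [Rule("block-social", {"app": "social"}, "drop"),
                              Rule("allow-rest", {}, "accept")])
```

Calling `evaluate_policy([network, app_broken], pkt)` for a LAN HTTPS packet returns a drop whose trail ends in the second layer's cleanup rule, which is the symptom to look for in logs when a new ordered layer lacks an accept.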