While your first line of defense is to scan for known attacks, zero-day attacks are, by definition, unknown.
To defend against zero-day buffer overflow, buffer underflow, shell code, and similar injection attacks that you have not yet identified and created a signature for, input validation can help. You can configure FortiWeb to sanitize inputs at the web application level. (For attacks that operate at the HTTP protocol level, or attacks that are not types of application or document injection attacks, see HTTP/HTTPS protocol constraints and Access control.)