WAF - how to prevent the internet from learning your website's OS?

We have two WAF deployments protected by two different XG firewalls. Both are protecting web servers identically. Both web servers are IIS. When I query shodan.com for both IPs, it shows the following:

www server 1

Apache httpd
HTTP/1.1 403 Forbidden


www server 2
Microsoft IIS httpd8.5
HTTP/1.1 200 OK


I would like the results to always be what is reported for server 1. Is this information discoverable because of the architectures of the
website. Or is there something additional I need to change at the WAF?