FCP – FortiGate Administrator 7.4 — Question 88

A network administrator has configured an SSL/SSH inspection profile defined for full SSL inspection and set with a private CA certificate. The firewall policy that allows the traffic uses this profile for SSL inspection and performs web filtering. When visiting any HTTPS websites, the browser reports certificate warning errors.
What is the reason for the certificate warning errors?

Answer options

• A. The SSL cipher compliance option is not enabled on the SSL inspection profile. This setting is required when the SSL inspection profile is defined with a private CA certificate.
• B. The certificate used by FortiGate for SSL inspection does not contain the required certificate extensions.
• C. The browser does not recognize the certificate in use as signed by a trusted CA.
• D. With full SSL inspection it is not possible to avoid certificate warning errors at the browser level.

Correct answer: C

Explanation

The correct answer is C because when a private CA certificate is used for SSL inspection, the browser does not recognize it as being signed by a trusted Certificate Authority (CA), leading to warning messages. Option A is incorrect because the SSL cipher compliance option does not directly relate to certificate trust issues. Option B is also wrong as the issue is not about certificate extensions but rather trust recognition. Option D is misleading as it implies that all full SSL inspections cause warnings, which is not true if the CA is trusted.