Refer to the exhibit. An administrator is troubleshooting why SSL inspection is not working for web traffic. The policy shown is the only policy matching the traffic. What is the most likely reason SSL inspection is failing?
Deep inspection requires proxy-based inspection mode.
Why this answer
Option A is correct because the policy is missing the 'set inspection-mode proxy' command. FortiGate requires proxy-based inspection mode to perform SSL/TLS interception; flow-based inspection cannot decrypt or re-encrypt HTTPS traffic. Without this command, the policy defaults to flow-based mode, causing SSL inspection to fail even if the ssl-ssh-profile is set to deep-inspection.
Exam trap
The trap here is that candidates assume setting the ssl-ssh-profile to 'deep-inspection' alone is sufficient, overlooking the mandatory 'set inspection-mode proxy' command required for SSL decryption to function.
How to eliminate wrong answers
Option B is wrong because the ssl-ssh-profile set to 'deep-inspection' is actually correct for SSL inspection; the issue is the inspection mode, not the profile.
Option C is wrong because the source interface is 'wan1' and the traffic is coming from 'internal' — this mismatch would cause the policy not to match at all, not just SSL inspection to fail.
Option D is wrong because the policy has 'set action deny' which would block all traffic, not specifically cause SSL inspection to fail; the exhibit shows the policy is matching traffic, so action must be accept.