The correct answers are C and D.
The study guide states: “SSL certificate inspection relies on extracting the FQDN of the URL from either: TLS extension server name indication (SNI), SSL certificate common name (CN).” It also says: “When using SSL certificate inspection, FortiGate is not decrypting the traffic. It is only inspecting the server digital certificates and the SNI field, which are interchanged before the encryption.”
This proves the second part of the answer:
under SSL certificate inspection, FortiGate does not decrypt the traffic
therefore, if the traffic is allowed, it still passes without decryption
That makes D correct.
For the SNI mismatch behavior, the FortiOS administration guide describes the default Server certificate SNI check behavior as:
“Enable: If it is mismatched use the CN in the server certificate for URL”
So if the SNI does not match the CN or any SAN, FortiGate falls back to using the CN from the Subject field for URL handling under the default setting. That makes C correct.
Why the other options are wrong:
A is wrong because with the default SNI-check behavior, when the SNI mismatches the certificate identity, FortiGate does not continue using the mismatched SNI. Instead, it uses the CN in the server certificate for the URL.
B is not the best answer in this single-pair selection. While certificate inspection does not decrypt traffic, the key default behavior the documents explicitly highlight for this mismatch case is:
use the CN when the SNI mismatches, and
certificate inspection does not decrypt allowed HTTPS traffic.
So the verified answers are: C, D.
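The decision the answer above describes (take the FQDN from the SNI when it agrees with the server certificate, otherwise fall back to the certificate CN under the default "Enable" setting) can be modelled in a few lines. The following is an added example written for this page, not FortiGate code and not from the documentation; the certificate is represented only by its CN and SAN list because certificate inspection never decrypts the session and only these identity fields are needed. The wildcard-matching rule (one leading `*.` label, RFC 6125 style) and the "strict" and "disable" branches are assumptions about behaviour the post does not quote; only the "enable" branch is taken from the documentation text above. The sample certificate and SNI values are constructed.

```python
"""Model of a FortiGate-style 'Server certificate SNI check' under SSL certificate inspection.

Added example for this page; not FortiGate or FortiOS code. Only the 'enable' branch
(mismatch -> use the CN from the server certificate) is taken from the quoted documentation.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ServerCert:
    """The only identity fields certificate inspection looks at: Subject CN and SAN DNS names."""
    cn: str
    sans: list[str] = field(default_factory=list)


def _name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with a hostname.

    Exact match (case-insensitive, trailing dot ignored), or a single leading wildcard label:
    '*.example.com' matches 'a.example.com' but not 'b.a.example.com' or 'example.com'.
    Assumption: RFC 6125-style matching; the exact FortiOS rule is not stated on the page.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        pattern_labels = pattern.split(".")[1:]
        host_labels = hostname.split(".")
        return len(host_labels) == len(pattern_labels) + 1 and host_labels[1:] == pattern_labels
    return False


def sni_matches_cert(sni: str, cert: ServerCert) -> bool:
    """True when the SNI agrees with the CN or any SAN in the server certificate."""
    return any(_name_matches(name, sni) for name in [cert.cn, *cert.sans])


def fqdn_for_url_filtering(sni: Optional[str], cert: ServerCert, sni_check: str = "enable") -> Optional[str]:
    """Return the FQDN the firewall would hand to URL filtering, or None if it would close the session.

    sni_check="enable"  (default, from the quoted docs): mismatch -> use the certificate CN.
    sni_check="strict"  (assumption): mismatch -> close the connection (None).
    sni_check="disable" (assumption): no comparison; the SNI is used as sent, CN if no SNI.
    A ClientHello without SNI leaves only the certificate to identify the server.
    """
    if sni_check not in ("enable", "strict", "disable"):
        raise ValueError(f"unknown sni_check mode: {sni_check}")
    if sni_check == "disable":
        return sni or cert.cn
    if sni is None:
        return cert.cn
    if sni_matches_cert(sni, cert):
        return sni
    if sni_check == "strict":
        return None
    return cert.cn


# Constructed sample certificate: CN plus two SANs, one of them a wildcard.
SAMPLE_CERT = ServerCert(cn="www.example.com", sans=["example.com", "*.cdn.example.com"])


if __name__ == "__main__":
    for sni in ["www.example.com", "a.cdn.example.com", "b.a.cdn.example.com", "evil.test", None]:
        for mode in ("enable", "strict", "disable"):
            print(f"sni={sni!r:24} mode={mode:8} -> {fqdn_for_url_filtering(sni, SAMPLE_CERT, mode)!r}")
```

Running the block shows the mismatch case that the question hinges on: an SNI of `evil.test` against this certificate yields `www.example.com` (the CN) under the default mode, `None` (session closed) under strict, and the unverified `evil.test` only when the check is disabled. In every branch the TLS payload itself is never touched, which is the other half of the answer.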