In FortiOS 7.6, the predefined deep-inspection and custom-deep-inspection SSL inspection profiles intentionally exclude certain web categories (such as Finance and Banking and Health and Wellness) and well-known domains (for example, Apple, Google, Adobe). This behavior is documented and intentional.

The two correct reasons are:

B. The legal regulation aims to prioritize user privacy and protect sensitive information for these websites.

Correct

Categories like Finance and Banking and Health and Wellness commonly handle highly sensitive personal data.

Many privacy and compliance regulations (for example, GDPR, PCI-DSS, HIPAA-like requirements) discourage or restrict SSL interception for such traffic.

To reduce legal and compliance risks, FortiOS exempts these categories from deep SSL inspection by default.

This is explicitly stated in FortiOS SSL/SSH Inspection documentation.

C. These websites are in an allowlist of reputable domain names maintained by FortiGuard.

Correct

FortiGuard maintains a reputable/trusted domain list for well-known services and platforms.

These domains are excluded from deep inspection by default to:

Prevent application breakage

Avoid certificate pinning and compatibility issues

Maintain user experience

This is why domains such as Apple, Google, Adobe, and app stores appear under SSL inspection exemptions.

Why the other options are incorrect

A. Resource utilization optimization

Incorrect.

While reduced inspection can save resources, this is not the primary documented reason for exempting these categories.

D. FortiGate temporary certificate denies access to HSTS websites

Incorrect.

Although HSTS and certificate pinning can cause issues with SSL inspection, this option describes a side effect, not the reason for exemption.

The exemption exists to avoid such problems, not because the certificate denies access.