Security Fabric - Audit, ssl.root interface

Not sure which subforum this fits best in, I apologize if it needs to be moved.

Just upgraded an FG100D pair from 5.2.9 through 5.4.4 to 5.6.2.  Now I'm trying to clean up the audit stuff. 

Which security zone does the ssl.root interface belong in?  It doesn't logically seem like it should be considered WAN, maybe DMZ?  If I set it to LAN or DMZ the audit complains that it doesn't have botnet detection enabled.  It seems impossible to enable botnet detection on ssl.root regardless.

Thanks!