For plain-text HTTP traffic, the HTTP request is not encrypted.
Therefore, an 'ssl-inspection profile' is not mandatory, and FortiGate can identify the full request URL http://example.com/index:
For HTTPS, however, the HTTP request is encrypted and it is usually the first application data packet from the client.
If only 'certificate-inspection' is used, the FortiGate cannot see the full request URL and can only identify the domain name in the SNI field of the client hello:
As shown in the picture, 'example.com' can be identified, but not the '/index' part.
Therefore, it would not be possible, for instance, to block 'www.example.com/index' but allow 'www.example.com/xxxx'.
It is only possible to apply rules based on the domain name, not the URI.