FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
kwcheng__FTNT
Article Id 361969
Description: This article describes how to check whether an SSL connection is exempted by address in a FortiGate SSL/SSH inspection profile.
Scope FortiGate.
Solution

SSL exemption can be configured in both certificate inspection and deep inspection profiles for many reasons such as:

  1. The CA is untrusted (Invalid Certificate).
  2. Privacy and Compliance Requirements.
  3. Application Compatibility.

Sometimes SSL exemption is necessary for certain applications passing through FortiGate in order to avoid connection issues, for example Microsoft Teams and Outlook, as described in the following KB article:

Exempting Outlook from SSL inspection.

Refer to the following KB article to exempt the SSL connection (changing the 'Invalid SSL certificates' option from block to allow):

Technical Tip: How to block invalid and revoked certificates

To verify that the exemption is working, look for an event log like the following under Log & Reports -> Security Events -> SSL:

logid=1701062004 service="SSL" action="exempt" srcintfrole="lan" dstintfrole="lan" srcintf="internal3" dstintf="VLAN-22" eventtype="ssl-exempt" profile="Clone of deep-inspection" hostname="*.microsoft.com" msg="SSL connection is exempted based on address."
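As an added example that is not part of this KB article, the following Python parses FortiGate key=value event logs and reports whether a given hostname was exempted from SSL inspection and by which profile. The first sample line is the one shown above; the other two lines are constructed for illustration only.

```python
import re
from typing import Dict, List, Optional

# Added example (not from the Fortinet KB): parse FortiGate key=value event logs
# and check whether a hostname's SSL session was exempted from inspection.

# Matches key="quoted value" (values may contain spaces) or key=bareword.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Turn one FortiGate log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV_RE.finditer(line)}

def ssl_exemptions(lines: List[str]) -> List[Dict[str, str]]:
    """Return the fields of every SSL exemption event, i.e. the
    service="SSL" eventtype="ssl-exempt" action="exempt" entries the KB says to look for."""
    events = []
    for line in lines:
        f = parse_fortigate_log(line)
        if (f.get("service") == "SSL" and f.get("eventtype") == "ssl-exempt"
                and f.get("action") == "exempt"):
            events.append(f)
    return events

def exempt_profile_for(lines: List[str], hostname: str) -> Optional[str]:
    """Name of the SSL/SSH profile that exempted `hostname`, honouring a
    leading '*.' wildcard in the logged hostname, or None if no event matches."""
    for f in ssl_exemptions(lines):
        pattern = f.get("hostname", "")
        wildcard_hit = pattern.startswith("*.") and hostname.endswith(pattern[1:])
        if wildcard_hit or pattern == hostname:
            return f.get("profile")
    return None

# Sample logs: the first is the line from the KB; the second and third are constructed.
SAMPLE_LOGS = [
    'logid=1701062004 service="SSL" action="exempt" srcintfrole="lan" dstintfrole="lan" srcintf="internal3" dstintf="VLAN-22" eventtype="ssl-exempt" profile="Clone of deep-inspection" hostname="*.microsoft.com" msg="SSL connection is exempted based on address."',
    'logid=1701062004 service="SSL" action="exempt" eventtype="ssl-exempt" profile="Clone of deep-inspection" hostname="outlook.office.com" msg="SSL connection is exempted based on address."',
    'service="SSL" action="blocked" eventtype="constructed-non-exempt" profile="Clone of deep-inspection" hostname="expired.example" msg="constructed sample: not an exemption"',
]

if __name__ == "__main__":
    print(exempt_profile_for(SAMPLE_LOGS, "teams.microsoft.com"))  # Clone of deep-inspection
    print(exempt_profile_for(SAMPLE_LOGS, "expired.example"))      # None
```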

Note:

The default SSL/SSH inspection profiles cannot be edited. If SSL exemption is required, clone a default profile or create a new certificate inspection or deep inspection profile and apply the change there.