Starting from v7.2.1 GA, a feature has been added to FortiGate (when web proxy is configured) which implicitly enforces deep inspection when HTTP CONNECT request or TLS SNI partially matches to a policy.

When the HTTP CONNECT request or TLS SNI of an HTTPS session partially matches a policy with deep inspection enabled, it indicates deep inspection is needed to match the encrypted HTTP request against the policy.

In this use case, the feature is expected to implicitly enforce deep inspection of the policy to the HTTPS traffic so that it simplifies the policy definition for these cases by avoiding one more policy to handle HTTP CONNECT request or TLS SNI.

As a result, when handling HTTP-CONNECT or HTTPS-TLS SNI, in the presence of only hostname, FortiGate does partially policy match, if the partially proxy-address matches successfully, and the current policy indicates deep inspection without ssl-exempt, the feature will pause on current policy, and enforce deep ssl inspection to get full proxy-address info to rematch/verify this policy.

To understand the behavior better, see below example:

There is a FortiGate with explicit proxy enabled and a proxy address with type category (external-address) referenced in a policy (name: full-inspection)with a ssl-ssh-profile, which has deep SSL inspection enabled. Policy 'full-inspection' is located at the top of another policy (name: no-inspection) which doesn't have any SSL inspection profile assigned to it.

config firewall proxy-address 

    edit "external-address"

        set type category
        set host "all" <----- Host part, if matched in CONNECT state, is a potential match with policy 3 (full-inspection).
        set category 196

   next

end

config firewall proxy-policy

    edit 3
        set name "full-inspection"
         set proxy explicit-web
        set dstintf "VL10"
        set srcaddr "all"
         set dstaddr "external-address" <-----
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set groups "FSSO_Domain_Users"       
        set utm-status enable
        set ssl-ssh-profile "DEEP_SSL_INSPECTION" <---------
        set av-profile "_AV"
        set webfilter-profile "webfilter"
        set ips-sensor "_IPS"
        set application-list "g-default"  
   next

edit 4
        set name "no-inspection"
        set proxy explicit-web
        set dstintf "VL10"
       set srcaddr "all"
        set dstaddr "Grp-no-inspect-URLs"
       set service "webproxy"
       set action accept
       set schedule "always"
        set groups "FSSO_Domain_Users"
    next

end

To do policy matching, FortiGate goes through policies based on the order that is configured. When policy 3 (full-inspection) is evaluated, the request is in CONNECT state, the URL matches the host part of proxy-adress, and FortiGate assumes it could be a potential match. So it does a deep-inspection for HTTPS traffic, and resumes the policy match after the deep-scanning of HTTPS.

This means even traffic that matches policy 4 (no-inspection) will still go through deep SSL inspection.

Starting from v7.2.9, there is an option to enable/disable application-level policy match for deep inspection for legacy config based on old policy match logic (by default it is enabled):

config web-proxy global
    set policy-category-deep-inspect enable/disable [default:enable]
end

If this behavior is not requested, it is possible to change the order of the policy (for instance in the above example make sure policy 4 is above policy 3) or disable 'policy-category-deep-inspect'.