I am new to FortiGate and struggling to understand the SSL/SSH Profile functionality.
If I understand correctly, the SSL Certificate Inspection (Not fully proxy) has the ability to block invalid and/or expired certificated. However, based on my testing, this only functions correctly if the matching policy has an associated IPS policy (protect client in my case).
I cannot find any documentation that explains why this is the case, but have tested multiple times and regardless of the configuration, the SSL profile will never enforce block actions unless an IPS profile is present.
Version: FortiGate-VM64 v7.2.0,build1157,220331 (GA.F)