Ignore AUTH TLS command for DLP
If the FortiGate receives an AUTH TLS (PBSZ and PROT) command before receiving plain text traffic from a decrypted device, by default it expects encrypted traffic, determines that the traffic belongs to an abnormal protocol, and bypasses the traffic.
When the ssl-offloaded command is enabled, the AUTH TLS command is ignored, and the traffic is treated as plain text rather than encrypted data.
To ignore received AUTH TLS commands:
config firewall profile-protocol-options
    edit "test"
        config ftp
            set ssl-offloaded yes
        end
        config imap
            set ssl-offloaded yes
        end
        config pop3
            set ssl-offloaded yes
        end
        config smtp
            set ssl-offloaded yes
        end
    next
end
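To check which protocol options profiles still leave traffic bypassed after an AUTH TLS command, the following Python script audits a configuration excerpt for the setting shown above. It is an added example, not Fortinet code: the function name, the sample text and the "legacy" profile are constructed for illustration, and it assumes the input is laid out like the configuration above.

```python
import shlex

TABLE = "firewall profile-protocol-options"
PROTOCOLS = ("ftp", "imap", "pop3", "smtp")  # the protocols the page configures
# Constructed sample: "test" mirrors the page; "legacy" is a hypothetical profile.
SAMPLE_CONFIG = """
config firewall profile-protocol-options
    edit "test"
        config ftp
            set ssl-offloaded yes
        end
        config imap
            set ssl-offloaded yes
        end
        config pop3
            set ssl-offloaded yes
        end
        config smtp
            set ssl-offloaded yes
        end
    next
    edit "legacy"
        config smtp
            set ssl-offloaded no
        end
    next
end
"""

def missing_ssl_offloaded(config_text):
    """Map each profile to the protocols lacking 'set ssl-offloaded yes'."""
    result, stack, profile = {}, [], None
    for raw in config_text.splitlines():
        tok = shlex.split(raw) or [""]   # blank lines match no branch below
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))      # enter a config block
        elif tok[0] == "end" and stack:
            stack.pop()                          # leave the current block
        elif tok[0] == "edit" and stack == [TABLE]:
            profile = tok[1]                     # new profile: nothing covered yet
            result[profile] = list(PROTOCOLS)
        elif (tok[:3] == ["set", "ssl-offloaded", "yes"] and len(stack) == 2
              and stack[0] == TABLE and stack[1] in result.get(profile, [])):
            result[profile].remove(stack[1])     # AUTH TLS ignored for this protocol
    return result

if __name__ == "__main__":
    for name, missing in missing_ssl_offloaded(SAMPLE_CONFIG).items():
        print(name, "->", ", ".join(missing) or "all four protocols covered")
```

A profile mapped to an empty list has ssl-offloaded enabled for all four protocols; any protocol still listed keeps the default behaviour described above.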