If the FortiGate receives an AUTH TLS (PBSZ and PROT) command before receiving plain text traffic from a decrypted device, by default, it will expect encrypted traffic, determine that the traffic belongs to an abnormal protocol, and bypass the traffic.
ssl-offloaded command is enabled, the AUTH TLS command is ignored, and the traffic is treated as plain text rather than encrypted data. SSL decryption and encryption are performed by an external device.
To enable SSL offloading:
config firewall profile-protocol-options edit "test" config ftp set ssl-offloaded yes end config imap set ssl-offloaded yes end config pop3 set ssl-offloaded yes end config smtp set ssl-offloaded yes end next end