SSL certificate inspection mode allows the FortiGate to inspect the Server Name Indication (SNI) and the server certificate presented during the initial TLS handshake. This enables security features like web filtering (based on domain name/category) and application control (based on the certificate's subject) without decrypting the entire encrypted payload. Because it avoids the computationally expensive decryption and re-encryption process, this mode consumes significantly less CPU and RAM compared to full SSL inspection, directly addressing the administrator's goal of minimizing system load while maintaining essential security visibility.

A. Full SSL inspection is the most resource-intensive method as it decrypts and re-encrypts all traffic, which contradicts the requirement to minimize CPU and RAM use.

B. Disabling SSL inspection entirely would prevent the FortiGate from identifying the destination domain or application within the encrypted stream, rendering web filtering and application control ineffective.

C. This option is too generic. While the goal is efficient handling, it does not specify a concrete setting or mode, unlike certificate inspection, which is a specific, low-impact configuration.

1. FortiGate Infrastructure 7.2 Study Guide

p. 218: "SSL Inspection Modes" section states

"Certificate inspection: FortiGate only inspects the server certificate to confirm its validity and the subject. It does not decrypt the traffic. This mode consumes the least amount of resources." It also clarifies that web filtering and application control can use the information from the certificate.

2. FortiOS 7.2 Administration Guide

"SSL & SSH Inspection > Inspection modes" section: "In certificate inspection mode

FortiGate only inspects the header information of the packets. This is the least resource-intensive inspection mode... Based on the information in the certificate

FortiGate can determine if the traffic should be allowed or blocked."

3. FortiGate Security 7.2 Study Guide

p. 130: "SSL Inspection Modes" section explains

"Certificate inspection only looks at the certificate of the web server... This allows FortiGate to perform web filtering based on the category of the website

but it does not allow FortiGate to inspect the actual content for threats." This highlights its capability for web filtering with low overhead.