Under what circumstance will FortiGate abort the connection to the FortiGuard server?

Prepare for the Fortinet Certified Professional (FCP) Exam. Study with targeted questions, detailed hints, and in-depth explanations. Boost your confidence today!

The correct answer is the situation where the issuer CA (Certificate Authority) is revoked by the root CA. A revoked certificate should no longer be trusted, and honoring that revocation is critical to maintaining the integrity and security of the connections FortiGate makes to the FortiGuard server.

If the issuer CA of a certificate that FortiGate relies on for establishing a secure connection is no longer trusted due to revocation, FortiGate will abort the connection to protect the network and to prevent any potential security threats that could arise from using a compromised certificate. Trust in digital certificates is foundational for secure communications, and the revocation of a CA directly undermines that trust.

The other choices describe different scenarios. An expired CA certificate (the first choice) may raise warnings, but it doesn’t necessarily cause the connection to be aborted immediately, as some flexibility may exist depending on configuration. Similarly, a good OCSP (Online Certificate Status Protocol) status indicates that the certificate is still valid, so it would not cause the connection to abort. Lastly, failure in local DNS resolution may disrupt the ability to reach the FortiGuard
