The correct answer is A.
The debug flow shows:
- Traffic is going to TCP port 211.
- FortiGate logs run helper-ftp(dir=original).
The study guide explains exactly what that message means:
“In this example, the run helper-ftp message indicates that the FTP session helper is being used.”
Under normal proxy-based inspection, protocol handling is controlled by Protocol Options. The FortiOS administration guide states:
“Protocol port mapping only works with proxy-based inspection.” and “The ports can be modified to inspect any port with flowing traffic.”
So if the policy is configured for proxy-based inspection but the debug still shows the FTP session helper on port 211, the most likely explanation is that the FTP protocol mapping in Protocol Options is broad enough to match unexpectedly, such as being mapped to Any. That would cause FortiGate to identify the traffic as FTP and invoke the helper.
Why the other options are wrong:
B is wrong because SSL deep inspection is unrelated to this debug. The traffic shown is plain TCP/211, and the key message is about the FTP helper, not SSL decryption.
C is wrong because if FTP had not been mapped to port 211, FortiGate would be less likely to treat this traffic as FTP. The observed run helper-ftp indicates FTP handling is being triggered.
D is wrong because low-memory conserve behavior would typically cause inspection bypass or blocking behavior, not specifically the run helper-ftp message. The study guide’s helper example ties this message to session-helper use, not memory shortage.
So the verified answer is: A.
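To spot this condition in a longer capture, the following added example (not part of the study guide or FortiOS) parses debug flow text, joins each run helper-... message to the destination port of its trace, and flags helpers invoked on ports other than their usual one. The sample lines are constructed, and the names helper_findings and STANDARD_PORTS are hypothetical; only the run helper-ftp(dir=original) message text comes from the page.

```python
import re

# Constructed sample of debug flow output (addresses, func names and line
# numbers are made up); only the msg= text patterns matter to the parser.
SAMPLE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 192.0.2.10:51234->198.51.100.20:211) from port3. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6080 msg="allocate a new session-0000a1b2"
id=65308 trace_id=1 func=fw_forward_handler line=990 msg="Allowed by Policy-1:"
id=65308 trace_id=1 func=ip_session_run_all_tuple line=7200 msg="run helper-ftp(dir=original)"
id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 192.0.2.10:51240->198.51.100.20:21) from port3. flag [S], seq 9, ack 0, win 64240"
id=65308 trace_id=2 func=ip_session_run_all_tuple line=7200 msg="run helper-ftp(dir=original)"
"""

PKT_RE = re.compile(
    r'trace_id=(\d+).*received a packet\(proto=(\d+), [^)]*->[\d.]+:(\d+)\)')
HELPER_RE = re.compile(r'trace_id=(\d+).*msg="run helper-([\w-]+)\(dir=(\w+)\)"')

# Assumption: only the well-known FTP control port is listed; extend as needed.
STANDARD_PORTS = {"ftp": {21}}


def helper_findings(text, standard_ports=STANDARD_PORTS):
    """Return one record per 'run helper-X' line, joined to its trace's dport."""
    dport = {}      # trace_id -> destination port of the first packet seen
    findings = []
    for line in text.splitlines():
        pkt = PKT_RE.search(line)
        if pkt:
            dport.setdefault(pkt.group(1), int(pkt.group(3)))
            continue
        hit = HELPER_RE.search(line)
        if not hit:
            continue
        trace, helper, direction = hit.groups()
        port = dport.get(trace)
        expected = standard_ports.get(helper)
        findings.append({
            "trace_id": int(trace), "helper": helper, "dir": direction,
            "dport": port,
            # Flag only when both the port and the helper's usual ports are known.
            "unexpected_port": (port is not None and expected is not None
                                and port not in expected),
        })
    return findings


if __name__ == "__main__":
    for finding in helper_findings(SAMPLE):
        print(finding)
```

A flagged record, such as helper-ftp on port 211 here, is the cue to review the FTP port mapping in the Protocol Options profile attached to the matching policy.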