AlexC-FTNT
Staff
Article Id 301801
Description

 

This article describes the implementation of ZSTD encoding and the possible workarounds for enabling access to sites that use it.

 

Scope

 

FortiOS.

 

Solution

 

ZSTD is a lossless compression mechanism that is faster than the others in extensive use so far.

It is also known as Zstandard (RFC 8878), published in 2021, and is increasingly used to deliver content compressed in real time.

 

The challenge that this encoding poses is that the inspection done on the firewall requires an additional decoder and processing power.

At the moment, this decoder is implemented in FortiOS for other uses, but not for inspection. This means that the inspection profiles applied to a policy that is supposed to allow sites with zstd-encoded content will fail. As a result, the browser will display an error instead of the website's content compressed with ZSTD.

 

FortiOS ZSTD support is currently under development (tracked internally under NFR 1004320).

 

What can be done / workarounds until this is officially supported:


 

  • The Chrome browser can be configured to disable ZSTD (so that it requests pages without this encoding). This is only applicable to web-based access and will not work for applications.
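
To find which transactions are affected and to confirm that the browser workaround took effect, the following added example (not Fortinet code or a FortiOS feature) classifies raw HTTP/1.1 request/response pairs by whether zstd was offered in Accept-Encoding or used in Content-Encoding. The function names, result labels and sample messages are constructed for illustration.

```python
ZSTD_MAGIC = bytes.fromhex("28b52ffd")  # RFC 8878 frame magic 0xFD2FB528, little-endian on the wire

def parse_headers(raw: bytes) -> dict:
    """Return the header fields of a raw HTTP/1.1 message, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        # Repeated fields are equivalent to one comma-separated list.
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers

def client_offers_zstd(request: bytes) -> bool:
    """True if Accept-Encoding lists zstd with a non-zero q-value."""
    for item in parse_headers(request).get("accept-encoding", "").split(","):
        token, _, params = item.partition(";")
        if token.strip().lower() == "zstd":
            q = params.strip().lower().replace(" ", "")
            return q not in {"q=0", "q=0.0", "q=0.00", "q=0.000"}
    return False

def response_is_zstd(response: bytes) -> bool:
    """True if Content-Encoding names zstd or the body opens with a zstd frame."""
    _, _, body = response.partition(b"\r\n\r\n")
    codings = parse_headers(response).get("content-encoding", "").lower().split(",")
    return "zstd" in [c.strip() for c in codings] or body.startswith(ZSTD_MAGIC)

def triage(request: bytes, response: bytes) -> str:
    """Hypothetical labels: zstd-encoded (inspection fails), zstd-offered, no-zstd."""
    if response_is_zstd(response):
        return "zstd-encoded"
    return "zstd-offered" if client_offers_zstd(request) else "no-zstd"

# Constructed sample messages (not captured traffic); example.test is a placeholder host.
REQ_DEFAULT = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
               b"Accept-Encoding: gzip, deflate, br, zstd\r\n\r\n")
REQ_WORKAROUND = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                  b"Accept-Encoding: gzip, deflate, br\r\n\r\n")
RESP_ZSTD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"Content-Encoding: zstd\r\n\r\n" + ZSTD_MAGIC + b"\x00\x00")
RESP_GZIP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"Content-Encoding: gzip\r\n\r\n\x1f\x8b\x08")

if __name__ == "__main__":
    for name, req, resp in [("default", REQ_DEFAULT, RESP_ZSTD), ("workaround", REQ_WORKAROUND, RESP_GZIP)]:
        print(name, triage(req, resp))
```

A client that still shows `zstd-offered` after the browser change is one where the workaround has not been applied, for example an application that does not honour the browser setting.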
 
 
