Secucard
New Member
April 1, 2025
Question

ZTNA and UDP: Nginx URL as a bypass in a secure application?

  • April 1, 2025
  • 4 replies
  • 1232 views

Hi,


I'm a little bit confused about the fact that with FortiOS 7.6 there is now support for UDP, which is then bypassed by a URL on nginx.org. Is this the state of the art of a secure application / appliance?


Sophos and Cisco already seem to have full support for UDP ZTNA. What are the plans from Fortinet?

Solving this issue with a kind of BETA implementation on a third-party outside proxy is not a practicable solution.

Best

Ronny

4 replies

AEK
SuperUser
April 1, 2025

Hi Ronny

Could you please explain further what you mean by "bypassed by an URL on nginx.org"?

AEK
Secucard (Author)
New Member
April 1, 2025

Hi,


ZTNA support for UDP traffic | FortiGate / FortiOS 7.6.0 | Fortinet Document Library


"After authentication, security posture check, and authorization, FortiGate forms a UDP connection with the destination (quic.nginx.org), and the end-to-end UDP traffic passes through, allowing the endpoint to reach three different destinations through UDP"

AEK
SuperUser
April 1, 2025

Hi Secucard

I didn't try UDP on ZTNA yet but after reading the doc I don't find that the UDP traffic bypasses the FortiGate ZTNA gateway (here quic.nginx.org is an example for PoC), and I understand from the doc that ZTNA handles UDP traffic approximately the same way as TCP.

Or did I misunderstand your question?

AEK
Secucard (Author)
New Member
April 2, 2025

Well, for me, these are kind of strange docs from Fortinet.

It looks like it uses the external proxy quic.nginx.org.

Or do they just mean the implementation of the quic protocol *FROM* Nginx?

Would be nice if someone from Fortinet could answer this, because on my ticket I did not receive an answer yet. Thanks

AEK
SuperUser
April 2, 2025

You can try https://quic.nginx.org in your browser with tcpdump (or Wireshark) running, and you can see quic.nginx.org is redirecting to QUIC (UDP).

The Fortinet doc uses this example as a PoC to show that UDP traffic is handled by ZTNA just like TCP.

AEK
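As an added example (not part of this thread and not Fortinet's or nginx's code): when checking a capture as suggested above, the UDP/443 payloads should parse as QUIC. This Python classifies a UDP payload by its QUIC header layout (RFC 9000 long/short header, RFC 8999 version negotiation) so the traffic can be confirmed as QUIC rather than some other UDP protocol. The sample packets are constructed; the connection ID value is illustrative.

```python
import struct

QUIC_V1 = 0x00000001
LONG_TYPES_V1 = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}

def read_varint(buf, pos):
    """Decode a QUIC variable-length integer (RFC 9000, section 16)."""
    first = buf[pos]
    length = 1 << (first >> 6)              # 1, 2, 4 or 8 bytes, from the top two bits
    value = first & 0x3F
    for i in range(1, length):
        value = (value << 8) | buf[pos + i]
    return value, pos + length

def classify_udp_payload(payload):
    """Return a dict describing the QUIC packet, or None if the bytes do not look like QUIC."""
    if len(payload) < 5:
        return None
    first = payload[0]
    if not first & 0x80:                    # header form bit 0: short header (1-RTT)
        if not first & 0x40:                # fixed bit must be 1 outside version negotiation
            return None
        return {"header": "short", "type": "1-RTT"}
    version = struct.unpack("!I", payload[1:5])[0]
    pos = 5
    dcid_len = payload[pos]; pos += 1
    dcid = payload[pos:pos + dcid_len]; pos += dcid_len
    scid_len = payload[pos]; pos += 1
    scid = payload[pos:pos + scid_len]; pos += scid_len
    info = {"header": "long", "version": version, "dcid": dcid.hex(), "scid": scid.hex()}
    if version == 0:                        # version negotiation (RFC 8999) has no fixed bit
        info["type"] = "VersionNegotiation"
        return info
    if not first & 0x40:
        return None
    if version != QUIC_V1:
        info["type"] = "unknown-version"
        return info
    ptype = (first >> 4) & 0x03
    info["type"] = LONG_TYPES_V1[ptype]
    if ptype == 0:                          # Initial: token length, token, then packet length
        token_len, pos = read_varint(payload, pos)
        pos += token_len
        info["token_len"] = token_len
        info["length"], pos = read_varint(payload, pos)
    return info

# Constructed samples: a client Initial with an 8-byte DCID, empty SCID, no token and a
# declared length of 1200 (encrypted payload truncated), and a plain DNS query for contrast.
SAMPLE_INITIAL = bytes.fromhex("c0 00000001 08 8394c8f03e515708 00 00 44b0") + b"\x00" * 16
SAMPLE_DNS_QUERY = bytes.fromhex("1234 0100 0001 0000 0000 0000")
```

Feed each UDP payload from a capture through classify_udp_payload; a burst of Initial and Handshake packets followed by 1-RTT short-header packets on UDP/443 is what a QUIC session to quic.nginx.org looks like.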