Created on 02-28-2024 02:44 AM
Edited on 11-18-2024 09:09 AM
By Stephen_G
Description
This article describes the implementation of ZSTD encoding and the possible workarounds for enabling access to these sites.
Scope
FortiOS.
Solution
ZSTD, also known as Zstandard (RFC 8878, published in 2021), is a lossless compression mechanism that is faster than the others extensively used so far.
It is increasingly used to deliver compressed content in real time.
ZSTD is fully supported in flow- and proxy-based inspection modes starting with FortiOS v7.2.9, v7.4.5, and v7.6.0.
Older FortiOS versions are not able to inspect ZSTD-encoded content. This means that when inspection profiles are applied to a policy that is supposed to allow sites with ZSTD-encoded content, the inspection will fail. As a result, the browser will display an error instead of the website's ZSTD-compressed content.
Workarounds for older FortiOS versions:
- Create a separate policy that allows access to these sites without applying inspection (Application Control, deep-inspection, etc.).
- Set the scanning to be performed as plain text, instead of being blocked (see Technical Tip: Usage of 'unknown-content-encoding' option for allowing file downloads in proxy mode). Make sure this profile is the one used in the firewall policy:
- The Chrome browser can be configured to disable ZSTD, so that it requests pages without this encoding. This is only applicable to web-based access and will not work for applications.
https://chromeenterprise.google/policies/#ZstdContentEncodingEnabled
The value needs to be set via Enterprise Policy according to Google documentation, for example via Registry:
After setting the policy, Chrome needs to be fully restarted.
As of the latest Chrome 131 version, it is not possible to use flags to disable the encoding. If the setting was set previously, one of the alternative methods above needs to be used.
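To decide which destinations need one of the workarounds above, the following added example (not part of the original article and not Fortinet code) applies the article's version floors and flags captured responses that are ZSTD-encoded. The function names, the capture tuple layout, and the sample hosts are assumptions made for illustration; the body check uses the Zstandard frame magic number from RFC 8878.

```python
import re

# Version floors stated in the article: v7.2.9, v7.4.5, v7.6.0.
ZSTD_MIN_PATCH = {(7, 2): 9, (7, 4): 5}
ZSTD_FIRST_BRANCH = (7, 6)  # assumption: branches after 7.6 keep the support
ZSTD_MAGIC = bytes.fromhex("28b52ffd")  # RFC 8878 frame magic 0xFD2FB528, little-endian


def fortios_inspects_zstd(version):
    """True if this FortiOS version can inspect ZSTD-encoded content."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) >= ZSTD_FIRST_BRANCH:
        return True
    floor = ZSTD_MIN_PATCH.get((major, minor))
    return floor is not None and patch >= floor


def content_codings(header_lines):
    """Lower-cased codings from every Content-Encoding header, in order."""
    codings = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-encoding":
            codings += [c.strip().lower() for c in value.split(",") if c.strip()]
    return codings


def is_zstd_response(header_lines, body_prefix=b""):
    """Header says zstd, or the body starts with a Zstandard frame."""
    return "zstd" in content_codings(header_lines) or body_prefix.startswith(ZSTD_MAGIC)


def hosts_needing_workaround(version, captures):
    """Hosts whose responses this FortiOS version cannot inspect."""
    if fortios_inspects_zstd(version):
        return []
    return sorted({host for host, hdrs, body in captures if is_zstd_response(hdrs, body)})


# Constructed sample captures: (host, response header lines, first body bytes).
SAMPLE_CAPTURES = [
    ("app.example.com", ["Content-Type: text/html", "Content-Encoding: zstd"], b""),
    ("cdn.example.net", ["content-encoding: GZIP, Zstd"], b""),
    ("files.example.org", ["Content-Type: application/octet-stream"], ZSTD_MAGIC + b"\x00"),
    ("www.example.com", ["Content-Encoding: gzip"], b"\x1f\x8b\x08"),
]
```

Feed it header lines and the first body bytes taken from a proxy log or packet capture; the returned host list is the candidate set for the no-inspection policy on units below the listed versions.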
Related article:
Technical Tip: Using a no default profile-protocol-options inside a firewall policy