FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 301801


This article describes the implementation of ZSTD encoding and the possible workarounds for enabling access to these sites.








ZSTD is a compression mechanism, lossless and faster than others extensively used so far.

It is also known as Zstandard (RFC 8878), published in 2021, and is increasingly used to deliver real-time compression content.


The challenge that this encoding poses is that the inspection done on the firewall requires an additional decoder and processing power.

At the moment, this decoder is implemented in FortiOS for other uses, but not for inspection. This means that the inspection profiles applied to a policy that is supposed to allow sites with zstd-encoded content will fail. As a result, the browser will display an error instead of the website's content compressed with ZSTD.


FortiOS ZSTD support is currently under development (tracked internally under NFR 1004320).


What can be done / workarounds until this is officially supported:



  • Chrome browser can be configured to disable ZSTD (requesting the pages without this encoding). This is only applicable to web-based access, and will not work for the applications.



Related article:
Technical Tip: Using a no default profile-protocol-options inside a firewall policy