ZTNA and UDP: Nginx URL as a bypass in a secure application?
Hi,
I'm a little bit confused about the fact that, with FortiOS 7.6, there is now support for UDP, which is then bypassed by a URL on nginx.org. Is this the state of the art for a secure application / appliance?
Sophos and Cisco already seem to have full support for UDP ZTNA. What are the plans from Fortinet?
Solving this issue with a kind of BETA implementation on a third-party outside proxy is not a practicable solution.
Best
Ronny
Hi Ronny
Could you please explain further what you mean by "bypassed by an URL on nginx.org"?
Hi,
ZTNA support for UDP traffic | FortiGate / FortiOS 7.6.0 | Fortinet Document Library
"After authentication, security posture check, and authorization, FortiGate forms a UDP connection with the destination (quic.nginx.org), and the end-to-end UDP traffic passes through, allowing the endpoint to reach three different destinations through UDP"
Hi Secucard
I haven't tried UDP on ZTNA yet, but after reading the doc I don't find that the UDP traffic bypasses the FortiGate ZTNA gateway (here quic.nginx.org is an example for a PoC), and I understand from the doc that ZTNA handles UDP traffic approximately the same way as TCP.
Or did I misunderstand your question?
Well, for me, these are kind of strange docs from Fortinet.
It looks like it uses the external proxy quic.nginx.org.
Or do they just mean the implementation of the QUIC protocol *FROM* Nginx?
It would be nice if someone from Fortinet could answer this, because on my ticket I have not received an answer yet. Thanks
You can try https://quic.nginx.org in your browser with tcpdump (or Wireshark) running, and you can see that quic.nginx.org redirects to QUIC (UDP).
The Fortinet doc uses this example as a PoC to show that UDP traffic is handled well by ZTNA, just like TCP.
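The check suggested above (capture the browser's traffic to quic.nginx.org and confirm it is QUIC over UDP) is easier if you know what a QUIC datagram looks like on the wire. The following is an added example, not code from this thread, from Fortinet or from nginx: it parses the QUIC long header defined in RFC 9000 (header-form bit, fixed bit, version, connection IDs, and for v1 Initial packets the token length) so that a UDP payload pulled from a capture can be classified as QUIC or not. The sample packets at the bottom are constructed by hand, not captured from quic.nginx.org; the function and variable names are this example's own.

```python
"""Recognise QUIC (RFC 9000) long-header packets in raw UDP payloads.

Added example (not from the thread or from Fortinet). Only long-header
packets, i.e. the handshake, are self-describing; 1-RTT short-header
packets carry no version field and cannot be identified in isolation,
so a capture is classified by its first datagrams on UDP/443.
"""
import struct
from typing import Optional, Tuple

QUIC_V1 = 0x00000001
LONG_TYPES_V1 = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an RFC 9000 variable-length integer at buf[pos]; return (value, new_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated varint")
    length = 1 << (buf[pos] >> 6)          # top two bits select 1, 2, 4 or 8 bytes
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    value = buf[pos] & 0x3F
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, pos + length


def parse_quic_long_header(payload: bytes) -> Optional[dict]:
    """Return the fields of a QUIC long header, or None if payload is not one."""
    if len(payload) < 7:
        return None
    first = payload[0]
    if not first & 0x80:                   # Header Form bit clear: short header or not QUIC
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    # The Fixed Bit (0x40) must be 1 in v1 packets; in a Version Negotiation
    # packet (version 0) that bit is part of the "Unused" field and may be anything.
    if version != 0 and not first & 0x40:
        return None
    pos = 5
    dcid_len = payload[pos]
    pos += 1
    if dcid_len > 20 or pos + dcid_len + 1 > len(payload):
        return None                        # v1 caps connection IDs at 20 bytes
    dcid = payload[pos:pos + dcid_len]
    pos += dcid_len
    scid_len = payload[pos]
    pos += 1
    if scid_len > 20 or pos + scid_len > len(payload):
        return None
    scid = payload[pos:pos + scid_len]
    pos += scid_len

    info = {"version": version, "dcid": dcid.hex(), "scid": scid.hex()}
    if version == 0:
        # Version Negotiation: the body is a list of 32-bit versions the server supports.
        rest = payload[pos:]
        info["type"] = "VersionNegotiation"
        info["offered_versions"] = [struct.unpack("!I", rest[i:i + 4])[0]
                                    for i in range(0, len(rest) - len(rest) % 4, 4)]
        return info
    ptype = (first & 0x30) >> 4
    info["type"] = LONG_TYPES_V1.get(ptype, "Unknown") if version == QUIC_V1 else f"type{ptype}"
    if version == QUIC_V1 and ptype == 0:
        # Initial packets carry a token (normally empty on a client's first flight).
        token_len, pos = read_varint(payload, pos)
        info["token_len"] = token_len
    return info


def classify_udp_payload(payload: bytes) -> str:
    """One-line verdict for a UDP payload, suitable for printing per datagram."""
    hdr = parse_quic_long_header(payload)
    if hdr is None:
        return "not a QUIC long-header packet"
    if hdr["type"] == "VersionNegotiation":
        offered = [hex(v) for v in hdr["offered_versions"]]
        return f"QUIC VersionNegotiation (server offers {offered})"
    ver = "v1" if hdr["version"] == QUIC_V1 else hex(hdr["version"])
    return f"QUIC {ver} {hdr['type']} packet, DCID={hdr['dcid'] or '-'}, SCID={hdr['scid'] or '-'}"


# Constructed sample (not a real capture): 0xC3 = long header, fixed bit, type 0
# (Initial), packet-number length 4; version 1; 8-byte DCID; empty SCID; empty
# token; a length field of 0 for brevity.
SAMPLE_CLIENT_INITIAL = (
    bytes([0xC3, 0x00, 0x00, 0x00, 0x01, 0x08])
    + bytes.fromhex("8394c8f03e515708")
    + bytes([0x00])      # SCID length 0
    + bytes([0x00])      # token length 0 (varint)
    + bytes([0x00])      # length 0 (varint)
)
# Constructed: a DNS-looking datagram whose first byte has the header-form bit clear.
SAMPLE_NOT_QUIC = bytes.fromhex("12340100000100000000000003777777")

if __name__ == "__main__":
    for name, pkt in [("sample initial", SAMPLE_CLIENT_INITIAL), ("dns-like", SAMPLE_NOT_QUIC)]:
        print(f"{name}: {classify_udp_payload(pkt)}")
```

To run this against a real capture, feed it the UDP payloads of each datagram (for example by reading the pcap with a library such as scapy or dpkt; that wiring is left out here). Expect to see both TCP/443 and UDP/443 to the same host: a browser normally learns that a site supports HTTP/3 from an Alt-Svc header on a first TCP connection and only then opens the QUIC connection, so the QUIC Initial packets will not be the first packets in the trace.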
