shafiq23
Staff & Editor
February 25, 2025

Technical Tip: IP Fragmentation Protection

Description: This article describes how IP Fragmentation Protection is applied in the configuration and what the events it generates look like in the security log.
Scope: FortiADC, FortiADC-VM.
Solution:

IP fragmentation allows a packet to be split into smaller pieces for transmission, but it can be abused in DDoS attacks to overwhelm the virtual servers that FortiADC fronts.

By default, FortiADC has IP fragmentation protection enabled globally (in all VDOMs), protecting all virtual servers. It cannot be disabled in the configuration, and it works even when no DoS profile is applied in the virtual server settings.

[Screenshot: virtual-server.png]

There are cases where legitimate vulnerability assessment tools simulate such IP fragmentation attacks and trigger the protection.

Sample DoS security log:

[Screenshot: DoS event.png]

In the DoS security log, the Virtual Server Name is 'Global', because the protection is applied globally rather than per virtual server.

The available fine-tuning options are Max Memory Size Limit, Min Memory Size Limit, and Timeout. Whitelist and exception entries are not supported in the current release.
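As an added illustration (not FortiADC's code and not a description of its internals), the following Python toy model shows why a memory cap and a timeout are the natural tuning knobs for fragment protection: incomplete datagrams hold reassembly memory until they either complete or time out, so a flood of never-completed first fragments, the pattern a scanner may also produce, exhausts the cap and is dropped. The class and field names, the byte units and the eviction behaviour are assumptions; the Min Memory Size Limit setting is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class FragmentGuard:
    """Toy model of a reassembly guard with a memory cap and a timeout.
    Constructed for illustration; NOT FortiADC's implementation. The parameter
    names borrow from the Max Memory Size Limit and Timeout settings (assumption)."""
    max_memory: int        # total bytes of incomplete fragments the guard will hold
    timeout: float         # seconds an incomplete datagram may linger before eviction
    pending: dict = field(default_factory=dict)  # (src, dst, ident) -> [last_seen, bytes]
    used: int = 0          # bytes currently held
    dropped: int = 0       # fragments refused because the memory cap was reached

    def expire(self, now: float) -> int:
        """Evict datagrams idle for longer than `timeout`; return how many were evicted."""
        stale = [k for k, (seen, _) in self.pending.items() if now - seen > self.timeout]
        for k in stale:
            self.used -= self.pending.pop(k)[1]
        return len(stale)

    def fragment(self, now: float, key: tuple, size: int, more_fragments: bool) -> str:
        """Admit one fragment of datagram `key` and return the action taken."""
        self.expire(now)
        if self.used + size > self.max_memory:
            self.dropped += 1      # a device would raise a DoS event for this condition
            return "drop"
        entry = self.pending.setdefault(key, [now, 0])
        entry[0], entry[1] = now, entry[1] + size
        self.used += size
        if not more_fragments:     # simplification: the MF=0 fragment completes the datagram
            self.used -= self.pending.pop(key)[1]
            return "reassembled"
        return "buffered"


def simulate_flood(guard: FragmentGuard, datagrams: int, frag_size: int) -> dict:
    """Send only the first fragment of `datagrams` distinct datagrams (none ever
    completes), then jump past the timeout to show the memory being reclaimed."""
    t = 0.0
    for ident in range(datagrams):           # constructed addresses from RFC 5737 ranges
        guard.fragment(t, ("198.51.100.7", "203.0.113.10", ident), frag_size, True)
        t += 0.001
    held_at_peak = guard.used
    expired = guard.expire(t + guard.timeout + 1.0)
    return {"dropped": guard.dropped, "held_at_peak": held_at_peak,
            "expired": expired, "held_after": guard.used}
```

With a 4000-byte cap and 100-byte first fragments, the 41st datagram and every later one is dropped, and the 40 held datagrams are released only once the timeout elapses; a legitimate two-fragment datagram completes and frees its memory immediately.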

[Screenshot: DoS Protection.png]

Related document:

Configuring an IP Fragmentation Policy