Fortinet Community

This article describes the behavior of setting TCP-MSS under config system interface.

Network diagram:

Network diagram

Behavior in FortiOS 6.0.x, 6.2.x, 6.4.x and 7.0.0:

The change of TCP-MSS is done only in one direction (only for return traffic).

Example 1:

# config system interface
    edit "wan1"
        set tcp-mss 1300
    next
    edit "port1"
        unset tcp-mss
    next

end

The result will be:

- Client -> Server, MSS is unchanged (typically 1460).

- Server -> Client, MSS=1300.

Example 2:

# config system interface
    edit "wan1"
        unset tcp-mss
    next
    edit "port1"
        set tcp-mss 1200
    next
end

The result will be:

- Client -> Server, MSS=1200.

- Server -> Client, MSS is unchanged (typically 1460).

Example 3:

# config system interface
    edit "wan1"
        set tcp-mss 1300
    next
    edit "port1"
        set tcp-mss 1200
    next
end

The result will be:

- Client -> Server, MSS=1200.

- Server -> Client, MSS=1300

Behavior in FortiOS from 7.0.1 and 7.2.x.

The change of TCP-MSS value is done in both directions.

Example 1:

# config system interface
    edit "wan1"
        set tcp-mss 1300
    next
    edit "port1"
        unset tcp-mss
   next

end

The result will be:

- Client -> Server, MSS=1300.

- Server -> Client, MSS=1300

Example 2:

# config system interface
    edit "wan1"
        unset tcp-mss
    next
    edit "port1"
        set tcp-mss 1200
    next
end

The result will be:

- Client -> Server, MSS=1200.

- Server -> Client, MSS=1200

Example 3:

# config system interface
    edit "wan1"
        set tcp-mss 1300
    next
    edit "port1"
        set tcp-mss 1200
    next
end

The result will be:

- Client -> Server, MSS=1200.

- Server -> Client, MSS=1200.

Related article:

Technical Tip: Setting TCP MSS value