Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jangelis
Staff
Staff

Created on ‎08-21-2022 10:35 AM Edited on ‎02-02-2024 04:11 AM By Moderator

Article Id 221376

Technical Tip: Behavior of TCP-MSS setting under system interface

Description

This article describes the behavior of setting TCP-MSS under the config system interface.

 

Network diagram:

 

Network diagramNetwork diagram

 

- MTU: stands for ‘Maximum Transmission Unit’ and is the maximum size of an IP packet that can be handled by the layer-3 device.

 

  • TCP-MSS: stands for ‘Maximum Segment Size’ and is the maximum size of the payload field inside a single IP packet.

If the communication network has a lower MTU value, but the client endpoint is not aware of it, it will send its MSS value of 1460 bytes to the server.

 

The server will therefore think that the client can receive 1500 bytes (1460 MSS+20 IP header+20 TCP header=1500 bytes) and will send a packet with a size of 1500 bytes. If the MTU is lower somewhere in the path, then the packet can be fragmented.

If the DF (do not fragment) bit is set then the packet can be dropped, which can cause delays or slowness in the network.
Scope FortiGate.
Solution

Behavior in FortiOS 6.0.x, 6.2.x, 6.4.x and 7.0.0:

The change of TCP-MSS is done only in one direction (only for return traffic).

 

Example 1:

 

config system interface
    edit "wan1"
        set tcp-mss 1300
    next
    edit "port1"
        unset tcp-mss
    next

end

 

The result will be:

 

  • Client -> Server, MSS is unchanged (typically 1460).
  • Server -> Client, MSS=1300.

 

Example 2:

 

config system interface
    edit "wan1"
        unset tcp-mss
    next
    edit "port1"
        set tcp-mss 1200
    next
end

 

The result will be:

 

  • Client -> Server, MSS=1200.
  • Server -> Client, MSS is unchanged (typically 1460).

 

Example 3:

 

config system interface
    edit "wan1"
        set tcp-mss 1300
    next
    edit "port1"
        set tcp-mss 1200
    next
end

 

The result will be:

 

  • Client -> Server, MSS=1200.
  • Server -> Client, MSS=1300.

 

Behavior in FortiOS from 7.0.1 and 7.2.x:

The change of TCP-MSS value is done in both directions.

 

Example 1:

 

config system interface
    edit "wan1"
        set tcp-mss 1300
    next
    edit "port1"
        unset tcp-mss
   next

end

 

The result will be:

 

  • Client -> Server, MSS=1300.
  • Server -> Client, MSS=1300.

 

Example 2:

 

config system interface
    edit "wan1"
        unset tcp-mss
    next
    edit "port1"
        set tcp-mss 1200
    next
end

 

The result will be:

 

  • Client -> Server, MSS=1200.
  • Server -> Client, MSS=1200.

 

Example 3:

 

config system interface
    edit "wan1"
        set tcp-mss 1300
    next
    edit "port1"
        set tcp-mss 1200
    next
end

 

The result will be:

 

  • Client -> Server, MSS=1200.
  • Server -> Client, MSS=1200.

 

Note:

If the firewall receives a packet with a segment size that is lower than the one configured on the interface, it will not modify the TCP MSS field. For example, if the interface is configured to set MSS of 1200 and the packet arrives with MSS 1100, the value will not be modified and the packet will be forwarded with MSS 1100.

 

Related article:

Technical Tip: Setting TCP MSS value.

20882
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.