FortiGate
spoojary
Staff
Article Id 275278
Description This article describes dynamic MTU configuration in SD-WAN deployments with cellular connectivity.
Scope FortiGate, SD-WAN.
Solution

Problem:

In SD-WAN deployments that use cellular connectivity, the MTU available on the cellular path is often lower than the usual 1500 bytes. The MTU can be set manually on the WAN-facing interface, but it would be preferable for the FortiGate to learn the available MTU dynamically from the upstream cellular devices. The goal is to keep the FortiGate's MTU aligned with the cellular path without manual intervention.


Question:

Is there a method for a FortiGate to adapt dynamically to the optimum MTU based on ICMP 'Fragmentation Needed' (type 3, code 4) messages from upstream devices, without manual configuration?


Solution:

  1. Manually Adjusting MTU:

    If the MTU restriction is known, it can be set manually on the WAN-facing interface (1300 bytes here as an example):

    config system interface
        edit <interface>
            set mtu-override enable
            set mtu 1300
        next
    end

  2. Dynamic MTU Discovery:

    The global PMTU discovery setting applies to traffic the FortiGate itself originates (TCP/UDP):

    config system global
        set pmtu-discovery enable
    end

    However, as observed, this setting alone does not make the FortiGate adjust the interface MTU.

  3. PMTU Option for ESP:

    Starting with FortiOS 7.0.4, there is a setting that controls the IPv4 'Don't Fragment' (DF) bit on ESP packets. It is configured on the IPsec phase2-interface:

    config vpn ipsec phase2-interface
        edit <tunnel name>
            set ipv4-df enable
        next
    end

    With the DF bit set, an upstream device whose MTU is too small drops the ESP packet instead of fragmenting it and returns an ICMP 'Fragmentation Needed' message carrying its MTU. This only helps if those ICMP messages actually reach the FortiGate: if the carrier or an intermediate device filters ICMP, oversized packets are dropped silently (a PMTUD black hole), and the tunnel may pass small packets while large ones disappear. Confirm that DF-set packets of the expected size either get through or trigger a 'Fragmentation Needed' reply before relying on this.

  4. Further Investigation:

    If the steps above do not address the issue, further investigation and testing may be required. It might be beneficial to review Fortinet's community and official documentation for updates and insights related to this topic.

Notes:

  • The setting pmtu-discovery enable primarily affects self-originated traffic (TCP/UDP). It might not dynamically adjust the MTU for all types of traffic.

  • If the solutions provided do not address the specific requirements, it is advisable to consult with Fortinet's sales or support team, as there could be new features or updates available.

  • Always make sure to test configurations in a controlled environment before deploying them in a live setup.