FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article describes how to enable path MTU discovery on Fortigate self-originated traffic.
Scope
FortiGate
Solution
- On 5.6 and 6.0 FortiOS lines, by default, any self-originated traffic from FGT (including proxy) has the DF bit set.
So fragmentation is not allowed along the path to the server which automatically triggered path MTU discovery when the intermediate router's MTU is smaller and thus Fortigate adjusted the packet size.
- FortiOS v6.2 onwards, DF bit is not set for self-originated traffic. Path MTU discovery can be configured as below:
# config system globa set pmtu-discovery enable | disable (by default disable) end
