FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 197002



This article describes the behavior of the 'honor-df' global setting:


config system global
    set honor-df enable/disable
    set hostname "FGT1"
    set timezone 04




Any supported version of FortiGate.



FortiGate is able to ignore the 'do not defragment' portion of a packet.
As this is a global setting, this will only apply to the FortiGate and not to any other devices in the chain.
So regardless of the MTU set in the interfaces, FortiGate will ignore or honor the bit before the packet is forwarded.


Note: In Fortigate, there is no option for clearing a df bit in passing traffic. Fortigate can ignore it.

Consider the following scenario:

The Windows1 Machine has a default MTU of 1500, but port3 and port2 on the FortiGate have an MTU of 1000.
When the user tries to ping the simulated Provider Internet Gateway in this example ( from the machine, the following will happen:
set honor-df disable


Although the MTU of FortiGate interface is set to 1000 and the user is trying to use an MTU of 1400 without fragmentation (-f), the packets are still allowed to flow:

set honor-df enable
If the user sets the 'honor-df global' option to enabled, FortiGate will start honoring the 'do not fragment' bit and the packets will be dropped:
In this particular case, if the user wants to make sure a packet is forward correctly without being fragmented, the user has to adjust the ping MTU to 972:
972 is the value chosen because the ICMP overhead consists of 28 bytes (972+28=1000 as the MTU is set):