Description
This article describes the behavior of the 'honor-df' global setting:
config system global
set honor-df enable/disable <- Enabled by default.
set hostname "FGT1"
set timezone 04
end
Scope
Any supported version of FortiGate.
Solution
FortiGate can ignore the 'do not defragment' portion of a packet.
As this is a global setting, this will only apply to the FortiGate and not to any other devices in the chain.
So regardless of the MTU set in the interfaces, FortiGate will ignore or honor the bit before the packet is forwarded.
Note: In Fortigate, there is no option for clearing a df bit in passing traffic. Fortigate can ignore it.
Consider the following scenario:
The Windows1 Machine has a default MTU of 1500, but port3 and port2 on the FortiGate have an MTU of 1000.
When the user tries to ping the simulated Provider Internet Gateway in this example (172.16.0.254) from the machine, the following will happen:
set honor-df disable
Although the MTU of the FortiGate interface is set to 1000 and the user is trying to use an MTU of 1400 without fragmentation (-f), the packets are still allowed to flow:
set honor-df enable
If the user sets the 'honor-df global' option to enabled, FortiGate will start honoring the 'do not fragment' bit and the packets will be dropped:
In this particular case, if the user wants to make sure a packet is forwarded correctly without being fragmented, the user has to adjust the ping MTU to 972:
972 is the value chosen because the ICMP overhead consists of 28 bytes (972+28=1000 as the MTU is set):
