FortiGate
lbruno
Staff
Article Id 197002

Description

 

This article describes the behavior of the 'honor-df' global setting:

 

config system global
    set honor-df enable/disable    <- enabled by default
    set hostname "FGT1"
    set timezone 04
end

 

Scope

 

Any supported version of FortiGate.


Solution

 

FortiGate can ignore the 'do not fragment' (DF) bit of a packet.
As this is a global setting, it applies only to the FortiGate itself and not to any other device in the path.
So regardless of the MTU set on the interfaces, FortiGate will either ignore or honor the DF bit before forwarding the packet.

 

Note: FortiGate has no option to clear the DF bit in transit traffic; it can only ignore it.


Consider the following scenario:



The Windows1 machine has a default MTU of 1500, but port3 and port2 on the FortiGate have an MTU of 1000.
When the user pings the simulated Provider Internet Gateway (172.16.0.254 in this example) from the machine, the following happens:
 
set honor-df disable
 

 

Although the MTU of the FortiGate interface is set to 1000 and the user is sending 1400-byte pings with the 'do not fragment' flag set (-f), the packets are still allowed through:
 
 

set honor-df enable
 
If the user sets the global 'honor-df' option to enable, FortiGate starts honoring the 'do not fragment' bit and the packets are dropped:
 
 
In this case, if the user wants to make sure the packet is forwarded without being fragmented, the ping size has to be reduced to 972:
  
 
972 is chosen because the ICMP echo overhead is 28 bytes (a 20-byte IP header plus an 8-byte ICMP header), so 972 + 28 = 1000, which matches the configured MTU.
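The forwarding decision described above, as an added Python model that is not part of the article or of FortiOS: it reproduces the 28-byte ping overhead, the drop-versus-fragment choice that 'honor-df' controls, and the 8-byte alignment rule IPv4 fragmentation follows. The 1400-byte ping from the scenario is assumed to produce a 1428-byte IP packet, and a dropped packet is modelled as silently discarded (the ICMP "fragmentation needed" reply a router may send is not modelled).

```python
"""Model of the FortiGate 'honor-df' forwarding decision (added example, not FortiOS code)."""
from dataclasses import dataclass

IP_HEADER = 20                            # IPv4 header without options
ICMP_HEADER = 8                           # ICMP echo request/reply header
PING_OVERHEAD = IP_HEADER + ICMP_HEADER   # the 28 bytes the article refers to


@dataclass
class Packet:
    total_length: int   # IP total length in bytes (headers + payload)
    df: bool            # 'do not fragment' flag set?


def max_ping_payload(mtu: int) -> int:
    """Largest ICMP echo payload that fits one packet on a link with this MTU."""
    return mtu - PING_OVERHEAD


def fragment(total_length: int, mtu: int) -> list[int]:
    """IPv4 fragmentation: every fragment but the last carries a payload that is a
    multiple of 8 bytes, because fragment offsets are counted in 8-byte units."""
    payload = total_length - IP_HEADER
    per_fragment = (mtu - IP_HEADER) // 8 * 8
    sizes = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(IP_HEADER + chunk)
        payload -= chunk
    return sizes


def forward(pkt: Packet, egress_mtu: int, honor_df: bool) -> list[int]:
    """Return the IP total lengths put on the wire, or [] if the packet is dropped.
    honor-df disabled: FortiGate fragments oversized packets even when DF is set.
    honor-df enabled:  an oversized packet with DF set is dropped."""
    if pkt.total_length <= egress_mtu:
        return [pkt.total_length]          # fits, forwarded unchanged
    if pkt.df and honor_df:
        return []                          # DF honored: dropped
    return fragment(pkt.total_length, egress_mtu)


if __name__ == "__main__":
    big_ping = Packet(total_length=1400 + PING_OVERHEAD, df=True)   # constructed sample
    print("honor-df disable:", forward(big_ping, 1000, honor_df=False))
    print("honor-df enable: ", forward(big_ping, 1000, honor_df=True))
    print("largest DF ping payload for MTU 1000:", max_ping_payload(1000))
```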