Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
srajeswaran
Staff
Staff

Created on ‎01-18-2026 02:03 PM

Article Id 426651

Technical Tip: Handling packets larger than interface MTU on FortiGate

Description This article describes how FortiGate handles packets that are larger than the configured interface MTU.
Scope FortiGate.
Solution

Consider the following topology:

 

image.png

 

The LocalFortiGate interfaces are configured with the default MTU value of 1500.

 

LocalFortiGate # diagnose netlink interface list port2

if=port2 family=00 type=1 index=4 mtu=1500 link=0 master=0
flags=up broadcast run multicast
Qdisc=pfifo_fast hw_addr=00:76:6f:6c:02:02 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=1397166 txp=25783 rxb=280765296 txb=15143493 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0 @ time=1768482908
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0

 

LocalFortiGate # diagnose netlink interface list port3

if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0
flags=up broadcast run multicast
Qdisc=pfifo_fast hw_addr=00:76:6f:6c:02:03 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=183995 txp=1410145 rxb=15451922 txb=2010822979 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0 @ time=1768482912
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0

 

The RemoteFortiGate has port2 configured with MTU 1300 and port3 with MTU 1500.

 

RemoteFortiGate # diagnose netlink interface list port2

if=port2 family=00 type=1 index=4 mtu=1300 link=0 master=0
flags=up broadcast run multicast
Qdisc=pfifo_fast hw_addr=00:76:6f:6c:0f:02 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=1401520 txp=23516 rxb=282031412 txb=14555099 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0 @ time=1768483087
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0

 

RemoteFortiGate # diagnose netlink interface list port3

if=port3 family=00 type=1 index=5 mtu=1500 link=0 master=0
flags=up broadcast run multicast
Qdisc=pfifo_fast hw_addr=00:76:6f:6c:0f:03 broadcast_addr=ff:ff:ff:ff:ff:ff
stat: rxp=415488 txp=3159480 rxb=33994844 txb=4133641553 rxe=0 txe=0 rxd=0 txd=0 mc=0 collision=0 @ time=1768483090
re: rxl=0 rxo=0 rxc=0 rxf=0 rxfi=0 rxm=0
te: txa=0 txc=0 txfi=0 txh=0 txw=0
misc rxc=0 txc=0

 

An ICMP ping is initiated from the LocalPC towards the RemotePC with a packet length of 1350 bytes. This size exceeds the MTU of the RemoteFortiGate port2 interface (1300 bytes).

 

ping 10.123.3.193 -l 1350 -n 1

 

Since the LocalFortiGate MTU (1500) is higher than the packet length (1350), the packet is processed as expected.

 

Packet captures taken from the port2 interface on the RemoteFortiGate display how the interface with a smaller MTU processes the larger packet.

 

image.png

 

  1. Packet 1: Confirms that the larger-sized packet (1392 bytes on wire) is accepted by the RemoteFortiGate on port2, despite the interface MTU being set to 1300.

  2. Packet 2 and Packet 3: Show that the reply packet is fragmented to respect the lower MTU value.

 

A configured lower MTU on an interface does not prevent the firewall from receiving or accepting a larger packet. The interface MTU setting restricts the size of packets the firewall transmits (egress), resulting in fragmentation or a drop (if the 'Don't Fragment' flag is set) if the packet exceeds the MTU value. 
126
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.