bstefanovski
Staff
Article Id 344561
Description

This article describes how to see the correct size of the packets passing through the firewall as they are sent by the requester.

Scope: FortiGate.
Solution

Check whether FortiGate is configured to fragment the traffic when fragmentation is needed.

 

show | grep honor

show full | grep -f honor

 

Results are similar to the following:

 

set honor-df enable/disable    <-- If this is enabled, FortiGate does not fragment the traffic. (If the arriving packets come from an initiator that allows fragmentation, FortiGate can still fragment the traffic if needed.)

 

Whether the initiator allows fragmentation can be seen in Wireshark.

 

Example:

 

Under Internet Protocol Version 4, Src: 10.0.0.0, Dst: 10.0.0.0.

Under the flags section as below:

 

000. .... = Flags: 0x0

0... .... = Reserved bit: Not set

.0.. .... = Don't fragment: Not set <-----

..0. .... = More fragments: Not set

 

To see the correct MTU size:

 

From CMD run the ping:

 

ping -n 1 -l 4000 xx.xx.xx.xx

xx.xx.xx.xx is the destination IP. <----- 4000 is the packet size; use a larger packet size if needed.

 

To clarify what this command is doing in detail:

 

ping: This is the command that sends ICMP Echo Request packets to a specified network host.

 

-n 1: This specifies that only 1 ping request should be sent. Normally, ping sends 4 requests by default.

 

-l 4000: This sets the packet size to 4000 bytes. The default packet size is 32 bytes, so this option is used to send a larger packet to test network performance under a bigger load. The maximum packet size that can be sent using the ping command is 65,500 bytes. However, when testing jumbo frames, the effective limit for the ping command is approximately 8,972 bytes. This size accounts for the overhead in a 9,000-byte Ethernet jumbo frame, which is typically used for such testing.

 

On the FortiGate:

 

diag sniffer packet any "host xx.xx.xx.xx and icmp" 4 10 1

xx.xx.xx.xx is the destination IP.

 

Start the sniffer first, then initiate the ping while it is running.

The correct size of the packets passing through the FortiGate is shown in the sniffer output.
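As an added example (not from the article or from FortiOS), the following Python models what the 4000-byte ping above becomes on a 1500-byte MTU link and the honor-df decision described earlier. `fragment`, `forward`, `build_ipv4_header` and `parse_flags` are assumed helper names, and `forward` is a simplified model of the firewall's choice, not FortiOS code.

```python
import socket
import struct

IP_HDR_LEN = 20             # IPv4 header without options
ICMP_HDR_LEN = 8            # ICMP echo request header
DF, MF = 0x4000, 0x2000     # DF / MF bits of the 16-bit flags+fragment-offset field

def ping_total_length(payload_len):
    """Total IPv4 length of 'ping -l <payload_len>' (-l is the ICMP data size)."""
    return IP_HDR_LEN + ICMP_HDR_LEN + payload_len

def fragment(total_len, mtu, df):
    """Split an IPv4 packet for a link MTU as RFC 791 describes.
    Returns [(fragment_total_len, flags, offset_in_bytes), ...] and raises
    ValueError where a router would instead answer ICMP type 3 code 4."""
    if total_len <= mtu:
        return [(total_len, DF if df else 0, 0)]
    if df:
        raise ValueError("fragmentation needed and DF set")
    per_frag = (mtu - IP_HDR_LEN) // 8 * 8   # non-final fragments carry a multiple of 8 bytes
    payload, frags, off = total_len - IP_HDR_LEN, [], 0
    while off < payload:
        chunk = min(per_frag, payload - off)
        last = off + chunk >= payload
        frags.append((IP_HDR_LEN + chunk, 0 if last else MF, off))
        off += chunk
    return frags

def forward(total_len, mtu, df, honor_df):
    """Model (assumption, not FortiOS code) of the honor-df behaviour described above:
    with honor-df disabled the firewall fragments even when the sender set DF."""
    return fragment(total_len, mtu, df and honor_df)

def build_ipv4_header(total_len, ident, flags, offset_bytes, src, dst):
    """Pack a minimal IPv4/ICMP header (checksum left at 0) for one fragment."""
    frag_field = flags | (offset_bytes // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, frag_field,
                       64, 1, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_flags(header):
    """Decode the fields Wireshark shows under 'Flags' (Reserved / DF / MF / offset)."""
    total_len, frag_field = struct.unpack("!2xH2xH", header[:8])
    return {"total_len": total_len, "reserved": bool(frag_field & 0x8000),
            "df": bool(frag_field & DF), "mf": bool(frag_field & MF),
            "offset": (frag_field & 0x1FFF) * 8}

if __name__ == "__main__":
    # Constructed sample: the 4000-byte ping, DF not set, crossing a 1500-byte MTU
    for ln, flags, off in forward(ping_total_length(4000), 1500, df=False, honor_df=True):
        print(parse_flags(build_ipv4_header(ln, 0x1234, flags, off, "10.0.0.1", "10.0.0.2")))
```

The three printed fragments (1500, 1500 and 1068 bytes) are the sizes the sniffer shows for one `ping -l 4000` when the sender does not set DF.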

 

Note:

FortiGates do not record traffic logs for sessions offloaded to FortiGate NP processors.

 

How to disable NPU offloading:

 

config firewall policy
    edit <ID>    <----- Policy ID here.
        set auto-asic-offload disable
    next
end

 

To check the MTU size configured on the firewall:

 

show sys int portXX

sh full sys int portXX | grep mtu

diag netlink interface list portXX

 

Replace XX with the port in use.

 

For additional guidance on isolating the issue and implementing the solutions discussed above, refer to the following article:
Technical Tip: Destination unreachable (Fragmentation needed)

 

Related documents:

Technical Tip: Destination unreachable (Fragmentation needed)

Technical Tip: Finding the MTU of a FortiGate interface
Technical Tip: MTU size on a Physical interface is displayed differently to the explicit MTU in PPPo...
Technical Tip: Explaining the 'honor-df' global setting
Technical Tip: IP Packet fragmentation over IPSec tunnel interface explained

Disabling NP offloading for firewall policies