FortiGate
wdeloraine_FTNT
Article Id 403812

 

Description: This article describes how fragmented IP packets are distributed to workers on chassis-based FortiGate, and which load-balance settings are needed for every fragment of a datagram to reach the same worker.
Scope: Chassis-based FortiGate-6000F, 7000E, and 7000F Series.
Solution
  • Default Configuration:

config load-balance setting
    config workers
        edit 3
        next
        edit 4
        next
    end
end

With the default settings, the first fragment of a datagram is sent to the correct worker, but all subsequent fragments are broadcast to every worker. Only the first fragment carries the Layer 4 header, so only it can be hashed on the default distribution method (source and destination IP address plus source and destination port); the later fragments contain no port numbers to hash on.

 

  • Enable DP fragment session:

config load-balance setting
    set dp-fragment-session enable
    config workers
        edit 3
        next
        edit 4
        next
    end
end

Enabling dp-fragment-session on its own does not change the behavior: the first fragment is still sent to the correct worker, but the subsequent fragments are still broadcast, because the distribution method is unchanged and still depends on port numbers that the later fragments do not carry.

 

  • ISF sw distribution method change:

config load-balance setting
    set dp-fragment-session enable
    set sw-load-distribution-method src-dst-ip
    config workers
        edit 3
        next
        edit 4
        next
    end
end

With the distribution hash limited to the source and destination IP addresses, fields that every fragment carries, the first fragment and all subsequent fragments of the datagram are sent to the same, correct worker.
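To make the three observations above concrete, the following Python script (added here as an illustration; it is not Fortinet code and does not reproduce the actual ISF or DP hash, which it replaces with a CRC32 over the header fields) builds a fragmented UDP datagram, parses each fragment the way a hash-based distributor would, and shows why a source/destination IP and port method can only place the first fragment, while src-dst-ip places every fragment on the same worker. The addresses, ports, fragment size and the worker IDs 3 and 4 are constructed sample values.

```python
import socket
import struct
import zlib

# Worker IDs mirror the article's "config workers" block (edit 3 / edit 4).
WORKERS = [3, 4]

# Simplified stand-ins for the two sw-load-distribution-method values.
FIVE_TUPLE = "src-dst-ip-sport-dport"   # default on these chassis
IP_PAIR = "src-dst-ip"                  # the setting the article changes to


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_fragments(src, dst, sport, dport, payload, frag_payload=32, ident=0x1234):
    """Split one UDP datagram into raw IPv4 fragments (constructed traffic).

    Only the offset-0 fragment carries the UDP header (ports); the others
    carry payload bytes only, which is why a port-based hash cannot be
    computed for them. frag_payload must be a multiple of 8.
    """
    if frag_payload % 8:
        raise ValueError("fragment payload must be a multiple of 8 bytes")
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    frags = []
    for off in range(0, len(udp), frag_payload):
        chunk = udp[off:off + frag_payload]
        more = 0x2000 if off + frag_payload < len(udp) else 0  # MF flag
        flags_frag = more | (off // 8)                        # offset in 8-byte units
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_frag, 64, 17, 0,
                          socket.inet_aton(src), socket.inet_aton(dst))
        hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def parse_ipv4(pkt):
    """Extract the fields a load-balancer hash would look at."""
    ihl = (pkt[0] & 0x0F) * 4
    _, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    offset = (flags_frag & 0x1FFF) * 8
    more = bool(flags_frag & 0x2000)
    ports = None
    l4 = pkt[ihl:]
    # Port numbers exist only in the first fragment of a TCP/UDP datagram.
    if offset == 0 and proto in (6, 17) and len(l4) >= 4:
        ports = struct.unpack("!HH", l4[:4])
    return {"src": pkt[12:16], "dst": pkt[16:20], "proto": proto, "ident": ident,
            "offset": offset, "more": more, "ports": ports}


def pick_worker(fields, method):
    """Return the worker for this packet, or None if it cannot be hashed.

    CRC32 is a stand-in for the real ISF hash (an assumption); the address
    pair is sorted so both directions of a session land on the same worker.
    """
    addr_key = b"".join(sorted([fields["src"], fields["dst"]]))
    if method == IP_PAIR:
        key = addr_key
    elif method == FIVE_TUPLE:
        if fields["ports"] is None:
            return None  # no L4 header in this fragment: nothing to hash on
        key = addr_key + struct.pack("!HH", *sorted(fields["ports"]))
    else:
        raise ValueError("unknown distribution method: %s" % method)
    return WORKERS[zlib.crc32(key) % len(WORKERS)]


def distribute(packets, method):
    """Per packet, the set of workers that receive it (all workers = broadcast)."""
    out = []
    for pkt in packets:
        worker = pick_worker(parse_ipv4(pkt), method)
        out.append(set(WORKERS) if worker is None else {worker})
    return out


if __name__ == "__main__":
    frags = build_ipv4_fragments("10.0.0.1", "10.0.0.2", 40000, 53, b"A" * 100)
    for method in (FIVE_TUPLE, IP_PAIR):
        print(method)
        for frag, targets in zip(frags, distribute(frags, method)):
            p = parse_ipv4(frag)
            print("  offset=%3d ports=%-14s -> workers %s" % (p["offset"], p["ports"], sorted(targets)))
```

Under the port-based method the script places the offset-0 fragment on one worker and broadcasts the rest; under src-dst-ip all four fragments hash to the same worker. dp-fragment-session is deliberately not modelled, since, as the article observes, enabling it without changing the distribution method does not change where the fragments land.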

 

Related document:

Load balancing TCP and UDP sessions with fragmented packets