FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
oarslan
Staff
Staff
Article Id 194518

Description

 

This article describes how to set the TCP MSS value. The Maximum Segment Size (MSS) is a parameter in the OPTIONS field of the TCP header that states the largest amount of payload (in bytes) that a communication device can handle in a single, unfragmented TCP segment. 
 
For optimum communication, the number of bytes in the data segment and the header must add up to less than the number of bytes in the Maximum Transmission Unit (MTU).
 
By default it will be 40 bytes less than MTU. So if a PC's MTU has by default 1500 bytes it will send a MSS of 1460 bytes.
 
If the communication network has a lower MTU value, but the client PC is not aware of it, it will send its MSS value of 1460 bytes to the server. The server will therefore think that the client can receive 1500 bytes (1460 MSS layer4 +20 ip header +20 TCP header) and will send a packet with a size of 1500 bytes. Now if the MTU is lower somewhere in the path, then the packet can be fragmented. If the DF (don't fragment) bit is set then the packet can be dropped, which can cause delays or slowness in the network.
 
Scope
 
FortiGate.


Solution

 

To avoid such scenarios, the TCP MSS value can be changed. By doing this, the firewall will modify the TCP MSS sent by client/server in the TCP syn/syn-ack packets so the remote end receives a smaller MSS and sends smaller packets.
 
To change the tcp-mss on FortiGate:
 
config firewall policy
    edit <policy id>
         set tcp-mss-sender <mss value>
         set tcp-mss-receiver <mss value>
 
tcp-mss-sender : value of the sender's TCP MSS, will modify the TCP MSS field in the TCP syn packet
tcp-mss-receiver : value of the receiver's TCP MSS, will modify the TCP MSS field in the TCP syn packet
 
Note:
if the firewall receives a packet with a segment size that is lower than the one configured in the policy, it will not modify the TCP MSS field. For example, if the firewall policy is configured to set MSS of 1440 and the packet arrives with MSS 1200, the value will not be modified and the packet will be forwarded with MSS 1200.

When NGFW in settings under system is set to Policy-Based:

TCP-MSS can be adjusted in the 'SSL Inspection & Authentication' policy (Under policy and objects) and not in Security policies.
Create a 'SSL Inspection & Authentication' policy (From GUI under policy & Objects) or From CLI, create (Or edit) using the command 'Config firewall policy' and set the tcp-mss using below commands :

config firewall policy
    edit <policy id>
         set tcp-mss-sender <mss value>
         set tcp-mss-receiver <mss value>
 
THE PING TEST:
 
To find the optimum MSS/MTU value of the network, do the 'ping test' to find the MTU and then reduce 40 from that value and set that as tcp-mss in the firewall policy.
 
For MS Windows OS client enter:
 
ping -f -l 1472 <server ip>
 
For Apple MAC OS client enter:
 
ping -D -s <size> <server_ip> 
 
For 1500 bytes MTU, 1500-28 (20 bytes=IP header and 8 bytes=ICMP header) = 1472
 
If the packet needs to be fragmented but the DF bit set, it means that the MTU is less than 1500 bytes.
Suppose it is possible to ping with a size of 1400 but not with a size of 1401, this means that the MTU value is 1400+28=1428 bytes.
The solution is either to fix the MTU in the network device or to set the TCP MSS in the firewall policy to 1428-40=1388 bytes.