Umer221
Staff
Article Id 326963
Description: This article describes troubleshooting steps to use when a website is blocked and the error 'Destination unreachable (Fragmentation needed)' is observed in the packet capture.
Scope: FortiOS, FortiGate.
Solution

This issue affects a specific website or a specific set of websites and is independent of web filter categorization: it occurs even when the category the website belongs to is allowed.

 

Context:

  1. The Firewall Policy is in Flow mode.
  2. The Web Filter profile is in Flow mode.
  3. The Category related to the website is allowed.
  4. A packet capture, either on the endpoint or on the FortiGate interface, shows ICMP 'Destination unreachable (Fragmentation needed)' messages.

[Image: Fragmentation Needed.png]

  5. Disabling the Web Filter profile on the firewall policy restores access to the website.

 

Solution:

 

This issue occurs because the source device sends IP packets with the Don't Fragment (DF) bit set to 1. A packet with DF set must not be fragmented in transit: when it is larger than the MTU of a hop on the path, that hop drops it and returns an ICMP 'Destination unreachable (Fragmentation needed)' message (ICMP type 3, code 4) to the sender, which is exactly what the capture shows. Unless the sender reacts by sending smaller packets, the oversized packets never get through and the website does not load.

 

[Image: DF bit Set to 1.png]

There are two ways to resolve this issue:

  1. Set the DF bit to 0 on the source device so that upstream devices can fragment the packets when needed.
  2. Clamp the TCP Maximum Segment Size (MSS) on the FortiGate firewall policy so that TCP segments never exceed the path MTU. Note that MSS clamping only affects TCP; it does not help traffic carried over UDP.

 

Solution 2 can be implemented with the following commands:

config firewall policy
    edit 1    <This is the policy that applies to the affected traffic>
        set tcp-mss-sender <value>
        set tcp-mss-receiver <value>
    next
end

 

Set tcp-mss-sender and tcp-mss-receiver to at most 1460 bytes for a 1500-byte MTU. The MSS counts TCP payload only, so it is the MTU minus the 20-byte IPv4 header and the 20-byte TCP header. If the path adds encapsulation, lower the value accordingly: for example, a PPPoE link with a 1492-byte MTU needs an MSS of 1452. Both settings are required because each side advertises its MSS in its own SYN: tcp-mss-sender clamps the value sent by the policy's source, tcp-mss-receiver the value sent back by the destination. A value of 0 (the default) leaves the MSS unchanged.
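The following Python script is an added worked example, not Fortinet code and not part of the original article. It shows the three pieces the two paragraphs above rely on: reading the DF flag from an IPv4 header, decoding the next-hop MTU carried in an ICMP 'Fragmentation needed' (type 3, code 4) message, and deriving the MSS to clamp to from a given MTU. It goes slightly beyond the article by also handling IPv6 (40-byte header) and extra per-packet encapsulation overhead. The packet and ICMP bytes are constructed inline with RFC 5737 test addresses and zeroed checksums; the function names are the example's own.

```python
"""Added example (not Fortinet code): DF bit, ICMP 'Fragmentation needed'
and MSS clamping arithmetic behind the FortiGate tcp-mss-* settings."""
import struct
from typing import Optional

IPV4_HEADER_LEN = 20   # minimum IPv4 header, no options
IPV6_HEADER_LEN = 40   # fixed IPv6 header
TCP_HEADER_LEN = 20    # TCP header without options
ICMP_UNREACHABLE = 3   # ICMP type: Destination Unreachable
ICMP_FRAG_NEEDED = 4   # ICMP code: Fragmentation Needed and DF was Set


def ipv4_flags(packet: bytes) -> dict:
    """Return DF/MF flags, fragment offset and total length of an IPv4 header.

    The 16-bit field at offset 6 holds the flags in its top three bits:
    bit 14 (0x4000) is DF (Don't Fragment), bit 13 (0x2000) is MF."""
    if len(packet) < IPV4_HEADER_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return {
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "offset": flags_frag & 0x1FFF,
        "total_length": struct.unpack("!H", packet[2:4])[0],
    }


def parse_frag_needed(icmp: bytes) -> Optional[int]:
    """Return the next-hop MTU advertised by an ICMP type 3 / code 4 message
    (RFC 1191 puts it in bytes 6-7 of the ICMP header), or None for any
    other ICMP message."""
    if len(icmp) < 8:
        return None
    icmp_type, code, _cksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type != ICMP_UNREACHABLE or code != ICMP_FRAG_NEEDED:
        return None
    return next_hop_mtu


def mss_for_mtu(mtu: int, ipv6: bool = False, extra_overhead: int = 0) -> int:
    """Largest TCP MSS whose segment still fits in `mtu` bytes on the wire.

    MSS counts TCP payload only, so the IP and TCP headers and any
    per-packet encapsulation (PPPoE, IPsec, GRE, ...) must be subtracted."""
    ip_len = IPV6_HEADER_LEN if ipv6 else IPV4_HEADER_LEN
    mss = mtu - ip_len - TCP_HEADER_LEN - extra_overhead
    if mss <= 0:
        raise ValueError("MTU too small to carry an IP and TCP header")
    return mss


def build_ipv4_header(total_length: int, df: bool, proto: int = 6) -> bytes:
    """Constructed sample: minimal IPv4 header (checksum 0, RFC 5737 addresses)."""
    flags_frag = 0x4000 if df else 0
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length, 0x1234, flags_frag, 64, proto, 0,
        bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]),
    )


def build_frag_needed(next_hop_mtu: int) -> bytes:
    """Constructed sample: ICMP type 3 / code 4 header (checksum 0)."""
    return struct.pack("!BBHHH", ICMP_UNREACHABLE, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)


def fits_path(packet: bytes, path_mtu: int) -> bool:
    """Would this packet cross a hop with `path_mtu` without being dropped?

    With DF set, an oversized packet is discarded and answered with ICMP
    type 3 / code 4; with DF clear the hop fragments it instead."""
    info = ipv4_flags(packet)
    return info["total_length"] <= path_mtu or not info["df"]


if __name__ == "__main__":
    syn = build_ipv4_header(total_length=1500, df=True)
    print(ipv4_flags(syn))                               # df=True
    print(fits_path(syn, 1492))                          # False: dropped on a PPPoE hop
    mtu = parse_frag_needed(build_frag_needed(1492))
    print(mtu, mss_for_mtu(mtu))                         # 1492 1452
    print(mss_for_mtu(1500), mss_for_mtu(1500, ipv6=True))  # 1460 1440
```

The value returned by mss_for_mtu() for the smallest MTU seen on the path is the one to put into tcp-mss-sender and tcp-mss-receiver; fits_path() reproduces the drop decision that produces the ICMP messages in the capture.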

 

To adjust the MSS value at the interface level instead of per policy, refer to 'How to tune TCP maximum segment size in explicit proxy FortiGate'.
