FortiGate
ppatel
Staff
Article Id 202217
Description

This article describes how to enable path MTU (PMTU) discovery for FortiGate self-originated traffic.

Scope

FortiGate.

Solution
  • On the FortiOS 5.6 and 6.0 lines, by default, any self-originated traffic from FortiGate (including proxy) has the DF bit set.

Fragmentation is therefore not allowed along the path to the server. When an intermediate router's MTU is smaller, this automatically triggers path MTU discovery and FortiGate adjusts the packet size.

  • From FortiOS v6.2 onwards, the DF bit is not set for self-originated traffic. Path MTU discovery can be configured as below:


config system global
    set pmtu-discovery enable | disable (Disabled by default)
    set send-pmtu-icmp enable | disable (Enabled by default)
end
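
The DF-bit behaviour described above, as an added example (a toy Python model of RFC 1191 path MTU discovery, not FortiOS code and not part of the original article). It shows a DF-set sender converging on the path MTU from ICMP "fragmentation needed" replies, the same packet being fragmented in transit when DF is clear, and the stall that results when a hop drops oversized DF packets without sending the ICMP. The names `Hop`, `forward` and `discover_pmtu`, the `sends_icmp` flag (assumed here to stand in for `send-pmtu-icmp` on a hop) and all MTU values are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    mtu: int                 # MTU of the link leaving this hop
    sends_icmp: bool = True  # assumption: models "send-pmtu-icmp enable" on this hop

def forward(size, df, path):
    """Send one packet of `size` bytes along `path`.
    Returns ("delivered", was_fragmented), ("icmp", hop_mtu) or ("dropped", None)."""
    fragmented = False
    for hop in path:
        if size <= hop.mtu:
            continue
        if not df:
            # DF clear: the router fragments; the largest piece now fits this link
            size, fragmented = hop.mtu, True
            continue
        # DF set: the router must drop the packet. ICMP type 3 code 4
        # ("fragmentation needed") reports its MTU back to the sender.
        return ("icmp", hop.mtu) if hop.sends_icmp else ("dropped", None)
    return ("delivered", fragmented)

def discover_pmtu(local_mtu, path, max_tries=8):
    """DF-set sender: shrink the packet to the MTU reported in each ICMP reply.
    Returns (pmtu, packets_sent); pmtu is None when no ICMP feedback arrives."""
    size = local_mtu
    for sent in range(1, max_tries + 1):
        status, info = forward(size, True, path)
        if status == "delivered":
            return size, sent
        if status == "dropped":
            return None, sent  # PMTU black hole: the sender never learns the MTU
        size = info
    return None, max_tries

# Constructed sample path: a 1500-byte LAN, then two narrower links
PATH = [Hop(1500), Hop(1400), Hop(1280)]

if __name__ == "__main__":
    print("DF set, ICMP returned:", discover_pmtu(1500, PATH))
    print("DF set, ICMP suppressed:",
          discover_pmtu(1500, [Hop(1500), Hop(1400, sends_icmp=False)]))
    print("DF clear:", forward(1500, False, PATH))
```

The suppressed-ICMP case is the one to look for when large self-originated transfers hang while small ones succeed: check that ICMP type 3 code 4 is permitted along the path.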