I'm trying to limit packet fragmentation (TCP and UDP) for traffic originating from behind the FW and for the VPNs (SSL and IPSEC) logically connecting to it. I'm not sure whether it's best to apply the TCP MSS size adjustment on the FW interfaces or policies or both, and whether to lower the WAN/VPN tunnel interfaces to a lower MTU with PMTU discovery enabled on the FW.
So you need to determine why you are getting fragmentation in the first place and address it in the correct spot. If all traffic is fragmented you likely need a more global setting like on your WAN interface. If it's just VPN traffic then setting mtu and mss on the VPN interfaces would be ideal and all you need to do. Setting it at the policy level works but doesn't work when people forget to set it when creating new policies, for example. It also only works for mss and not mtu (so non-TCP traffic may still get fragmented).
The true area of concern is the IPSEC VPN. Do you recommend setting both TCP MSS to 1360 and MTU to 1400 at the virtual interface and the appropriate policies? This way all the tunnel and all UDP or TCP traffic within it are not fragmented? Leave the WAN interface at MTU 1500 and all other MSS as normal for all other traffic?
Indeed. If you are having issues with fragmentation over the IPSec VPN only then manually set the IPSec interface MTU to 1400 and TCP MSS to 1360 and that should be all you need to do. You do not need to edit the policies as the interface settings will take precedence.
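To sanity-check the 1400/1360 numbers recommended above, here is a small added example (not from the thread or from Fortinet) that estimates the on-the-wire size of an IPsec ESP tunnel-mode packet for a given tunnel-interface MTU and reports whether it would exceed a 1500-byte WAN MTU. The overhead figures are assumptions for a common proposal (IPv4, ESP tunnel mode, AES-128-CBC with HMAC-SHA1-96, NAT-T UDP encapsulation); a different cipher, integrity algorithm or IPv6 changes them, so treat the output as an estimate rather than a guarantee.

```python
# Added example (not the forum's or Fortinet's code): estimate ESP tunnel-mode
# overhead to see whether an inner MTU of 1400 (TCP MSS 1360) fits a 1500 WAN MTU.
# Overhead values below are assumptions for IPv4 + ESP tunnel mode + AES-128-CBC
# + HMAC-SHA1-96 + NAT-T; adjust them to the proposal your tunnel negotiates.

IPV4_HEADER = 20
TCP_HEADER = 20
ESP_HEADER = 8        # SPI (4 bytes) + sequence number (4 bytes)
AES_CBC_IV = 16       # explicit IV for AES-CBC
AES_BLOCK = 16        # plaintext + trailer is padded to this block size
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)
HMAC_SHA1_ICV = 12    # truncated integrity check value
NAT_T_UDP = 8         # UDP 4500 header when NAT traversal is active


def esp_packet_size(inner_len, nat_t=True):
    """Size of the outer IPv4 packet carrying an inner packet of inner_len bytes."""
    body = inner_len + ESP_TRAILER
    # Round the encrypted body up to a whole number of cipher blocks.
    padded = (body + AES_BLOCK - 1) // AES_BLOCK * AES_BLOCK
    size = IPV4_HEADER + ESP_HEADER + AES_CBC_IV + padded + HMAC_SHA1_ICV
    if nat_t:
        size += NAT_T_UDP
    return size


def tcp_mss_for_mtu(mtu):
    """TCP MSS that fills an IPv4 packet of the given MTU with no options."""
    return mtu - IPV4_HEADER - TCP_HEADER


def fragments_on_wan(inner_mtu, wan_mtu=1500, nat_t=True):
    """True if a full-size inner packet would be fragmented on the WAN side."""
    return esp_packet_size(inner_mtu, nat_t) > wan_mtu


def max_inner_mtu(wan_mtu=1500, nat_t=True):
    """Largest tunnel-interface MTU whose encapsulated packets still fit wan_mtu."""
    inner = wan_mtu
    while inner > 0 and esp_packet_size(inner, nat_t) > wan_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    for inner in (1500, 1400):
        print(f"inner MTU {inner}: outer {esp_packet_size(inner)} bytes, "
              f"MSS {tcp_mss_for_mtu(inner)}, "
              f"fragments on 1500 WAN: {fragments_on_wan(inner)}")
    print("largest inner MTU that fits (NAT-T):", max_inner_mtu())
```

With these assumptions a 1400-byte inner packet becomes a 1472-byte ESP packet, so it clears a 1500 WAN MTU with a little headroom, while an untouched 1500-byte inner packet grows to 1568 bytes and gets fragmented. `tcp_mss_for_mtu(1400)` gives 1360, which is why the MSS value tracks the interface MTU minus the 40 bytes of IPv4 and TCP headers; UDP traffic has no MSS to clamp, so only the interface MTU protects it.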
That's a good question. Intuitively I will say no unless you are having issues with TCP/IP fragmentation out of your WAN interface. i.e. if regular HTTPS traffic is being fragmented then you probably need to set your MTU/MSS on your WAN interface as well.