Configure fragment settings

Configure fragment settings to manage the handling of fragmented IP packets on your Firewall Threat Defense device. These settings help prevent Denial of Service (DoS) attacks and ensure applications that require packet fragmentation operate properly.

  • Set limits for the number of fragments per packet and for fragments awaiting reassembly.

  • Set the timeout for fragment reassembly.

  • Allow fragments only if your network applications require them.

By default, the Firewall Threat Defense device allows up to 24 fragments per IP packet. It also allows up to 200 fragments awaiting reassembly. Applications such as NFS over UDP may require fragmented packets, but attackers often use fragmented packets in Denial of Service (DoS) attacks.

These settings establish the defaults for devices assigned this policy. You can override these settings for specific interfaces on a device by selecting Override Default Fragment Setting in the interface configuration. When you edit an interface, you can find the option on Advanced > Security Configuration. Select Devices > Device Management, edit a Firewall Threat Defense device, and select Interfaces to edit interface properties.

  • Allow fragments only if required by your network applications.

  • Override the default settings for specific interfaces when your configuration requires it.

Procedure

Step 1

Choose Devices > Platform Settings and create or edit the Firewall Threat Defense policy.

Step 2

Select Fragment Settings.

Step 3

Configure the available options. To use the default settings, click Reset to Defaults.

  • Size (Block)—The maximum number of packet fragments from all connections collectively that can be waiting for reassembly. The default value is 200 fragments. (One fragment equals one packet segment.)
  • Chain (Fragment)—The maximum number of packets into which a full IP packet can be fragmented. The default is 24 packets. Set this option to one to disallow fragments.
  • Timeout (Sec)—The maximum number of seconds to wait for an entire fragmented packet to arrive. The default is five seconds. If all fragments are not received within this time, all fragments are discarded.

Step 4

Click Save.

You can now go to Deploy > Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

What to do next

Deploy the policy to activate the new fragment settings on assigned devices. Monitor device performance and change fragment settings as needed.