
How does the Palo Alto Networks Firewall Manage Fragmented Traffic?

86763
Created On 09/25/18 19:24 PM - Last Modified 11/20/24 21:57 PM


Question


How does the Palo Alto Networks Firewall Manage Fragmented Traffic?



Environment


  • Palo Alto Networks Firewall
  • Supported PAN-OS


Answer


This document explains how Palo Alto Networks firewalls manage fragmented traffic in two different scenarios.

[Figure: topology used in both scenarios. Host A (interface ethA) is connected to firewall interface eth1/1; firewall interface eth1/2 is connected to Host B (interface ethB).]

Scenario 1:  Host A is sending a 1500-byte IP packet to Host B.

Interface   MTU
ethA        1500
eth1/1      1500
ethB        1500
eth1/2      1400
  • Firewall interface eth1/2 is configured with a 1400-byte MTU.
  • Packets larger than 1400 bytes received on eth1/1 must therefore be fragmented before egressing on eth1/2.
  • If the DF (Don't Fragment) bit is set in the IP header, the Palo Alto Networks firewall does not fragment the packet. It discards the packet and sends an ICMP Destination Unreachable, Fragmentation Needed message (type 3, code 4) to the sender; the next-hop MTU field of that message carries the egress interface MTU (1400 here), so a sender performing Path MTU Discovery can reduce its packet size.


  • In the global counters (show counter global; columns are name, value, rate, severity, category, aspect, description), flow_fwd_ip_df increments for each packet dropped because it exceeded the egress MTU while the DF bit was set:
flow_fwd_ip_df                    1        0 drop      flow      forward   Packets dropped: exceeded MTU but DF bit present
  • If the DF bit is not set in IP header, firewall fragments traffic according to the egress interface's MTU and forwards fragmented traffic to eth1/2.
  • The following appears in the global counters:
flow_fwd_mtu_exceeded            1        0 info      flow      forward   Packets lengths exceeded MTU
flow_ipfrag_frag                 2        0 info      flow      ipfrag    IP fragments transmitted


Scenario 2:  Host A is sending a 1500-byte IP packet to Host B.

Interface   MTU
ethA        1400
eth1/1      1500
ethB        1500
eth1/2      1500
  • Host A, whose interface ethA has a 1400-byte MTU, must fragment the 1500-byte IP packet itself before sending it.
  • The fragments arrive on eth1/1 of the Palo Alto Networks firewall.
  • The firewall first reassembles the fragments so that it can inspect the content, then forwards the traffic out egress interface eth1/2 as fragments according to the egress MTU. Reassembly is performed strictly for content inspection, not for forwarding: the reassembled datagram itself is not what leaves the firewall. Note that fragments are transmitted in sequence (by fragment offset), not necessarily in the order in which they were received.
  • Global counters:
flow_ipfrag_recv                 4        1 info      flow      ipfrag    IP fragments received
flow_ipfrag_free                 2        0 info      flow      ipfrag    IP fragments freed after defragmentation
flow_ipfrag_merge                2        0 info      flow      ipfrag    IP defragmentation completed
flow_ipfrag_frag                 4        1 info      flow      ipfrag    IP fragments transmitted

The reverse direction (Host B sending packets to Host A) works the same way in both scenarios.
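The two scenarios above as a runnable model. This is an added example, not PAN-OS code, and every function and address name in it is invented for the illustration. It builds real IPv4 headers with struct so that the DF/MF flags, the 8-byte-aligned fragment offsets and the header checksum can be checked. fragment() applies the egress rule of Scenario 1: a datagram larger than the egress MTU is dropped and an ICMP type 3, code 4 (Fragmentation Needed) description carrying the egress MTU is returned when DF is set, and is otherwise split. reassemble() and forward_fragments() model Scenario 2: fragments are reassembled only for inspection, and the packets forwarded are the original fragments, each re-fragmented only if it exceeds the egress MTU. That forwarding choice is an assumption consistent with the counters shown (4 fragments received, 4 transmitted), not a statement about PAN-OS internals. Addresses and payload are constructed sample data; IP options are not modelled.

```python
"""Model of the fragmentation decisions described above (added example, not PAN-OS code)."""
import socket
import struct

IP_DF = 0x4000   # Don't Fragment flag in the flags/fragment-offset field
IP_MF = 0x2000   # More Fragments flag
IP_HLEN = 20     # header length; this model assumes no IP options


def ip_checksum(hdr):
    """One's-complement checksum of an IPv4 header (0 when run over a valid header)."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload, src, dst, ident=0x1234, flags=0, frag_off=0, proto=17, ttl=64):
    """Build an IPv4 datagram; frag_off is in 8-byte units, as on the wire."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HLEN + len(payload), ident,
                      flags | frag_off, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt):
    """Decode the fields the fragmentation logic needs; frag_off is returned in bytes."""
    (vihl, _tos, total_len, ident, ff, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IP_HLEN])
    ihl = (vihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "ident": ident, "ttl": ttl,
            "proto": proto, "df": bool(ff & IP_DF), "mf": bool(ff & IP_MF),
            "frag_off": (ff & 0x1FFF) * 8, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total_len]}


def fragment(pkt, egress_mtu):
    """Egress decision for one datagram: returns (packets_to_send, icmp_error).

    Fits the MTU: forwarded untouched.  Too big with DF set: dropped, and an
    ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4) that
    carries the egress MTU goes back to the sender (flow_fwd_ip_df).  Too big
    without DF: split at 8-byte-aligned offsets (flow_fwd_mtu_exceeded,
    flow_ipfrag_frag).
    """
    p = parse_ipv4(pkt)
    if p["total_len"] <= egress_mtu:
        return [pkt], None
    if p["df"]:
        return [], {"type": 3, "code": 4, "next_hop_mtu": egress_mtu, "to": p["src"]}
    max_payload = (egress_mtu - p["ihl"]) // 8 * 8   # offsets are counted in 8-byte units
    data, frags = p["payload"], []
    for i in range(0, len(data), max_payload):
        last = i + max_payload >= len(data)
        flags = (IP_MF if p["mf"] else 0) if last else IP_MF   # a fragment of a fragment keeps MF
        frags.append(build_ipv4(data[i:i + max_payload], p["src"], p["dst"], ident=p["ident"],
                                flags=flags, frag_off=(p["frag_off"] + i) // 8,
                                proto=p["proto"], ttl=p["ttl"]))
    return frags, None


def reassemble(frags):
    """Rebuild the datagram from fragments in any order (flow_ipfrag_merge); None if incomplete."""
    parsed = sorted((parse_ipv4(f) for f in frags), key=lambda p: p["frag_off"])
    if not parsed or parsed[-1]["mf"]:
        return None                       # final fragment (MF=0) not yet seen
    data, expected = b"", 0
    for p in parsed:
        if p["frag_off"] != expected:
            return None                   # gap or overlap: do not merge
        data += p["payload"]
        expected += len(p["payload"])
    f = parsed[0]
    return build_ipv4(data, f["src"], f["dst"], ident=f["ident"], proto=f["proto"], ttl=f["ttl"])


def forward_fragments(frags, egress_mtu, inspect):
    """Scenario 2: reassemble only to inspect, then forward the fragments themselves.

    Assumption consistent with the article's counters (4 received, 4 sent): the
    original fragments egress, each re-fragmented only if it exceeds egress_mtu.
    """
    whole = reassemble(frags)
    if whole is None or not inspect(parse_ipv4(whole)["payload"]):
        return []                         # incomplete, or blocked by inspection
    out = []
    for f in frags:
        out.extend(fragment(f, egress_mtu)[0])
    return out


HOST_A, HOST_B = "192.0.2.10", "198.51.100.20"   # constructed documentation addresses
PAYLOAD = bytes(range(256)) * 5 + bytes(200)     # 1480 bytes of payload: a 1500-byte datagram


def scenario_1(df):
    """Host A sends 1500 bytes; firewall egress eth1/2 has MTU 1400."""
    return fragment(build_ipv4(PAYLOAD, HOST_A, HOST_B, flags=IP_DF if df else 0), 1400)


def scenario_2(inspect=lambda data: b"EVIL" not in data):
    """Host A (MTU 1400) fragments first; firewall reassembles, inspects, forwards via eth1/2 (MTU 1500)."""
    host_frags, _ = fragment(build_ipv4(PAYLOAD, HOST_A, HOST_B), 1400)
    return host_frags, forward_fragments(host_frags, 1500, inspect)


if __name__ == "__main__":
    sent, icmp = scenario_1(df=False)
    print([parse_ipv4(f)["total_len"] for f in sent], icmp)   # [1396, 124] None
    print(scenario_1(df=True))                                # ([], {... 'next_hop_mtu': 1400 ...})
    host_frags, out = scenario_2()
    print(len(host_frags), len(out), reassemble(out) == build_ipv4(PAYLOAD, HOST_A, HOST_B))  # 2 2 True
```

The fragment sizes fall out of the 8-byte offset unit: with a 1400-byte egress MTU and a 20-byte header the largest fragment payload is 1376 bytes (1380 rounded down to a multiple of 8), so a 1500-byte datagram becomes a 1396-byte fragment with MF set and a 124-byte fragment at offset 1376, matching the flow_ipfrag_frag count of 2 in Scenario 1. The reassembler rejects gaps and overlapping fragments rather than guessing, which is the behaviour you want in anything that inspects reassembled content.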



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXXCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail