IP Fragmentation Tests Fail

Created On 09/26/18 13:49 PM - Last Modified 07/20/22 15:19 PM


Resolution


Details

When IP fragmentation is tested using large ICMP packets, the test may fail because of security settings, as shown below:

Note: To test IP fragmentation, run a ping with an adjusted ICMP packet size as follows: "ping 4.2.2.2 -l 2048".

[Screenshot: pingblur.png]

The failure is due to advanced security settings configured in a "Zone Protection Profile":

  1. To see this configuration, go to Network > Zone Protection.
  2. Click Zone Protection Profile, then navigate to Packet Based Attack Protection.
    As shown in the screenshot below, it is possible to block large ICMP packets and take other measures to secure ICMP in an environment:
    [Screenshot: ZPPUpdate2.PNG]
    As shown in the following screenshot, when those settings are removed, fragmentation tests using ICMP will work:
    [Screenshot: Pingworksblur.png]
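
The following added example (not part of the original article) computes how the echo request sent by "ping -l <size>" is split into IP fragments and which ICMP drop checks it would trip, which helps identify the profile setting behind a failed test. It assumes a 1500-byte MTU and a 1024-byte large-ICMP threshold measured on the whole IP datagram; the check names "icmp-fragment" and "icmp-large-packet" are hypothetical labels, not product identifiers.

```python
IP_HEADER = 20            # IPv4 header without options
ICMP_HEADER = 8           # ICMP echo request header
LARGE_ICMP_LIMIT = 1024   # assumed threshold; confirm against your own profile


def fragment_layout(payload_len, mtu=1500):
    """Return [(offset, data_len, more_fragments)] for an ICMP echo request
    carrying payload_len bytes of data (the value passed to ping -l)."""
    remaining = ICMP_HEADER + payload_len      # bytes carried after the IP header
    per_frag = (mtu - IP_HEADER) // 8 * 8      # fragment offsets count 8-byte units
    frags, offset = [], 0
    while remaining > 0:
        size = min(per_frag, remaining)
        remaining -= size
        frags.append((offset, size, remaining > 0))
        offset += size
    return frags


def predict(payload_len, mtu=1500, drop_fragments=True, drop_large=True):
    """Predict which (hypothetically named) ICMP checks would drop the ping."""
    frags = fragment_layout(payload_len, mtu)
    total = IP_HEADER + ICMP_HEADER + payload_len   # unfragmented datagram size
    reasons = []
    if drop_fragments and len(frags) > 1:
        reasons.append("icmp-fragment")
    # Assumption: the size check is applied to the whole IP datagram length.
    if drop_large and total > LARGE_ICMP_LIMIT:
        reasons.append("icmp-large-packet")
    return {"fragments": frags, "ip_total_len": total, "dropped_by": reasons}


if __name__ == "__main__":
    # Constructed sizes: default Windows ping, large but unfragmented, the article's test.
    for size in (32, 1200, 2048):
        print(size, predict(size))
```

Pinging with a size that is large but fits in one packet (1200 here) separates a large-packet drop from a fragment drop before any profile setting is changed.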

owner: jperry


