Firewall is dropping fragmented packets when zone protection is enabled
Symptom
- The firewall drops the packets and the global counter “flow_dos_pf_ipfrag” increments.
Global counters:
Elapsed time since last sampling: 3.917 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_dos_pf_ipfrag 2 0 drop flow dos Packets dropped: Zone protection option 'discard-ip-frag'
- Please refer to the document below, which explains how to check the global counters for specific traffic:
Environment
- Zone protection configured with “discard-ip-frag” enabled
Cause
- The firewall drops every fragmented packet it receives if the ingress zone has a zone protection profile attached with the “Fragmented traffic” option enabled.
- Run the following CLI command to check whether the setting is configured:
> show zone-protection zone <ingress zone name>
------------------------------------------------------------------------------------------
Number of zones with protection profile: 1
------------------------------------------------------------------------------------------
Zone L3-Trust, vsys vsys1, profile Sample
------------------------------------------------------------------------------------------
IPv(4/6) Filter:
discard-ip-frag: enabled: yes, packet dropped: 10 ---> The option is enabled here
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
discard-tcp-syn-with-data: enabled: yes, packet dropped: 0
discard-tcp-synack-with-data: enabled: yes, packet dropped: 0
IPv4 packet filter:
IPv6 packet filter:
------------------------------------------------------------------------------------------
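As an added example (not part of this article or of PAN-OS), a small Python parser for the `show zone-protection zone` output shown above. It reports which zones have discard-ip-frag enabled and how many packets that option has already dropped; the sample output is constructed, with a second zone (hypothetical values) added to show the parser handling more than one zone.

```python
import re

# Constructed sample output of `show zone-protection zone`, in the format shown
# in this article; the second zone and its values are made up for the example.
SAMPLE_OUTPUT = """\
Number of zones with protection profile: 2
------------------------------------------------------------------------------------------
Zone L3-Trust, vsys vsys1, profile Sample
------------------------------------------------------------------------------------------
IPv(4/6) Filter:
discard-ip-frag: enabled: yes, packet dropped: 10
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 0
IPv4 packet filter:
IPv6 packet filter:
------------------------------------------------------------------------------------------
Zone L3-Untrust, vsys vsys1, profile Edge
------------------------------------------------------------------------------------------
IPv(4/6) Filter:
discard-ip-frag: enabled: no, packet dropped: 0
tcp-reject-non-syn: enabled: yes, (global), packet dropped: 3
------------------------------------------------------------------------------------------
"""

ZONE_RE = re.compile(r"^Zone (\S+), vsys (\S+), profile (\S+)$")
# "enabled: yes/no" may be followed by ", (global)" before the drop count.
FILTER_RE = re.compile(r"^([\w-]+): enabled: (yes|no),.*packet dropped: (\d+)$")

def parse_zone_protection(text):
    """Return {zone: {"vsys", "profile", "filters": {name: (enabled, dropped)}}}."""
    zones, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ZONE_RE.match(line)
        if m:  # a new zone block starts here
            current = {"vsys": m.group(2), "profile": m.group(3), "filters": {}}
            zones[m.group(1)] = current
            continue
        m = FILTER_RE.match(line)
        if m and current is not None:
            current["filters"][m.group(1)] = (m.group(2) == "yes", int(m.group(3)))
    return zones

def zones_dropping_fragments(zones):
    """Zones whose profile has discard-ip-frag enabled -> packets dropped so far."""
    return {z: d["filters"]["discard-ip-frag"][1] for z, d in zones.items()
            if d["filters"].get("discard-ip-frag", (False, 0))[0]}

if __name__ == "__main__":
    print(zones_dropping_fragments(parse_zone_protection(SAMPLE_OUTPUT)))
```

Run it against the real command output (pasted into SAMPLE_OUTPUT or read from a file) to see at a glance which ingress zones will drop fragments before touching the profile.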
Resolution
- If this is legitimate traffic you wish to allow, you can disable the option so that fragmented traffic is permitted.
Note: Disabling the “Fragmented traffic” drop may carry a security risk. If you do not wish to change this option, check the upstream device to find out why the firewall is receiving fragmented packets.
From the GUI:
- Select Network --> Network Profiles --> Zone Protection
- Click the name of the zone protection profile
- Select the “Packet Based Attack Protection” tab and the IP Drop subtab
- Uncheck the “Fragmented traffic” option and click OK