PAN-OS 7.1 Enhancements to TCP MSS

Created On 09/26/18 13:44 PM - Last Modified 07/19/22 23:07 PM


Resolution


Prior to PAN-OS 7.1, the option to adjust TCP MSS was configured as a toggle (on/off). When enabled, this setting reduced the maximum segment size to 40 bytes less than the interface MTU.

 

With PAN-OS 7.1, this value is now configurable for IPv4 and IPv6 independently to allow for custom applications that require greater overhead.

 

 

This option is supported on all L3 interface types that support the “Adjust TCP MSS” option.

  • Physical interfaces, sub-interfaces, aggregate interfaces, VLAN, tunnel, and Loopback interfaces

A new field is added for both IPv4 and IPv6 types, and can be independently configured for either.

  • The IPv6 configuration takes effect only if IPv6 is enabled on the interface.
  • Valid IPv4 values range from 40-300 bytes.
  • Valid IPv6 values range from 60-300 bytes.


 

The setting can also be applied to an interface via the CLI command:

> configure

# set network interface ethernet ethernet1/2 layer3 adjust-tcp-mss enable yes ipv4-mss-adjustment
<value> <40-300> IPv4 MSS adjustment size (in bytes)
# set network interface ethernet ethernet1/2 layer3 adjust-tcp-mss enable yes ipv6-mss-adjustment
<value> <60-300> IPv6 MSS adjustment size (in bytes)

# commit
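
As an added example (not part of the original article or of Palo Alto Networks' tooling), the Python below checks that a TCP SYN captured on the far side of the interface advertises an MSS no larger than the interface MTU minus the configured adjustment. The function names, the 1500-byte MTU and the sample SYN headers are constructed for illustration, and the check assumes the firewall only lowers an advertised MSS and never raises it.

```python
import struct

# Adjustment ranges stated on this page (bytes subtracted from the interface MTU).
ADJ_RANGE = {"ipv4": (40, 300), "ipv6": (60, 300)}

def expected_mss(mtu, adjustment, family="ipv4"):
    """MSS ceiling for an interface: MTU minus the configured adjustment."""
    lo, hi = ADJ_RANGE[family]
    if not lo <= adjustment <= hi:
        raise ValueError(f"{family} adjustment must be {lo}-{hi}, got {adjustment}")
    return mtu - adjustment

def parse_mss(tcp_header):
    """Return the MSS option (kind 2) from a raw TCP header, or None if absent."""
    data_offset = (tcp_header[12] >> 4) * 4      # header length in bytes
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("truncated or malformed TCP header")
    opts, i = tcp_header[20:data_offset], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # End of Option List
            break
        if kind == 1:                            # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def check_syn(tcp_header, mtu, adjustment, family="ipv4"):
    """True if the SYN's MSS is at or below the ceiling; False if above or absent."""
    mss = parse_mss(tcp_header)
    return mss is not None and mss <= expected_mss(mtu, adjustment, family)

def build_syn(mss):
    """Constructed sample: 24-byte SYN header carrying only an MSS option."""
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    return fixed + struct.pack("!BBH", 2, 4, mss)

if __name__ == "__main__":
    # Constructed case: 1500-byte MTU with a 100-byte IPv4 adjustment.
    for mss in (1460, 1400):                     # unadjusted vs. adjusted SYN
        print(mss, check_syn(build_syn(mss), mtu=1500, adjustment=100))
```
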

 

High Availability

  • The MSS Adjust setting and both IPv4 & IPv6 settings will be synchronized between HA peers (both A/A and A/P).

Panorama

  • Supported by Panorama templates. If the template value is removed, the adjustment size will retain a known, valid value.
  • The size values will be pruned when pushing the template to a device not supporting this feature (pre-PAN-OS 7.1 devices). The checkbox enabling the Adjust MSS feature will still be selected for those devices.

Upgrade

  • If the Adjust TCP MSS feature is enabled on 7.0, the default value of 40 is used for IPv4 and the default value of 60 is used for IPv6.

Downgrade

  • If enabled, the feature will remain enabled when downgrading, but the size will be removed.

 


