https://live.paloaltonetworks.com/t5/next-generation-firewall/panorama-fragmentation/m-p/542158#M1269 <P>Hi,<BR />If the checkbox for Fragmented traffic is uncheck, does that mean that the fw will not discard fragmented traffic?&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Richard_M_3-1684146287887.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50170iC66B450A6B3BB677/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Richard_M_3-1684146287887.png" alt="Richard_M_3-1684146287887.png" /></span></P> <P>&nbsp;</P> <P>I have a case where someone says "10.154.74.0/23: We can not send from, or send to,&nbsp; packages bigger than 1472. All ports are defined to 9216 bits. 10.154.74.17 and 10.154.74.34 can be pinged with big packages."<BR /><BR />I checked the interface and it has an MTU size off 1500</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Richard_M_2-1684146274804.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50169i9174081DCED343AD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Richard_M_2-1684146274804.png" alt="Richard_M_2-1684146274804.png" /></span></P> <P>&nbsp;</P> <P>With the setup shown, will it mean that the fw allows fragmentation, and will it do so in both directions?&nbsp;<BR />If it only allows it in one direction, is it possible to allow it in both direction? and if so, how do I do that?&nbsp;<BR /><BR /></P> Mon, 15 May 2023 10:49:54 GMT Richard_M 2023-05-15T10:49:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/panorama-fragmentation/m-p/542158#M1269 <P>Hi,<BR />If the checkbox for Fragmented traffic is uncheck, does that mean that the fw will not discard fragmented traffic?&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Richard_M_3-1684146287887.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50170iC66B450A6B3BB677/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Richard_M_3-1684146287887.png" alt="Richard_M_3-1684146287887.png" /></span></P> <P>&nbsp;</P> <P>I have a case where someone says "10.154.74.0/23: We can not send from, or send to,&nbsp; packages bigger than 1472. All ports are defined to 9216 bits. 10.154.74.17 and 10.154.74.34 can be pinged with big packages."<BR /><BR />I checked the interface and it has an MTU size off 1500</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Richard_M_2-1684146274804.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50169i9174081DCED343AD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Richard_M_2-1684146274804.png" alt="Richard_M_2-1684146274804.png" /></span></P> <P>&nbsp;</P> <P>With the setup shown, will it mean that the fw allows fragmentation, and will it do so in both directions?&nbsp;<BR />If it only allows it in one direction, is it possible to allow it in both direction? and if so, how do I do that?&nbsp;<BR /><BR /></P> Mon, 15 May 2023 10:49:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/panorama-fragmentation/m-p/542158#M1269 Richard_M 2023-05-15T10:49:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/panorama-fragmentation/m-p/542292#M1273 <P>If it's checked then you will drop all fragmented traffic, so you are correct.</P> <P>&nbsp;</P> <P>Perhaps you need to enable jumboframes if you haven't done so already?</P> Tue, 16 May 2023 10:12:16 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/panorama-fragmentation/m-p/542292#M1273 kat3xx 2023-05-16T10:12:16Z https://live.paloaltonetworks.com/t5/next-generation-firewall/panorama-fragmentation/m-p/542541#M1276 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/289206">@kat3xx</a>&nbsp;<BR />Thank you for your answer. I checked the jumboframe and it was already enabled.&nbsp;<BR /><BR />I got some more info.<BR />There are two situations. One where it works and one where it don`t work:<BR />The source is the same but the destionation address is different and is in two differente DC. There exists opening for both secenarios.<BR /><BR />Situation 1:<BR />The src and dst address is in the same DC and the traffic only need to go through one zone and one fw. In this case, everything works as intended.<BR /><BR />Situation 2:<BR />The src and dst address is in two different DC`s and the traffic goes through three zones. In this case the fragmentet traffic is not received at the dst.<BR /><BR />From what I can see from the traffic log, the traffic is allowed in both situations, but is there someway to see if fragmented traffic is going through in some way or is it enough to see that the traffic is allowed in the traffic log?&nbsp;<BR /><BR />They also did some ping where should have issued a ping with up to 1472 packets (if you can say it like that) and it went through, but if they issued a ping from 1473 and above it didn`t work. Does this give any sense?&nbsp;<BR /><BR />Is there something else I should check?<BR />I am not sure if this is a fw issue or not.</P> Wed, 17 May 2023 20:21:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/panorama-fragmentation/m-p/542541#M1276 Richard_M 2023-05-17T20:21:30Z