SD-WAN adjust MSS - PAN-OS

peter.vandereijk — Mon, 30 Oct 2023 13:57:52 GMT

I'd like to understand if Palo Alto SD-WAN automatically changes (or can change) the MSS value in the TCP 3 way handshake.

SD-WAN checks the underlaying tunnel interfaces on their MTU and applies the minimum MTU to the related SD-WAN interface.

When checking an SD-WAN interface you can check the Interface MTU (in the example 1423).

The "Adjust TCP MSS" is set to no.

Is it possible to set the Adjust TCP MSS to yes so this value is automatically set to the SD-WAN interface MTU - 40?

Or tis this already applied by the SD-WAN functionality. (For Prisma SD-WAN this was introduced in 5.4.1)

Name: sdwan.949, ID: 245
Operation mode: layer3
Virtual router vr1
Interface MTU 1423
Interface management profile: N/A
Service configured:
Zone: zone-to-branch, virtual system: vsys1
Adjust TCP MSS: no
Ignore IPv4 DF: no
Policing: no
SD-WAN interface members: tunnel.xx,tunnel.xx

Re: SD-WAN adjust MSS - PAN-OS

WtrN06 — Wed, 07 Feb 2024 14:49:45 GMT

I have a followup question for this one..

I've read https://live.paloaltonetworks.com/t5/community-blogs/tcp-mss-adjustments-updated-february-2023/ba-p/156881 together with all the extra included KB articles.

But it's still unclear to me how I can manualy manipulate the MSS-value of tunnels set up by the SD-WAN pluging.

The KB states that the MSS is automaticly adjusted by the FW itself, but in my case these are still too high.

According the KB articles I can change these values in the tunnel-interface. But all these examples are based on IPSec tunnels set up manualy.

If I change these values of the tunnels generated by the SDWAN-plugin, will I break this feature? Is it overwritten with a next policy push?

It would be great to change these values in Panorama and push them, but I know the SDWAN pluging doesn't work that way.

topic SD-WAN adjust MSS - PAN-OS in Prisma SD-WAN Discussions

SD-WAN adjust MSS - PAN-OS

Re: SD-WAN adjust MSS - PAN-OS