FortiGate-7000 Release Notes

Fragmented ICMP packet handling improvements

Previous versions of FortiOS would handle fragmented ICMP packets in the following way:

  1. The FortiGate-6000 DP3 processor and the FortiGate-7000 DP2 processor broadcast every non-header fragment of a fragmented ICMP packet to all FPCs or FPMs.
  2. FPCs or FPMs that had also received the header fragment of the packet re-assembled the packet correctly.
  3. FPCs or FPMs that had not received the header fragment discarded the non-header fragments.

FortiOS 6.0.6 supports the following more efficient load balancing of fragmented ICMP packets:

  1. When the DPx processor (DP2 or DP3) receives a header fragment and finds a matching session, it creates an additional fragment session keyed on the source IP, destination IP, and IP identifier (IPID) of that header fragment.
  2. Subsequent non-header fragments with the same source IP, destination IP, and IPID match this fragment session and are forwarded to the same FPC or FPM that received the header fragment, instead of being broadcast to all of them.

Use the following command to enable or disable this method of handling fragmented ICMP packets. The option is enabled by default.

config load-balance setting
    set dp-fragment-session {disable | enable}
end

The age of a fragment session (how long it stays valid after the header fragment is seen) is controlled with the following command:

config system global
    set dp-fragment-timer <timer>
end

The default <timer> value is 120 seconds.
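The following is an added, hypothetical model of the fragment steering described above, not FortiOS code: header fragments are load-balanced to an FPC/FPM, a fragment session keyed on (source IP, destination IP, IPID) steers later non-header fragments to that same FPC/FPM until dp-fragment-timer expires, and with the option disabled (or after expiry) the legacy broadcast-to-all behaviour applies. The session lookup, the CRC-based balancing and the sample addresses are assumptions.

```python
import zlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ipid: int
    offset: int   # 0 = header fragment (carries the ICMP header), >0 = non-header
    ts: float     # arrival time in seconds (constructed sample clock)


class FragmentDispatcher:
    """Hypothetical model of DPx fragment steering (not FortiOS code).
    Sessions are keyed on (src, dst) as a stand-in for the DPx session lookup;
    fragment sessions are keyed on (src, dst, ipid) and age out after `timer` s.
    """

    def __init__(self, fpc_count, fragment_timer=120, dp_fragment_session=True):
        self.fpc_count = fpc_count
        self.timer = fragment_timer            # dp-fragment-timer, default 120 s
        self.enabled = dp_fragment_session     # dp-fragment-session enable/disable
        self.sessions = {}                      # (src, dst) -> FPC index
        self.frag_sessions = {}                 # (src, dst, ipid) -> (FPC index, expiry)

    def _balance(self, src, dst):
        # Deterministic stand-in for the DPx load-balance decision (assumption).
        return zlib.crc32(f"{src}>{dst}".encode()) % self.fpc_count

    def dispatch(self, frag):
        """Return the set of FPC indices the fragment is forwarded to."""
        flow = (frag.src, frag.dst)
        if frag.offset == 0:
            # Header fragment: find (or, as a modelling assumption, create) the session.
            fpc = self.sessions.setdefault(flow, self._balance(frag.src, frag.dst))
            if self.enabled:
                self.frag_sessions[flow + (frag.ipid,)] = (fpc, frag.ts + self.timer)
            return {fpc}
        entry = self.frag_sessions.get(flow + (frag.ipid,)) if self.enabled else None
        if entry is not None:
            fpc, expiry = entry
            if frag.ts < expiry:
                return {fpc}                    # steered to the FPC holding the header
            del self.frag_sessions[flow + (frag.ipid,)]   # fragment session aged out
        # Legacy behaviour: broadcast to every FPC; those without the header drop it.
        return set(range(self.fpc_count))
```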
