Hyperscale Firewall Guide

Allowing packet fragments for NP7 NAT46 policies when the DF bit is set to 1

The packet size increase that occurs when a NAT46 hyperscale firewall policy converts an IPv4 packet into an IPv6 packet can cause the packet to be dropped if the larger packet exceeds the outgoing interface MTU and the DF bit is set to 1 (do not fragment). You can use the following command to cause NP7 processors to override the DF setting and fragment and forward the packet instead of dropping it. This is a global setting that affects all NAT64 traffic offloaded by NP7 processors.

config system npu
    set nat46-force-ipv4-packet-forwarding enable
end

When this option is disabled, packets with DF=1 that exceed the outgoing interface MTU are dropped and an ICMP error is returned to the sender.
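The following added example (not from the Fortinet guide) models the decision described above, so you can check which IPv4 packet sizes will exceed an egress MTU after NAT46 translation. It assumes RFC 7915 header translation (the IPv4 header, options included, is replaced by a 40-byte IPv6 header with no extension headers counted) and that oversized DF=0 packets are fragmented; `build_ipv4_header` and `nat46_outcome` are hypothetical helper names, and the sample headers are constructed.

```python
import struct

IPV6_HEADER_LEN = 40  # fixed IPv6 header size (RFC 8200)

def build_ipv4_header(total_len, df, ihl_words=5):
    """Construct a minimal IPv4 header for testing (constructed sample data)."""
    flags_frag = 0x4000 if df else 0  # bit 14 of the flags/offset word is DF
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                      0x1234, flags_frag, 64, 17, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return hdr + b"\x00" * ((ihl_words - 5) * 4)  # zero padding stands in for options

def nat46_outcome(ipv4_header, egress_mtu, force_forwarding):
    """Return (translated_size, action) for one IPv4 packet entering a NAT46 policy.

    force_forwarding models 'set nat46-force-ipv4-packet-forwarding enable'.
    """
    ver_ihl, _, total_len, _, flags_frag = struct.unpack("!BBHHH", ipv4_header[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl_bytes = (ver_ihl & 0x0F) * 4
    if ihl_bytes < 20 or total_len < ihl_bytes:
        raise ValueError("malformed IPv4 header")
    df = bool(flags_frag & 0x4000)
    # Assumption: the payload is carried unchanged behind a 40-byte IPv6 header.
    translated = IPV6_HEADER_LEN + (total_len - ihl_bytes)
    if translated <= egress_mtu:
        return translated, "forward"
    if not df:
        return translated, "fragment"  # assumption: DF=0 packets may be fragmented
    if force_forwarding:
        return translated, "fragment (DF overridden)"
    return translated, "drop + ICMP error"

if __name__ == "__main__":
    for total_len, df in [(1480, True), (1500, True), (1500, False)]:
        hdr = build_ipv4_header(total_len, df)
        for force in (False, True):
            print(total_len, "DF=%d" % df, "force=%s" % force,
                  nat46_outcome(hdr, 1500, force))
```

With a 1500-byte egress MTU, a full-size 1500-byte IPv4 packet with DF=1 becomes 1520 bytes after translation, which is the case the setting changes from a drop to a fragment-and-forward.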
