Set DF Bit for IPSec
When you configure the external interface, select one of the three options in the Don't Fragment (DF) bit for IPSec section. The option you select determines how the Firebox sets the DF bit on each IPSec-encrypted packet it sends, and therefore whether those packets can be fragmented on the path to the peer.
The DF bit setting in Fireware Web UI
The DF bit setting in Policy Manager
Select Copy to apply the DF bit setting of the original frame to the IPSec-encrypted packet. If the original frame does not have the DF bit set, Fireware XTM does not set the DF bit on the encrypted packet and fragments that packet if needed. If the original frame has the DF bit set, Fireware XTM encapsulates the entire frame and sets the DF bit of the encrypted packet to match, so the encrypted packet is not fragmented.
Select Set if you do not want your Firebox to fragment the encrypted packet, regardless of the original bit setting. If a user must make IPSec connections to a Firebox from behind a different Firebox, do not select Set; select Copy or Clear instead to enable the IPSec pass-through feature. For example, mobile employees at a customer location that has a Firebox can make IPSec connections to their own network through that Firebox. For your local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.
Select Clear to clear the DF bit on the encrypted packet regardless of the original bit setting, so that the Firebox can break the frame into pieces that fit in an IPSec packet together with the ESP or AH header.
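The following Python model is an added example and is not Fireware code. It shows why the three options behave differently: ESP tunnel encapsulation adds an outer IP header, an ESP header, an IV, padding and an integrity check value, so a full-size 1500-byte inner packet always produces an encrypted packet larger than a 1500-byte path MTU. Whether that oversized packet is fragmented or dropped depends only on the outer DF bit, which is exactly what Copy, Set and Clear control. The ESP overhead figures (16-byte IV, 12-byte ICV, 16-byte cipher block, as for AES-CBC with HMAC-SHA1-96) and the "drop when DF is set" router behaviour are assumptions chosen for illustration; the sample packet sizes are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Tuple

# Assumed ESP tunnel-mode overhead for AES-CBC + HMAC-SHA1-96 (illustrative, not Fireware constants).
OUTER_IP_HDR = 20   # new outer IPv4 header
ESP_HDR = 8         # SPI + sequence number
IV_LEN = 16         # AES-CBC IV
ESP_TRAILER = 2     # pad length + next header
ICV_LEN = 12        # HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 16   # AES block size; (inner + trailer + padding) must be a multiple of this


class DFPolicy(Enum):
    """The three Fireware 'DF bit for IPSec' options."""
    COPY = "copy"    # outer DF mirrors the inner DF bit
    SET = "set"      # outer DF always 1: never fragment the encrypted packet
    CLEAR = "clear"  # outer DF always 0: fragment whenever needed


@dataclass
class Packet:
    length: int  # total IPv4 length in bytes
    df: bool     # Don't Fragment flag


def esp_tunnel_length(inner_len: int) -> int:
    """Size of the outer packet after ESP tunnel-mode encapsulation of an inner packet."""
    payload = inner_len + ESP_TRAILER
    padding = (-payload) % CIPHER_BLOCK
    return OUTER_IP_HDR + ESP_HDR + IV_LEN + payload + padding + ICV_LEN


def encapsulate(inner: Packet, policy: DFPolicy) -> Packet:
    """Build the outer (encrypted) packet and apply the configured DF policy to it."""
    outer_df = {
        DFPolicy.COPY: inner.df,
        DFPolicy.SET: True,
        DFPolicy.CLEAR: False,
    }[policy]
    return Packet(esp_tunnel_length(inner.length), outer_df)


def fragment_sizes(total_len: int, mtu: int) -> List[int]:
    """IPv4 fragment sizes: each fragment carries a 20-byte header; non-final payloads are multiples of 8."""
    payload = total_len - OUTER_IP_HDR
    per_fragment = ((mtu - OUTER_IP_HDR) // 8) * 8
    sizes = []
    while payload > 0:
        chunk = min(per_fragment, payload)
        sizes.append(OUTER_IP_HDR + chunk)
        payload -= chunk
    return sizes


def forward(pkt: Packet, mtu: int) -> Tuple[str, List[int]]:
    """Model a hop on the path: fits -> sent; too big and DF clear -> fragmented; too big and DF set -> dropped."""
    if pkt.length <= mtu:
        return ("sent", [pkt.length])
    if pkt.df:
        # A real router also returns ICMP Fragmentation Needed here; if that ICMP is filtered,
        # the sender never learns why the tunnel stalls (classic PMTUD black hole).
        return ("dropped", [])
    return ("fragmented", fragment_sizes(pkt.length, mtu))


def simulate(inner_len: int, inner_df: bool, policy: DFPolicy, mtu: int = 1500) -> Tuple[str, List[int]]:
    """End-to-end: encapsulate an inner packet under the given DF policy and forward it over a link with this MTU."""
    return forward(encapsulate(Packet(inner_len, inner_df), policy), mtu)


if __name__ == "__main__":
    # Constructed sample: a full-size 1500-byte TCP segment with DF set (typical of PMTUD) and one without.
    for df in (True, False):
        for policy in DFPolicy:
            status, sizes = simulate(1500, df, policy)
            print(f"inner DF={df!s:5} policy={policy.value:5} -> {status:10} {sizes}")
```

Running the sample shows the practical difference: a 1500-byte inner packet becomes a 1560-byte encrypted packet, so on a 1500-byte MTU link Set always drops it, Clear always fragments it (1500 + 80 bytes), and Copy does whichever the inner packet's own DF bit dictates. Small packets (for example 100 bytes inner, 168 bytes outer) pass under every policy, which is why a tunnel with Set configured can appear healthy until bulk transfers start.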