Set DF Bit for IPSec

When you configure the external interface, select one of the three options to determine the setting for the Don’t Fragment (DF) bit for IPSec section.

DF bit settings for IPSec on an external network interface
The DF bit setting in Fireware Web UI

DF Bit Settings for IPSec on an External interface
The DF bit setting in Policy Manager

Copy

Select Copy to apply the DF bit setting of the original frame to the IPSec encrypted packet. If a frame does not have the DF bits set, Fireware XTM does not set the DF bits and fragments the packet if needed. If a frame is set to not be fragmented, Fireware XTM encapsulates the entire frame and sets the DF bits of the encrypted packet to match the original frame.

Set

Select Set if you do not want your Firebox to fragment the frame regardless of the original bit setting. If a user must make IPSec connections to a Firebox from behind a different Firebox, you must clear this check box to enable the IPSec pass-through feature. For example, if mobile employees are at a customer location that has a Firebox, they can make IPSec connections to their network with IPSec. For your local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.

Clear

Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original bit setting.

Give Us Feedback     Get Support     All Product Documentation     Technical Search