Configure TCP MTU Probing for a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

Overview

When you enable the TCP MTU Probing feature in the Networking settings for a cloud-managed Firebox, the Firebox can automatically change the size of its data packets to make sure that PMTU discovery is successful.

Path Maximum Transmission Unit (PMTU) discovery is used to determine the maximum transmission unit (MTU) size that is appropriate for a network path between two devices. If a packet is larger than the MTU for the path, the packet becomes fragmented during transmission, which can cause performance issues.

To make sure that PMTU discovery succeeds and to avoid reduced performance caused by fragmentation, you can configure TCP MTU Probing in the networking settings for a cloud-managed Firebox. When you enable this option, the Firebox can automatically change the size of its data packets as necessary.

For example, you might enable TCP MTU Probing in these cases:

  • You have a slow PPPoE connection and require smaller packets to optimize performance.
  • You want to make sure that client devices on your network can access the Internet through a zero-route BOVPN tunnel on this Firebox even if the PMTU discovery process cannot complete. For example, if a remote router drops a packet but does not send an ICMP Destination Unreachable or ICMP Fragmentation Needed response to the Firebox, an ICMP black hole occurs and the PMTU process cannot complete. If you enable TCP MTU probing, an ICMP black hole does not affect traffic through the zero-route BOVPN.

TCP MTU Probing is disabled by default. When you enable the feature, you can choose one of these options:

  • Always Enabled — The Firebox can always change the size of its data packets as necessary.
  • Enable Only When ICMP Network Issues Are Detected — This setting automatically enables TCP MTU Probing only when an ICMP error message is dropped and the PMTU discovery process cannot complete. TCP MTU Probing remains enabled for the current connection. For new connections, TCP MTU Probing is disabled by default unless a network issue is detected for the new connection.
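The following toy model, added here as an illustration and not WatchGuard code, shows how the three settings above behave when PMTU discovery meets an ICMP black hole. A path is a constructed list of hops with link MTUs; a hop that receives an oversized packet either answers with ICMP Fragmentation Needed or silently drops it. The attempt limit, probe floor and probe step are assumptions chosen for the model, not Firebox parameters.

```python
"""Toy model of Path MTU discovery under the three TCP MTU Probing settings.

Constructed example, not WatchGuard code. A path is a list of hops with link
MTUs. A hop that receives a packet larger than its MTU either answers with
ICMP Fragmentation Needed (classic PMTU discovery) or silently drops it,
which models the ICMP black hole described on the page.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The three states of the TCP MTU Probing setting.
DISABLED = "disabled"
ON_ICMP_ISSUE = "enable_only_when_icmp_network_issues_are_detected"
ALWAYS = "always_enabled"

MAX_ATTEMPTS = 10   # assumption: sends before the connection is declared stalled
PROBE_FLOOR = 576   # assumption: smallest size a probe will try
PROBE_STEP = 64     # assumption: stop probing once the search window is this narrow


@dataclass
class Hop:
    name: str
    mtu: int
    sends_icmp: bool = True   # False models a router that drops silently


@dataclass
class Connection:
    mode: str
    size: int = 1500                       # current segment size in bytes
    probing: bool = False
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Always Enabled probes from the first segment; the other modes start
        # with probing off, so each new connection begins in the default state.
        self.probing = self.mode == ALWAYS


def forward(path: List[Hop], size: int) -> Tuple[bool, Optional[int]]:
    """Return (delivered, icmp_hint): the hint is the next-hop MTU carried by a
    Fragmentation Needed message, or None when the packet was dropped silently."""
    for hop in path:
        if size > hop.mtu:
            return False, (hop.mtu if hop.sends_icmp else None)
    return True, None


def discover(conn: Connection, path: List[Hop]) -> Optional[int]:
    """Send full-sized segments until one size is settled on.
    Returns that size, or None if the connection stalls."""
    lo: Optional[int] = None   # largest size known to get through
    hi: Optional[int] = None   # smallest size known to be dropped silently
    for attempt in range(1, MAX_ATTEMPTS + 1):
        delivered, hint = forward(path, conn.size)
        if delivered:
            conn.log.append(f"attempt {attempt}: {conn.size} bytes delivered")
            if conn.probing and hi is not None and hi - conn.size > PROBE_STEP:
                lo = conn.size
                conn.size = (lo + hi) // 2      # probe upward toward the failing size
                continue
            return conn.size
        if hint is not None:
            # Classic PMTU discovery: the router reported its MTU, so use it.
            conn.log.append(f"attempt {attempt}: ICMP Fragmentation Needed, MTU {hint}")
            conn.size = hint
            continue
        # Silent loss: PMTU discovery cannot complete on its own.
        conn.log.append(f"attempt {attempt}: {conn.size} bytes lost, no ICMP reply")
        if conn.mode == ON_ICMP_ISSUE:
            conn.probing = True             # switched on for this connection only
        if not conn.probing:
            continue                        # Disabled: retransmit the same size
        hi = conn.size
        conn.size = (lo + hi) // 2 if lo is not None else max(PROBE_FLOOR, hi // 2)
    conn.log.append("stalled")
    return None


# Constructed paths: in the second one the remote router never sends ICMP.
HEALTHY_PATH = [Hop("lan", 1500), Hop("remote-router", 1400), Hop("server", 1500)]
BLACK_HOLE_PATH = [Hop("lan", 1500), Hop("remote-router", 1400, sends_icmp=False),
                   Hop("server", 1500)]


def compare_modes(path: List[Hop]) -> dict:
    """Run one fresh connection per mode over the path and return the settled sizes."""
    return {mode: discover(Connection(mode), path) for mode in (DISABLED, ON_ICMP_ISSUE, ALWAYS)}


if __name__ == "__main__":
    for name, path in (("healthy", HEALTHY_PATH), ("black hole", BLACK_HOLE_PATH)):
        print(name, compare_modes(path))
```

On the healthy path every mode settles on the router's reported MTU, because the ICMP reply does the work. On the black-hole path the Disabled connection stalls, while the two probing modes shrink the segment and then search upward to a working size; the only difference between them is that Enable Only When ICMP Network Issues Are Detected starts each new connection with probing off and switches it on after the first silent loss.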

You can configure TCP MTU probing in an individual Firebox configuration or in a Firebox template. If a Firebox subscribes to a template with TCP MTU Probing configured, a lock icon shows next to the TCP MTU Probing feature toggle in the Firebox configuration, and you cannot configure it in the Firebox configuration for that device. To view the name of the template where TCP MTU Probing is configured, hover over the lock icon. For more information about Firebox templates, go to About Firebox Templates.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Devices permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

Configure TCP MTU Probing

To configure TCP MTU Probing in the networking settings for a cloud-managed Firebox:

  1. In WatchGuard Cloud, select a cloud-managed Firebox.
  2. Click Device Configuration.
  3. Click the Device Settings widget.
    The Device Settings page opens.

    Screenshot of the Device Settings page

  4. Select the Networking tab.
    The Networking settings page opens.
  5. If you want the Firebox to automatically change the size of its data packets as necessary, enable TCP MTU Probing and select one of these options:
    • Always Enabled
    • Enable Only When ICMP Network Issues Are Detected

    Screenshot of the device settings for a cloud-managed Firebox with TCP MTU Probing enabled

  6. To save configuration updates to the cloud, click Save.

Related Topics

Add a Cloud-Managed Firebox to WatchGuard Cloud

Add a Cloud-Managed FireCluster