Set DF Bit for IPSec

The Don't Fragment (DF) bit is a flag in the header of a packet. You can select Copy, Set, or Clear to control whether the Firebox uses the original DF bit setting in the packet header.

[Screenshot: DF bit settings for IPSec on an external network interface, as shown in Fireware Web UI]

[Screenshot: DF Bit settings for IPSec on an external interface, as shown in Policy Manager]

Select Copy to apply the DF bit setting of the original frame to the IPSec encrypted packet. If a frame does not have the DF bit set, the Firebox does not set the DF bit on the encrypted packet and fragments the packet if needed. If a frame is marked not to be fragmented, the Firebox encapsulates the entire frame and sets the DF bit of the encrypted packet to match the original frame.

Select Set if you do not want the Firebox to fragment the frame, regardless of the original DF bit setting. If a user must make IPSec connections to a Firebox from behind a different Firebox, you must not select this option, because the IPSec pass-through feature requires it to be off. For example, if mobile employees are at a customer location that has its own Firebox, they can still make IPSec connections to their home network. For your local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.

Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original DF bit setting.
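The following is an added, constructed model of how the three modes decide the outer DF flag and whether a frame is fragmented; it is not Fireware code, and the ESP overhead, MTU and "drop when it does not fit" behaviour are assumptions based on standard IPv4 semantics rather than anything this page states.

```python
# Constructed model of the Copy / Set / Clear DF-bit modes (not Fireware code).
# ESP overhead and MTU are assumed values chosen to make the arithmetic visible.
from dataclasses import dataclass

IPV4_HEADER = 20      # bytes, IPv4 header without options
ESP_OVERHEAD = 58     # assumed: ESP header, IV, padding, trailer and ICV
DEFAULT_MTU = 1500    # assumed MTU of the external interface

@dataclass
class Packet:
    size: int   # total IP length in bytes
    df: bool    # Don't Fragment flag

def outer_df(mode: str, inner_df: bool) -> bool:
    """DF flag placed on the encrypted packet for a given Firebox mode."""
    if mode == "copy":
        return inner_df          # mirror the original frame's DF bit
    if mode == "set":
        return True              # never fragment the encrypted packet
    if mode == "clear":
        return False             # always allow fragmentation
    raise ValueError(f"unknown DF mode: {mode}")

def encapsulate(inner: Packet, mode: str, mtu: int = DEFAULT_MTU) -> list[Packet]:
    """Return the ESP packets emitted on the external interface for one frame.

    An empty list means the encrypted packet exceeds the MTU but carries DF,
    so under standard IPv4 behaviour it is dropped rather than fragmented
    (assumption: the page does not describe this case explicitly).
    """
    df = outer_df(mode, inner.df)
    overhead = IPV4_HEADER + ESP_OVERHEAD
    if inner.size + overhead <= mtu:
        return [Packet(inner.size + overhead, df)]
    if df:
        return []
    # Fragment the inner frame before encryption so that each piece, once the
    # ESP header and the outer IP header are added, fits within the MTU.
    data_per_piece = (mtu - overhead - IPV4_HEADER) // 8 * 8  # 8-byte units
    remaining = inner.size - IPV4_HEADER
    pieces = []
    while remaining > 0:
        chunk = min(data_per_piece, remaining)
        pieces.append(Packet(chunk + IPV4_HEADER + overhead, df))
        remaining -= chunk
    return pieces
```

With a full-size 1500-byte frame, Copy and Clear produce two fragments when DF is not enforced, while Set (or Copy with DF on the original frame) yields nothing, which is why path MTU discovery matters on the inner path when DF is enforced.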

In Fireware v12.2.1 or higher, you can specify a DF Bit option in the gateway endpoint settings in BOVPN and BOVPN virtual interface configurations. The DF Bit setting specified for a gateway endpoint overrides the DF Bit setting specified for the external interface.

For more information about the DF Bit setting for gateway endpoints, see Define Gateway Endpoints for a BOVPN Gateway and Define Gateway Endpoints for a BOVPN Virtual Interface.
