Set the DF Bit for IPSec
The Don't Fragment (DF) bit is a flag in the header of a packet. You can select Copy, Set, or Clear to control whether the Firebox uses the original DF bit setting in the packet header.
The DF bit setting in Policy Manager
Copy
Select Copy to apply the DF bit setting of the original frame to the IPSec encrypted packet. If a frame does not have the DF bits set, the Firebox does not set the DF bits and fragments the packet if needed. If a frame is set to not be fragmented, the Firebox encapsulates the entire frame and sets the DF bits of the encrypted packet to match the original frame.
Set
Select Set if you do not want your Firebox to fragment the frame regardless of the original bit setting. If a user must make IPSec connections to a Firebox from behind a different Firebox, you must clear this check box to enable the IPSec pass-through feature. For example, if mobile employees are at a customer location that has a Firebox, they can make IPSec connections to their network with IPSec. For your local Firebox to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.
Clear
Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original bit setting.
Set the DF Bit for BOVPN
In Fireware v12.2.1 or higher, you can specify a DF Bit option in the gateway endpoint settings in BOVPN and BOVPN virtual interface configurations. The DF Bit setting specified for a gateway endpoint overrides the DF Bit setting specified for the external interface.
For more information about the DF Bit setting for gateway endpoints, go to Define Gateway Endpoints for a BOVPN Gateway and Define Gateway Endpoints for a BOVPN Virtual Interface.
Set the DF Bit for Mobile VPN with IKEv2
In Fireware v12.8 or higher, you can specify a CLI command to set the DF bit for Mobile VPN with IKEv2 connections. For more information, go to Edit the Mobile VPN with IKEv2 Configuration.