Set DF Bit for IPSec

When you configure the external interface, select one of three options to determine the setting for the Don’t Fragment (DF) bit for IPSec.

DF bit settings for IPSec on an external network interface


Select Copy to apply the DF bit setting of the original frame to the IPSec encrypted packet. If a frame does not have the DF bit set, Fireware XTM does not set the DF bit and fragments the packet if needed. If a frame is set to not be fragmented, Fireware XTM encapsulates the entire frame and sets the DF bit of the encrypted packet to match the original frame.


Select Set if you do not want your XTM device to fragment the frame regardless of the original bit setting. If a user must make IPSec connections to an XTM device from behind a different XTM device, you must clear this check box to enable the IPSec pass-through feature. For example, if mobile employees are at a customer location that has an XTM device, they can make IPSec connections to their own network. For your local XTM device to correctly allow the outgoing IPSec connection, you must also add an IPSec policy.


Select Clear to break the frame into pieces that can fit in an IPSec packet with the ESP or AH header, regardless of the original bit setting.
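
The following Python model is an added example, not Fireware XTM code. It shows how the Copy, Set, and Clear options decide the DF bit on the encrypted packet and what happens to a frame that is too large for the tunnel. The 60-byte overhead, the 1500-byte MTU, and the drop behaviour for an oversized packet with DF set are assumptions based on general IP behaviour, not values from this page.

```python
import math
from dataclasses import dataclass

IP_HEADER = 20  # bytes, IPv4 header without options


@dataclass(frozen=True)
class Outcome:
    outer_df: bool  # DF bit on the IPSec (outer) packet
    packets: int    # IPSec packets sent for this frame; 0 means dropped
    note: str


def outer_df_bit(mode: str, inner_df: bool) -> bool:
    """DF bit placed on the encrypted packet for each setting on the page."""
    if mode == "copy":
        return inner_df
    if mode == "set":
        return True
    if mode == "clear":
        return False
    raise ValueError(f"unknown mode: {mode!r}")


def encapsulate(mode, inner_len, inner_df, mtu=1500, overhead=60):
    """Model one frame. overhead is a constructed ESP/AH + outer header size."""
    df = outer_df_bit(mode, inner_df)
    room = mtu - overhead  # largest inner packet that fits unfragmented
    if inner_len <= room:
        return Outcome(df, 1, "fits in one IPSec packet")
    if df:
        # Assumed general IP behaviour: the sender only recovers if an ICMP
        # "fragmentation needed" message reaches it.
        return Outcome(df, 0, "too large with DF set; not fragmented")
    # Fragment data must be a multiple of 8 bytes, except the last piece.
    per_fragment = (room - IP_HEADER) // 8 * 8
    pieces = math.ceil((inner_len - IP_HEADER) / per_fragment)
    return Outcome(df, pieces, "fragmented to fit the IPSec packet")


if __name__ == "__main__":
    for mode in ("copy", "set", "clear"):
        for inner_df in (False, True):
            print(mode, inner_df, encapsulate(mode, 1500, inner_df))
```

With Set, or with Copy when the original frame has DF set, a full-size frame is not delivered in this model unless the sender lowers its packet size, so ICMP "fragmentation needed" messages must be allowed back to the sender for path MTU discovery to work.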
