The device can cache, discard, or directly forward fragments.
By default, both the direct forwarding of fragment packets and the discarding of fragment packets are disabled. That is, fragment packets are cached by default.
After you run the firewall fragment-discard enable command to enable the discarding of fragment packets, the device discards the received fragments.
After you run the firewall fragment-forward enable command to enable the direct forwarding of fragment packets, the device directly forwards the received fragments. If the fragment received first is the packet's first fragment, the device enters the normal session process. If the fragment received first is a subsequent fragment, the device transparently transmits the fragment without entering the session process.
To cache fragmented packets, disable both the direct forwarding of fragment packets and the discarding of fragment packets. You can run the firewall fragment-cache-maximum command to set the maximum number of cached fragments per packet. If the number of fragments of a packet exceeds the specified maximum, the device discards the packet.
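The three modes and the per-packet cache limit described above, modelled as an added Python example (this is not the device's code): the Fragment fields, the result labels and the sample datagram are constructed, and the completeness check assumes contiguous, non-overlapping fragments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:          # IPv4 header fields that drive the decision (constructed model)
    src: str
    dst: str
    proto: int
    ident: int           # Identification field, shared by every fragment of one datagram
    offset: int          # fragment offset in 8-byte units
    length: int          # payload bytes carried by this fragment
    more: bool           # More Fragments (MF) flag

class FragmentPolicy:
    """discard=True models 'firewall fragment-discard enable', forward=True models
    'firewall fragment-forward enable'; both off = cache, bounded by fragment-cache-maximum."""

    def __init__(self, discard: bool = False, forward: bool = False, cache_maximum: int = 32):
        self.discard, self.forward, self.cache_maximum = discard, forward, cache_maximum
        self.cache: dict[tuple[str, str, int, int], list[Fragment]] = {}

    def handle(self, frag: Fragment) -> str:
        if self.discard:
            return "drop"                     # every received fragment is discarded
        if self.forward:
            # Only a first fragment enters the normal session process; a subsequent
            # fragment that arrives first is transparently transmitted, bypassing it.
            return "session" if frag.offset == 0 else "transparent"
        key = (frag.src, frag.dst, frag.proto, frag.ident)   # same flow + same ID => same datagram
        frags = self.cache.setdefault(key, [])
        frags.append(frag)
        if len(frags) > self.cache_maximum:
            del self.cache[key]               # over the limit: the whole packet is discarded
            return "drop-packet"
        if self._complete(frags):
            del self.cache[key]               # all pieces cached: reassemble and inspect
            return "reassembled"
        return "cached"                       # keep waiting for the remaining fragments

    @staticmethod
    def _complete(frags: list[Fragment]) -> bool:
        # Complete when offsets are contiguous from 0 and the last fragment has MF=0.
        ordered = sorted(frags, key=lambda f: f.offset)
        contiguous = all(b.offset * 8 == a.offset * 8 + a.length for a, b in zip(ordered, ordered[1:]))
        return ordered[0].offset == 0 and not ordered[-1].more and contiguous

# Constructed sample: one 3060-byte UDP datagram split into three fragments.
SAMPLE = [Fragment("10.0.0.1", "10.0.1.1", 17, 0x1234, off, ln, mf)
          for off, ln, mf in ((0, 1480, True), (185, 1480, True), (370, 100, False))]
```

Feeding SAMPLE in reverse order shows the difference that matters for inspection: caching still reassembles the datagram, whereas direct forwarding passes the two subsequent fragments through without any session processing.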
- If the NAT, IPsec, or content security detection service is configured on the device and the traffic handled by that service contains fragmented packets, you are not advised to enable the direct forwarding of fragmented packets.
- In NAT scenarios, fragmented packets must be reassembled before NAT is performed. After the direct forwarding of fragmented packets is enabled, fragmented packets are not reassembled, and the device cannot perform NAT on subsequent fragmented packets based on the first fragment.
- When IPsec negotiation packets are fragmented and the direct forwarding of fragmented packets is enabled, the fragmented negotiation packets cannot be reassembled and IKE negotiation cannot be performed. As a result, the IPsec tunnel fails to be established.
- After content security detection is configured, the device sends the first fragmented packet and subsequent fragmented packets to the IAE for content security detection. After the direct forwarding of fragmented packets is enabled, subsequent fragmented packets are directly forwarded without being sent to the IAE. If the fragment reassembly function is enabled for the IAE, the IAE then caches the first fragmented packet for a long time, because the subsequent fragments are never delivered to it, which affects IAE processing efficiency. Therefore, to use direct forwarding of fragmented packets, run the undo fragment-reassemble enable command to disable fragment reassembly for the IAE.
- For the same flow, the IDs in the IP headers of fragmented packets are the same, which is how the fragments of the same flow are identified during fragment reassembly. However, in fragment cache scenarios, fragmented packets whose IP headers carry a duplicate ID are discarded.
- When fragmented packets pass through the device twice, the traffic of the two passes must be isolated by VLANs or virtual systems. Otherwise, the fragments may be discarded as overlapping fragments.