Thursday, May 17, 2018

Forcepoint NGFW tcp.mss clamping be aware

Testing some  tcp-mss adjustments in the Forcepoint NGFW, I found a strange and awkward behavior. If you set the tcp.mss enforce to a range that outside of the  physical MTU interface on the NGFW , the firewall will drop these tcp packets and will not provide any log_browser output. Here's any example of a    byte range 1461-1461 for a 1500 byte ethernet  LAN segment



Juniper SRX and Fortigate will ignore any  value outside of the range of the MTU. One cool point on the  Force NGFW, it will honor any tcp.mss value even to 1byte. Other vendors will disregards settings that load. FortiOS default to  48 bytes regards of what value  you  set for tcp-sender that's fall below 48 bytes. I believe this is due to the internet   RFC has a minimum  size value for TCP

1P+TCP.HDR+PAYLOAD







So if you  set tcp mss values out of the range for the ethernet segment for the firewall be aware the Forcepoint NGFW can drop these packets & with no warning.







NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \





No comments:

Post a Comment