FMC IP fragmentation to no fragmentation settings can cause outage?

d-kuruppu
Level 1

Hello everyone,

I have the following issue:
The customer would like to disable FMC packet fragmentation globally.

According to the Cisco documentation it is quite straightforward.
Source chapter: Fragment Settings
Cisco Secure Firewall Management Center Device Configuration Guide, 7.2 - Platform Settings [Cisco Secure Firewall Management Center] - Cisco

The question now is:
1. If there is a requested fragmented traffic flow, how can I identify (the source of the traffic) on the FMC?
2. If this setting is changed (from fragmentation to no fragmentation) on the FMC, could there be a data flow hiccup or outage?

Thank you in advance.
BR
Dushan


8 Replies

tvotna
Spotlight

You cannot identify flows with fragmentation until you set "fragment chain 1" and the firewall starts dropping fragments. When a fragment is dropped, the firewall will increment a counter ("show asp drop") and you can use "capture type asp-drop <code>" with the corresponding drop code to capture the traffic and analyze it. What you can do, however, is evaluate the number of fragmented packets passing through the firewall: "show fragment".

In general, don't set "fragment chain 1". This doesn't disable the virtual reassembly feature. It blocks fragments on the box, which can adversely affect your traffic.
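As an added example (not from this thread, and not Cisco's own tooling), the following Python script parses "show fragment" and "show asp drop" output to quantify fragmented traffic per interface and list fragment-related drop codes before anyone touches the chain setting. The sample outputs and the drop-code names in them are constructed and only approximate the real CLI format, so adjust the regexes against output from your own device.

```python
import re

# Constructed sample of "show fragment" output (format approximated, not captured
# from a real FTD). 'Chain: 24' is the default fragment chain setting.
SHOW_FRAGMENT = """\
Interface: inside
    Configuration: Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
    Run-time stats: Queue: 3, Full assembly: 0
    Drops: Size overflow: 0, Timeout: 12, Chain overflow: 0,
           Fragment queue threshold exceeded: 0, Small fragments: 2,
           Invalid IP len: 0, Reassembly overlap: 0
Interface: outside
    Configuration: Size: 200, Chain: 24, Timeout: 5, Reassembly: virtual
    Run-time stats: Queue: 0, Full assembly: 0
    Drops: Size overflow: 0, Timeout: 0, Chain overflow: 0,
           Fragment queue threshold exceeded: 0, Small fragments: 0,
           Invalid IP len: 0, Reassembly overlap: 0
"""

# Constructed sample of "show asp drop" lines; the drop-code names are
# placeholders, read the real ones from your own device.
SHOW_ASP_DROP = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                      1504
  IP fragment reassembly failed (frag-reassembly-failed)              12
  First fragment too small (frag-small)                                2
"""

SECTIONS = {"Configuration": "config", "Run-time stats": "stats", "Drops": "drops"}
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\w+)")  # "Key name: value"

def parse_show_fragment(text):
    """Return {interface: {"config": {...}, "stats": {...}, "drops": {...}}}."""
    result, iface, section = {}, None, None
    for line in text.splitlines():
        m = re.match(r"\s*Interface:\s*(\S+)", line)
        if m:  # new interface block resets the section tracker
            iface = result.setdefault(m.group(1), {v: {} for v in SECTIONS.values()})
            section = None
            continue
        if iface is None:
            continue
        for label, name in SECTIONS.items():  # section label may start the line
            if line.lstrip().startswith(label + ":"):
                section = name
                line = line.lstrip()[len(label) + 1:]
                break
        if section:  # continuation lines keep the previous section
            for key, val in PAIR.findall(line):
                iface[section][key] = int(val) if val.isdigit() else val
    return result

def fragmented_interfaces(stats):
    """Interfaces that actually saw fragments: any queue, assembly or drop counter > 0."""
    totals = {}
    for iface, s in stats.items():
        total = sum(v for v in s["stats"].values() if isinstance(v, int))
        total += sum(v for v in s["drops"].values() if isinstance(v, int))
        if total:
            totals[iface] = total
    return totals

def fragment_drop_codes(asp_text):
    """Fragment-related asp-drop codes and counters, candidates for 'capture type asp-drop <code>'."""
    codes = {}
    for m in re.finditer(r"^\s+(.*?)\s+\(([\w-]+)\)\s+(\d+)\s*$", asp_text, re.M):
        desc, code, count = m.groups()
        if "frag" in desc.lower() or "frag" in code:
            codes[code] = int(count)
    return codes
```

Poll "show fragment" twice a few minutes apart and diff the returned counters to see how much fragmented traffic an interface really carries before the change.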


Don't do any capture.

This fragment setting is for the FMC box, not for the FTD controlled by FMC.

And note: keep the default for the FMC box; don't modify it.

MHM

Can you confirm whether you want the fragment setting for the FMC or the FTD?

MHM

@MHM Cisco World, this is a silly question.


The platform settings in the FMC are related to the FTD devices managed by that FMC. If the requirement to disable fragmentation on the FTD comes from the security perspective, then I think you can leave fragmentation enabled and configure a defragmentation preprocessor policy that would help protect against attacks that leverage IP fragments.

Firepower Management Center Configuration Guide, Version 6.5 - Transport & Network Layer Preprocessors [Cisco Secure Firewall Management Center] - Cisco

@ all,
Thank you all for the interesting answers and I really appreciate it.

@ Aref Alsouqi
This is a very interesting alternative solution.
I will try to read and test this option on the infra lab (this week).
Next week I will try to get a traffic generator.
The pentesting will take some time, but I will give you feedback on the outcome as soon as I get this done.

Cheers

Sorry again, are you asking about fragments of packets passing into the FMC, or fragments of traffic passing through the FTD?

MHM

You're very welcome.
