https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216418#M35982 <P>To fix a drop? Not sure, maybe worth TAC case.</P> <P>&nbsp;</P> <P>Andy</P> Tue, 04 Jun 2024 17:25:40 GMT the_rock 2024-06-04T17:25:40Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216275#M35928 <P>is there any way or command on checkpoint firewall gateway to ignore the DF bit flag and assemble traffic as normal.</P><P>thanks</P> Mon, 03 Jun 2024 18:42:10 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216275#M35928 knassif 2024-06-03T18:42:10Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216279#M35932 <P>and this is for regular traffic not for vpn traffic is there a way to ignore that DF bit flag on the firewall with a command ?</P> Mon, 03 Jun 2024 18:57:32 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216279#M35932 knassif 2024-06-03T18:57:32Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216284#M35935 <P>Not sure about regular traffic, but this is best I can find.</P> <P>Andy</P> <P><A href="https://support.checkpoint.com/results/sk/sk39270" target="_blank">https://support.checkpoint.com/results/sk/sk39270</A></P> Mon, 03 Jun 2024 19:26:14 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216284#M35935 the_rock 2024-06-03T19:26:14Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216290#M35937 <P>This SK is mostly relevant for VPN.<BR />In Linux, at least according to <A href="https://stackoverflow.com/questions/63791960/clear-dont-fragment-bit-on-linux" target="_self">here</A>, the way you would do this would be something like:</P> <UL> <LI>ip route add 192.168.1.0/24 dev eth0 mtu lock 1500</LI> </UL> <P>You can try this in expert mode and see if it works.<BR />Replace 192.168.1.0/24 with the subnet that requires DF be cleared.<BR />However, I cannot say if this command will work on Gaia or not.<BR />Even if it does, it probably won't persist across reboots or even certain configuration changes in clish/WebUI.</P> Mon, 03 Jun 2024 20:07:20 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216290#M35937 PhoneBoy 2024-06-03T20:07:20Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216298#M35938 <P>You got it, thats it</P> <P>from my lab:</P> <P>[Expert@CP-gw:0]# ip route add 192.50.50.0/24 dev eth1 mtu lock 1500<BR />[Expert@CP-gw:0]#</P> <P>Best,</P> <P>Andy</P> Tue, 04 Jun 2024 00:27:58 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216298#M35938 the_rock 2024-06-04T00:27:58Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216414#M35978 <P>is there anything can be done to fix a fragment drop? as you can see in screenshot below/attached</P> Tue, 04 Jun 2024 15:37:47 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216414#M35978 knassif 2024-06-04T15:37:47Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216415#M35979 <P>also can you explain to me what that output means and if there is a way to fix it on the firewall</P> Tue, 04 Jun 2024 15:55:54 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216415#M35979 knassif 2024-06-04T15:55:54Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216417#M35981 <P>we use VSX so not sure how we can add the lock for a route, as far as I know we shouldnt add routes from cli for VSX and I dont see that as an option in Smartconsole</P> Tue, 04 Jun 2024 16:06:15 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216417#M35981 knassif 2024-06-04T16:06:15Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216418#M35982 <P>To fix a drop? Not sure, maybe worth TAC case.</P> <P>&nbsp;</P> <P>Andy</P> Tue, 04 Jun 2024 17:25:40 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216418#M35982 the_rock 2024-06-04T17:25:40Z https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216601#M36040 <P>If it's not an option from SmartConsole (where you have to define routes for a VS with VSX), then it's probably not supported.<BR />A few TAC cases I reviewed suggest this isn't supported as well, but best to check with them to confirm: <A href="https://help.checkpoint.com" target="_blank">https://help.checkpoint.com</A>&nbsp;</P> Wed, 05 Jun 2024 23:02:41 GMT https://community.checkpoint.com/t5/General-Topics/DF-bit/m-p/216601#M36040 PhoneBoy 2024-06-05T23:02:41Z