This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Leon_Noble
Participant
a month ago

MSS Clamping on SYN/ACK

I am looking to implement MSS clamping on one of our clusters and I would like to clarify my interpretation of sk61221 and sk101219 despite what the AI tools are telling me.

From my interpretation when applying the MSS clamping this is done on the outbound interface i.e. the interface the SYN packet leaves the appliance for the next hop.

In the scenario we are looking at, we would like to apply the MSS clamping on our external (internet) facing interface only. Now this should work with no issue for outbound internet traffic, but for services that access internal services, would this also apply to the return SYN/ACK packet?

So external source (MTU 1500) -> ExtFWIF (MTU 1320) -> IntFWIF (MTU 1500) -> Server (MTU 1500).

Would the resultant SYN/ACK to the external source be updated to 1320 or does this only apply to externally bound SYN packets?

0 Kudos
1 Reply
HeikoAnkenbrand
MVP Diamond
MVP Diamond
a month ago

Yes, it can also affect the SYN/ACK. The SYN/ACK packet contains no data, so it will be smaller than 1320 bytes anyway.
During the TCP handshake, both the client and the server advertise MSS values in the SYN and SYN/ACK packets to inform the peer of the maximum segment size (MSS) they are able to accept. To avoid packet fragmentation, the MSS value must not exceed the MTU on the communication path.

Example if your MTU is set to 1320:

1a) Client sends SYN with MSS 1460
1b) Firewall changes the (MTU 1320 - IP header - TCP header) to MSS size1280  
2a) Server replies with SYN/ACK MSS 1280 or 1460 (old stacks) 
2b) Firewall/povider router changes - it if necessary - here also to MSS size 1280

Handshake packets itself are normally not reduced in relevant way. The negotiated maximum segment size is reduced. This has then effect on the following data traffic. If the line can handle this only smaller in direction to the firewall, then maybe the router at provider side must/should do this and also set the MSS to 1280.

However, since this only applies to TCP, you can't use it with UDP or other protocols anyway, because fragmentation comes into play there.

Because you're dealing with the external interface, I think this refers to the connection to the provider. I would always try to set up a connection with an MTU of 1500 (1460 for data).  Otherwise, your internet connection will keep slowing down because of MSS (TCP) or fragmentation (UDP), which makes the connection slower and slower.

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 19 May 2026 @ 08:00 AM (EDT)

    Montreal: P’tits déj Cyber! | Cyber Breakfasts!
    In-Person

    Tue 02 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Aarhus
    In-Person

    Wed 03 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Copenhagen
    CheckMates Events