Maximum Segment Size (MSS)
The maximum transmission unit (MTU) is a value indicating the largest number of bytes that can be transmitted in a single TCP packet. The MTU includes the length of headers, so the MTU minus the number of bytes in the headers equals the maximum segment size (MSS), which is the maximum number of data bytes that can be transmitted in a single packet.
A configurable MSS adjustment size (shown below) allows your firewall to pass traffic that has longer headers than the default setting allows. Encapsulation adds length to headers, so you would increase the MSS adjustment size to allow bytes, for example, to accommodate an MPLS header or tunneled traffic that has a VLAN tag.
If the DF (don’t fragment) bit is set for a packet, it is especially helpful to have a larger MSS adjustment size and smaller MSS so that longer headers do not result in a packet length that exceeds the allowed MTU. If the DF bit were set and the MTU were exceeded, the larger packets would be dropped.
The firewall supports a configurable MSS adjustment size for IPv4 and IPv6 addresses on the following Layer 3 interface types: Ethernet, subinterfaces, Aggregated Ethernet (AE), VLAN, and loopback. The IPv6 MSS adjustment size applies only if IPv6 is enabled on the interface.
If IPv4 and IPv6 are enabled on an interface and the MSS Adjustment Size differs between the two IP address formats, the proper MSS value corresponding to the IP type is used for TCP traffic.
For IPv4 and IPv6 addresses, the firewall accommodates larger-than-expected TCP header lengths. In the case where a TCP packet has a larger header length than you planned for, the firewall chooses as the MSS adjustment size the larger of the following two values:
- The configured MSS adjustment size
- The sum of the length of the TCP header (20) + the length of IP headers in the TCP SYN
This behavior means that the firewall overrides the configured MSS adjustment size if necessary. For example, if you configure an MSS adjustment size of 42, you expect the MSS to equal 1458 (the default MTU size minus the adjustment size [1500 - 42]). However, the TCP packet has 4 extra bytes of IP options in the header, so the MSS adjustment size (20+20+4) equals 44, which is larger than the configured MSS adjustment size of 42. The resulting MSS is 1500-44=1456 bytes, smaller than you expected.
To configure the MSS adjustment size, in Configure Session Settings, see Tune the Maximum Segment Size (MSS) adjustment size settings for a Layer 3 interface.
Network > Interfaces > Loopback
Network > Interfaces > Loopback Use the following fields to configure a loopback interface: Loopback Interface Settings Configure In Description Interface Name Loopback Interface The ...
Network > Interfaces > VLAN
Network > Interfaces > VLAN A VLAN interface can provide routing into a Layer 3 network (IPv4 and IPv6). You can add one or more ...
Layer 3 Subinterface
Layer 3 Subinterface Network > Interfaces > Ethernet For each Ethernet port configured as a physical Layer 3 interface, you can define additional logical Layer ...
PA-7000 Series Layer 3 Interface
PA-7000 Series Layer 3 Interface Network > Interfaces > Ethernet To configure a Layer 3 interface, click the name of an Interface (ethernet1/1, for example) ...
Configure Session Settings
Configure Session Settings This topic describes various settings for sessions other than timeouts values. Perform these tasks if you need to change the default settings. ...
Enable Large Receive Offload
Enable Large Receive Offload Large receive offload (LRO) is a technique for increasing the inbound throughput on high-bandwidth network connections by decreasing CPU overhead. Without ...
Session Settings The following table describes session settings. Session Settings Description Rematch Sessions Click Edit and select Rematch Sessions to cause the firewall to apply ...
Deploy DoS and Zone Protection Using Best Practices
DoS and Zone Protection deployment best practices help to ensure a smooth rollout that protects your network and your most critical servers. ...