The set tcp-mss-sender and set tcp-mss-receiver commands in a FortiGate firewall policy are used to implement TCP Maximum Segment Size (MSS) clamping. The MSS value, exchanged during the TCP three-way handshake, defines the largest TCP payload size that an endpoint can receive in a single segment. By configuring these values, the FortiGate intercepts TCP SYN packets and, if necessary, lowers the advertised MSS. This ensures that the resulting IP packets (TCP payload + TCP/IP headers) do not exceed the Path Maximum Transmission Unit (PMTU), thereby preventing IP fragmentation, which is a common issue in networks with tunnels like IPsec VPNs.

A. MSS clamping is a traffic modification mechanism that alters TCP parameters to prevent fragmentation; it does not act as a security filter to allow or deny packets based on their size.

C. The administrator calculates the appropriate MSS value based on the path's MTU, not the other way around. The goal is to control the payload size to fit within the MTU.

D. The FortiGate modifies the MSS value in the TCP SYN packet only if the packet's original MSS is greater than the value configured, in order to reduce it.

---

1. Fortinet FortiOS 7.0.0 CLI Reference:

Document: FortiOS 7.0.0 CLI Reference

Section: config firewall policy

Page: 1018

Content: The reference defines tcp-mss-sender and tcp-mss-receiver as commands to configure the "TCP maximum segment size in bytes." It states

"When set to a non-zero value

the FortiGate unit will replace the MSS value in the TCP SYN packet with the value you specify if the original MSS is larger." This confirms the mechanism modifies the maximum payload size.

2. Fortinet FortiOS 7.0.0 Networking Guide:

Document: FortiOS 7.0.0 Networking Guide

Section: Packet fragmentation

Page: 338

Content: "The FortiGate can also perform TCP MSS clamping to reduce the MSS of TCP packets to prevent them from being fragmented... The MSS is the size of the data portion of a TCP packet." This directly supports that the commands determine the largest payload (data portion) of a TCP segment.

3. Fortinet FortiOS 7.0.0 Administration Guide:

Document: FortiOS 7.0.0 Administration Guide

Section: IPsec VPN advanced settings

Page: 518

Content: The guide explains the need for MSS clamping in VPNs: "If the TCP MSS is not set correctly

the TCP packets may need to be fragmented after being encrypted. The FortiGate unit can reduce the MSS in the TCP SYN packet to avoid this." This highlights the function of controlling segment size to prevent fragmentation.