Fortinet Exam FCSS_EFW_AD-7.4 Topic 5 Question 3 Discussion

Actual exam question for Fortinet's FCSS_EFW_AD-7.4 exam
Question #: 3
Topic #: 5

Refer to the exhibits.

The configuration of a user's Windows PC, which has a default MTU of 1500 bytes, along with FortiGate interfaces set to an MTU of 1000 bytes, and the results of PC1 pinging server 172.16.0.254 are shown.

Why is the user in Windows PC1 unable to ping server 172.16.0.254 and is seeing the message: Packet needs to be fragmented but DF set?

Suggested Answer: C

The issue occurs because FortiGate honors the 'do not fragment' (DF) bit in the packet, and the packet size exceeds the MTU of the network path. When Windows PC1 (with an MTU of 1500 bytes) attempts to send a 1400-byte packet, the FortiGate interface (with an MTU of 1000 bytes) would need to fragment it. However, since the DF bit is set, FortiGate drops the packet instead of fragmenting it.

To resolve this, the user should adjust the ping packet size to fit within the path MTU. In this case, reducing the packet size to 972 bytes (1000 bytes MTU minus 28 bytes for the IP and ICMP headers) should allow successful transmission.
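The arithmetic above, worked through on real packet bytes as an added example (not part of the original page and not FortiGate code): it builds IPv4 + ICMP echo requests with DF set and applies the generic RFC 791/1191 egress decision for an interface MTU of 1000, showing why a 1000-byte ping payload is still dropped while 972 bytes passes. The PC1 source address, the function names, and treating 1400 as the ping data size are assumptions made for the example.

```python
import socket
import struct

IP_HDR, ICMP_HDR = 20, 8   # IPv4 header without options, ICMP echo header
DF = 0x4000                # "don't fragment" bit in the flags/fragment-offset field

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def echo_request(src: str, dst: str, payload_len: int, df: bool = True) -> bytes:
    """Build an IPv4 + ICMP echo request carrying payload_len data bytes."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + bytes(payload_len)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(icmp), 1,
                      DF if df else 0, 128, socket.IPPROTO_ICMP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + icmp

def egress_decision(packet: bytes, mtu: int):
    """What a router does with a packet leaving an interface of the given MTU."""
    total_len, _ident, flags_frag = struct.unpack("!HHH", packet[2:8])
    if total_len <= mtu:
        return ("forward", None)
    if flags_frag & DF:
        # Drop and report ICMP type 3 code 4 with the next-hop MTU (RFC 1191).
        return ("drop", {"icmp_type": 3, "icmp_code": 4, "next_hop_mtu": mtu})
    return ("fragment", None)

def max_ping_payload(mtu: int) -> int:
    """Largest ping data size that fits in one unfragmented packet."""
    return mtu - IP_HDR - ICMP_HDR

if __name__ == "__main__":
    PC1 = "192.0.2.10"  # constructed address; the page does not give PC1's IP
    for size in (1400, 1000, 972):
        pkt = echo_request(PC1, "172.16.0.254", size)
        print(size, len(pkt), egress_decision(pkt, 1000))
```

On Windows, `ping -f -l 972 172.16.0.254` sends the passing case: `-l` sets the data size and `-f` sets the DF bit.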


Contribute your Thoughts:

Sherly
1 month ago
I wonder if the user tried turning it off and on again. That usually fixes everything, right? Oh, wait, that's just for IT support calls.
upvoted 0 times
Madonna
4 days ago
User1: That makes sense, FortiGate honors the do not fragment bit.
upvoted 0 times
...
Bo
6 days ago
User2: Yeah, the user might need to adjust the ping MTU to 972 to succeed.
upvoted 0 times
...
Tomoko
18 days ago
User1: Maybe the issue is with the MTU settings on the FortiGate.
upvoted 0 times
...
...
Leota
2 months ago
I bet the exam writers thought this one would really stump the candidates. Good thing the FortiGate's behavior is well-documented.
upvoted 0 times
Rory
2 days ago
D) The user must trigger different traffic because path MTU discovery techniques do not recognize ICMP payloads.
upvoted 0 times
...
Johnson
8 days ago
C) FortiGate honors the do not fragment bit and the packets are dropped. The user has to adjust the ping MTU to 972 to succeed.
upvoted 0 times
...
Page
20 days ago
A) Option ip.flags.mf must be set to enable on FortiGate. The user has to adjust the ping MTU to 1000 to succeed.
upvoted 0 times
...
...
Shannon
2 months ago
The user must have a keen eye for detail to spot the MTU discrepancy. Option C is the winner here.
upvoted 0 times
Luann
1 month ago
That makes sense, the user must have missed that detail.
upvoted 0 times
...
Rebecka
1 month ago
Yes, FortiGate honors the do not fragment bit and the packets are dropped.
upvoted 0 times
...
Sommer
1 month ago
I think the user needs to adjust the ping MTU to 972 to succeed.
upvoted 0 times
...
...
Janine
2 months ago
Hmm, the 'Packet needs to be fragmented but DF set' message is a dead giveaway. C is the way to go.
upvoted 0 times
Nikita
26 days ago
No, because the FortiGate interfaces are set to an MTU of 1000 bytes. Adjusting the ping MTU to 972 is the correct solution.
upvoted 0 times
...
Veronika
27 days ago
But wouldn't adjusting the ping MTU to 1000 also work?
upvoted 0 times
...
Nikita
2 months ago
C) FortiGate honors the do not fragment bit and the packets are dropped. The user has to adjust the ping MTU to 972 to succeed.
upvoted 0 times
...
...
Kris
2 months ago
Adjusting the ping MTU to 972 is a clever solution. I wouldn't have thought of that.
upvoted 0 times
Curt
14 days ago
User1: I agree, adjusting the ping MTU to match the FortiGate interface MTU is key.
upvoted 0 times
...
Celestina
25 days ago
User3: Option C seems to be the correct answer based on the scenario.
upvoted 0 times
...
Tawny
2 months ago
User2: Yes, it's important to understand how MTU affects connectivity.
upvoted 0 times
...
Cherri
2 months ago
User1: Adjusting the ping MTU to 972 is a clever solution.
upvoted 0 times
...
...
Gilberto
2 months ago
The issue is clearly related to the MTU mismatch between the user's PC and the FortiGate. Option C seems like the correct answer.
upvoted 0 times
...
Hui
2 months ago
Hmm, that makes sense too. Maybe we should review the exhibit again to confirm.
upvoted 0 times
...
Cherry
3 months ago
I disagree, I believe the answer is A. The user needs to adjust the ping MTU to 1000 to succeed.
upvoted 0 times
...
Hui
3 months ago
I think the answer is C. FortiGate drops packets when the do not fragment bit is honored.
upvoted 0 times
...