Fortinet Exam FCSS_EFW_AD-7.4 Topic 5 Question 3 Discussion

Actual exam question for Fortinet's FCSS_EFW_AD-7.4 exam
Question #: 3
Topic #: 5

Refer to the exhibits.

The configuration of a user's Windows PC, which has a default MTU of 1500 bytes, along with FortiGate interfaces set to an MTU of 1000 bytes, and the results of PC1 pinging server 172.16.0.254 are shown.

Why is the user in Windows PC1 unable to ping server 172.16.0.254 and is seeing the message: Packet needs to be fragmented but DF set?

Suggested Answer: C

The ping fails because the packet has the 'do not fragment' (DF) bit set and is larger than the MTU of the network path, and FortiGate honors that bit. Windows PC1 (MTU of 1500 bytes) sends a 1400-byte packet, which the FortiGate interface (MTU of 1000 bytes) could forward only by fragmenting it. Because the DF bit is set, FortiGate drops the packet instead of fragmenting it.

To resolve this, the user should adjust the ping packet size to fit within the path MTU. In this case, reducing the packet size to 972 bytes (1000 bytes MTU minus 28 bytes for the IP and ICMP headers) should allow successful transmission.
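The forwarding decision described above can be modelled in a few lines. This is an added example, not part of the original question or of any FortiGate code; the function names, the two-hop path `[1500, 1000]`, and reading the "1400-byte packet" as a 1400-byte ping payload are assumptions made for illustration.

```python
IP_HEADER = 20    # IPv4 header without options
ICMP_HEADER = 8   # ICMP echo header

def forward(total_len, df, egress_mtu):
    """Decision a router makes for one IPv4 packet leaving an interface."""
    if total_len <= egress_mtu:
        return ("forward", [total_len])
    if df:
        # Too big and DF set: drop, and report the egress MTU back to the
        # sender in an ICMP type 3 code 4 (fragmentation needed) message.
        return ("icmp_frag_needed", egress_mtu)
    # DF clear: fragment. Every fragment except the last must carry a
    # multiple of 8 data bytes, so round the per-fragment data size down.
    per_frag = (egress_mtu - IP_HEADER) // 8 * 8
    data = total_len - IP_HEADER
    frags = []
    while data > 0:
        chunk = min(per_frag, data)
        frags.append(chunk + IP_HEADER)
        data -= chunk
    return ("fragment", frags)

def ping(payload, df, path_mtus):
    """Echo request with `payload` data bytes crossing hops with these egress MTUs.

    Simplified: only the DF outcome is tracked, fragments are not followed.
    """
    total = payload + IP_HEADER + ICMP_HEADER
    for mtu in path_mtus:
        verdict, detail = forward(total, df, mtu)
        if verdict == "icmp_frag_needed":
            return ("Packet needs to be fragmented but DF set", detail)
    return ("reply", None)

def max_df_payload(path_mtus):
    """Largest ping payload that crosses the path with DF set."""
    return min(path_mtus) - IP_HEADER - ICMP_HEADER

if __name__ == "__main__":
    path = [1500, 1000]                  # constructed: PC1 egress, FortiGate egress
    print(ping(1400, True, path))        # dropped, reported MTU 1000
    print(ping(max_df_payload(path), True, path))
    print(forward(1428, False, 1000))    # same packet with DF clear is fragmented
```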


Contribute your Thoughts:

Cherry
6 days ago
I disagree, I believe the answer is A. The user needs to adjust the ping MTU to 1000 to succeed.
upvoted 0 times
Hui
10 days ago
I think the answer is C. FortiGate drops packets when the do not fragment bit is honored.
upvoted 0 times
