Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.
Before You Begin |
---|
For background information, read Understanding ICMP Fragment Protection. |
You can use either J-Web or the CLI configuration editor to block fragmented ICMP packets. The specified security zone is the one from which the fragments originated.
To configure screens:
- user@host# set security screen ids-option icmp-fragment icmp fragment

To configure zones:
- user@host# set security zones security-zone zone screen icmp-fragment
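In IPv4 terms, a packet is a fragmented ICMP packet when its protocol field is 1 and either the More Fragments flag is set or the fragment offset is nonzero. The following Python is an added example, not Juniper code, that applies that test to raw IPv4 headers, for instance when checking a capture for traffic the screen would match; the function names and sample packets are constructed for illustration.

```python
import struct

ICMP = 1              # IPv4 protocol number for ICMP
MF_FLAG = 0x2000      # More Fragments bit in the flags/offset word
OFFSET_MASK = 0x1FFF  # 13-bit fragment offset, in 8-byte units


def is_fragmented_icmp(packet: bytes) -> bool:
    """True if `packet` is an IPv4 datagram carrying a fragment of ICMP."""
    if len(packet) < 20:
        return False                      # shorter than a minimal IPv4 header
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        return False                      # not IPv4, or header is malformed
    if packet[9] != ICMP:
        return False                      # other protocols may fragment legitimately
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    # First and middle fragments have MF set; the last has only an offset.
    return bool(flags_frag & MF_FLAG) or (flags_frag & OFFSET_MASK) != 0


def build_ipv4(proto: int, flags_frag: int, payload: bytes = b"") -> bytes:
    """Constructed sample header (documentation addresses, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                       flags_frag, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload


# Constructed samples: name -> raw packet
SAMPLES = {
    "icmp_whole":      build_ipv4(ICMP, 0x0000, b"\x08\x00" + b"\x00" * 6),
    "icmp_df_only":    build_ipv4(ICMP, 0x4000, b"\x08\x00" + b"\x00" * 6),
    "icmp_first_frag": build_ipv4(ICMP, MF_FLAG, b"\x08\x00" + b"A" * 1478),
    "icmp_last_frag":  build_ipv4(ICMP, 185, b"A" * 100),
    "udp_fragment":    build_ipv4(17, MF_FLAG, b"B" * 64),
    "truncated":       b"\x45\x00\x00",
}


def classify_samples() -> dict:
    return {name: is_fragmented_icmp(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:16} {'DROP' if verdict else 'pass'}")
```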