Information
Sets the security appliance to drop fragmented packets received on the untrusted interface.
Rationale:
Attackers use fragmentation to evade security systems such as firewalls or IPS because the checks are usually performed on the first fragment. They can then put malicious payload in the other fragments to perform DoS against internal systems. Disabling the fragmentation on the security appliance implies changing its default behavior from accepting up to 24 fragments in a packet to accepting only 1 fragment in a packet. In other words, it implies accepting only non fragmented packets.
Solution
Step 1: Acquire the name of the untrusted interface <interface_name>
Step 2: Run the following command to deny fragments on the interface.
hostname(config)#fragment chain 1 <interface_name>
Default Value:
The default value for the fragment chain is 24.