
Fortinet Exam FCSS_EFW_AD-7.4 Topic 5 Question 3 Discussion

Actual exam question for Fortinet's FCSS_EFW_AD-7.4 exam
Question #: 3
Topic #: 5

Refer to the exhibits.

The configuration of a user's Windows PC, which has a default MTU of 1500 bytes, along with FortiGate interfaces set to an MTU of 1000 bytes, and the results of PC1 pinging server 172.16.0.254 are shown.

Why is the user on Windows PC1 unable to ping server 172.16.0.254, and why does the user see the message "Packet needs to be fragmented but DF set"?

Suggested Answer: C

The issue occurs because FortiGate honors the 'do not fragment' (DF) bit in the packet, and the packet size exceeds the MTU of the network path. When Windows PC1 (with an MTU of 1500 bytes) sends a 1400-byte packet, the FortiGate interface (with an MTU of 1000 bytes) would need to fragment it before forwarding. However, since the DF bit is set, FortiGate drops the packet instead of fragmenting it.

To resolve this, the user should adjust the ping packet size to fit within the path MTU. In this case, reducing the packet size to 972 bytes (1000 bytes MTU minus 28 bytes for the IP and ICMP headers) should allow successful transmission.
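The size arithmetic and the drop decision described above, as an added example (not part of the original page and not Fortinet code): a small Python model of a router's egress-MTU check. It assumes a 20-byte IPv4 header without options and an 8-byte ICMP echo header, and treats the 1400-byte figure as the ping payload size; the function names are hypothetical.

```python
IP_HDR = 20    # assumption: IPv4 header without options
ICMP_HDR = 8   # ICMP echo request header

def max_ping_payload(mtu):
    """Largest ICMP echo payload that fits in one unfragmented IPv4 packet."""
    return mtu - IP_HDR - ICMP_HDR

def forward(ping_payload, egress_mtu, df):
    """Model the forwarding decision for one ICMP echo request.

    Returns ("forward", [total_len]), ("fragment", [frag_len, ...]) or
    ("drop", icmp_error), where icmp_error describes the error sent back.
    """
    ip_payload = ICMP_HDR + ping_payload
    total = IP_HDR + ip_payload
    if total <= egress_mtu:
        return "forward", [total]
    if df:
        # DF honored: no fragmentation. RFC 1191 reply is Destination
        # Unreachable (type 3), code 4, carrying the next-hop MTU.
        return "drop", {"type": 3, "code": 4, "next_hop_mtu": egress_mtu}
    # DF clear: every fragment except the last carries a multiple of 8 bytes.
    chunk = (egress_mtu - IP_HDR) // 8 * 8
    frags, offset = [], 0
    while offset < ip_payload:
        size = min(chunk, ip_payload - offset)
        frags.append(IP_HDR + size)
        offset += size
    return "fragment", frags

if __name__ == "__main__":
    MTU = 1000  # FortiGate interface MTU from the question
    print("max ping payload:", max_ping_payload(MTU))
    # Constructed test sizes: the failing ping, both answer candidates,
    # one byte over the limit, and the failing ping with DF cleared.
    for size, df in [(1400, True), (1000, True), (973, True),
                     (972, True), (1400, False)]:
        print(size, "DF" if df else "no DF", forward(size, MTU, df))
```
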


Contribute your Thoughts:

Sherly
24 days ago
I wonder if the user tried turning it off and on again. That usually fixes everything, right? Oh, wait, that's just for IT support calls.
upvoted 0 times
Tomoko
5 days ago
User1: Maybe the issue is with the MTU settings on the FortiGate.
upvoted 0 times
...
...
Leota
1 months ago
I bet the exam writers thought this one would really stump the candidates. Good thing the FortiGate's behavior is well-documented.
upvoted 0 times
Page
7 days ago
A) Option ip.flags.mf must be set to enable on FortiGate. The user has to adjust the ping MTU to 1000 to succeed.
upvoted 0 times
...
...
Shannon
1 months ago
The user must have a keen eye for detail to spot the MTU discrepancy. Option C is the winner here.
upvoted 0 times
Luann
22 days ago
That makes sense, the user must have missed that detail.
upvoted 0 times
...
Rebecka
23 days ago
Yes, FortiGate honors the do not fragment bit and the packets are dropped.
upvoted 0 times
...
Sommer
30 days ago
I think the user needs to adjust the ping MTU to 972 to succeed.
upvoted 0 times
...
...
Janine
2 months ago
Hmm, the 'Packet needs to be fragmented but DF set' message is a dead giveaway. C is the way to go.
upvoted 0 times
Nikita
13 days ago
No, because the FortiGate interfaces are set to an MTU of 1000 bytes. Adjusting the ping MTU to 972 is the correct solution.
upvoted 0 times
...
Veronika
14 days ago
But wouldn't adjusting the ping MTU to 1000 also work?
upvoted 0 times
...
Nikita
1 months ago
C) FortiGate honors the do not fragment bit and the packets are dropped. The user has to adjust the ping MTU to 972 to succeed.
upvoted 0 times
...
...
Kris
2 months ago
Adjusting the ping MTU to 972 is a clever solution. I wouldn't have thought of that.
upvoted 0 times
Curt
22 hours ago
User1: I agree, adjusting the ping MTU to match the FortiGate interface MTU is key.
upvoted 0 times
...
Celestina
12 days ago
User3: Option C seems to be the correct answer based on the scenario.
upvoted 0 times
...
Tawny
1 months ago
User2: Yes, it's important to understand how MTU affects connectivity.
upvoted 0 times
...
Cherri
2 months ago
User1: Adjusting the ping MTU to 972 is a clever solution.
upvoted 0 times
...
...
Gilberto
2 months ago
The issue is clearly related to the MTU mismatch between the user's PC and the FortiGate. Option C seems like the correct answer.
upvoted 0 times
...
Hui
2 months ago
Hmm, that makes sense too. Maybe we should review the exhibit again to confirm.
upvoted 0 times
...
Cherry
2 months ago
I disagree, I believe the answer is A. The user needs to adjust the ping MTU to 1000 to succeed.
upvoted 0 times
...
Hui
3 months ago
I think the answer is C. FortiGate drops packets when the do not fragment bit is honored.
upvoted 0 times
...
