Ensure packet fragments are restricted for untrusted interfaces


Sets the security appliance to drop fragmented packets received on the untrusted interface.


Attackers use fragmentation to evade security controls such as firewalls or IPS, because inspection is usually performed only on the first fragment. A malicious payload placed in later fragments can then be used for denial of service against internal systems. Disabling fragmentation on the security appliance changes its default behavior from accepting up to 24 fragments per packet to accepting only 1 fragment per packet; in other words, only non-fragmented packets are accepted.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.


Configure Fragment settings with Firepower Management Center:

Step 1 - Select Devices > Device Management and click the edit icon for your FTD device. The Interfaces tab is selected by default.

Step 2 - Click the edit icon for the interface you want to edit.

Step 3 - Click the Advanced tab, and then click the Security Configuration tab.

Step 4 - To enable Unicast Reverse Path Forwarding, check the Anti-Spoofing check box.

Step 5 - To enable full fragment reassembly, check the Full Fragment Reassembly check box.

Step 6 - To change the number of fragments allowed per packet, check the Override Default Fragment Setting check box and set the fragment limit for the untrusted interface.
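The target output Nessus returns for this item is the device configuration, so the check reduces to reading the per-interface fragment limit and confirming that untrusted interfaces allow exactly one fragment. The script below is an added example, not Tenable's audit logic or Cisco's own tooling. It assumes the FMC setting is rendered on the device as an ASA/FTD-style `fragment chain <limit> [interface]` line (an interface-less line sets the global limit, which the benchmark text gives as 24 by default), and the configuration excerpt is constructed for illustration.

```python
"""Check that untrusted interfaces accept only non-fragmented packets.

Added example (not from the benchmark or the vendor). Assumption: the
FMC "Override Default Fragment Setting" option is written to the device
as `fragment chain <limit> [interface]`; with no interface the line sets
the global limit. The sample configuration below is constructed.
"""
import re
from typing import Dict, Iterable

DEFAULT_CHAIN = 24  # appliance default per the benchmark text

# Constructed running-config excerpt: "outside" is hardened, "inside" is not.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
fragment chain 1 outside
fragment size 200 outside
fragment chain 24 inside
"""

_NAMEIF = re.compile(r"^\s*nameif\s+(\S+)\s*$")
_CHAIN = re.compile(r"^\s*fragment\s+chain\s+(\d+)(?:\s+(\S+))?\s*$")


def parse_chain_limits(config: str) -> Dict[str, int]:
    """Return the effective fragment-chain limit for every named interface.

    Per-interface `fragment chain N <iface>` lines override the global
    limit; interfaces with no explicit line inherit the global value.
    """
    names = []
    global_limit = DEFAULT_CHAIN
    per_interface: Dict[str, int] = {}
    for line in config.splitlines():
        m = _NAMEIF.match(line)
        if m:
            names.append(m.group(1))
            continue
        m = _CHAIN.match(line)
        if m:
            limit, iface = int(m.group(1)), m.group(2)
            if iface is None:
                global_limit = limit
            else:
                per_interface[iface] = limit
    return {name: per_interface.get(name, global_limit) for name in names}


def noncompliant_interfaces(config: str,
                            untrusted: Iterable[str] = ("outside",)) -> Dict[str, int]:
    """Map each untrusted interface whose limit is not 1 to its current limit."""
    limits = parse_chain_limits(config)
    return {name: limit for name, limit in limits.items()
            if name in set(untrusted) and limit != 1}


if __name__ == "__main__":
    findings = noncompliant_interfaces(SAMPLE_CONFIG, ("outside", "inside"))
    for name, limit in findings.items():
        print(f"FAIL {name}: fragment chain {limit} (expected 1)")
    if not findings:
        print("PASS: all untrusted interfaces accept only non-fragmented packets")
```

Which interfaces count as untrusted is a site decision, so the check takes the list as a parameter rather than inferring it from security levels; the "inside" interface is included in the sample run only to show a failing case.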


Item Details


References: 800-53|SC-7(11)

Plugin: Cisco_Firepower

Control ID: 0f50b99f4e9dd564c7459a41d7e54e80a8d863fd4cac0d3a1b5391bb71645b10