Reg. blocks for database size in Frag guard of PIX

Unanswered Question
Nov 11th, 2008

Dear Team

I need to enable Frag Guard on the PIX Firewall; however, I am not understanding the concept of database size in it.

The following is mentioned in the Cisco PDF regarding the same; however, I have not understood the "block" concept:

"Setting the database-limit of the size option to a large value can make the PIX Firewall more vulnerable to a DoS attack by fragment flooding. Do not set the database-limit equal to or greater than the total number of blocks in the 1550 or 16384 pool."

Also, my current setting is the default, i.e. 200. Please recommend whether I should lower this value or not.


sadbulali Mon, 11/17/2008 - 07:16

FragGuard and virtual reassembly is a feature that provides IP fragment protection. This feature performs full reassembly of all ICMP error messages and virtual reassembly of the remaining IP fragments that are routed through the PIX Firewall. Virtual reassembly is currently enabled by default. This feature uses syslog to log any fragment overlapping and small fragment offset anomalies, especially those caused by a teardrop attack.

The sysopt commands let you tune various PIX Firewall security and configuration features. In addition, you can use this command to disable the PIX Firewall IP Frag Guard feature. It is fine to use the default setting of 200, and this will work fine.
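What the database limit actually bounds, shown as an added illustration that is not part of either post above and is not Cisco code: a toy Python model of virtual reassembly with a per-interface fragment database limit, a per-datagram chain limit, overlap detection (the teardrop pattern the answer mentions) and the RFC 1858 tiny-fragment rule for a fragment at offset 1 (8 bytes). The PIX internals, its memory-block accounting and its exact anomaly thresholds are not on this page, so the rules and the constructed traffic below are assumptions chosen only to show the mechanism; the defaults of 200 (database) and 24 (chain) are the values the PIX documents for the `fragment size` and `fragment chain` settings.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP Identification field, shared by all fragments of one datagram
    offset: int   # fragment offset in bytes (the header field multiplied by 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: True unless this is the last fragment


@dataclass
class FragGuard:
    """Toy model of PIX-style virtual reassembly; an illustration, not Cisco's code."""
    database_limit: int = 200  # fragments held per interface; PIX 'fragment size' default
    chain_limit: int = 24      # fragments per datagram; PIX 'fragment chain' default
    chains: dict = field(default_factory=dict)  # ident -> list of held Fragments
    held: int = 0              # fragments currently occupying database slots
    log: list = field(default_factory=list)     # stand-in for the syslog messages

    def _drop_chain(self, ident):
        # Releasing a chain frees every slot its fragments occupied.
        self.held -= len(self.chains.pop(ident, []))

    def _complete(self, chain):
        # Complete when the sorted fragments cover offset 0 onward with no gap
        # and the last one has MF clear.
        chain = sorted(chain, key=lambda f: f.offset)
        expect = 0
        for f in chain:
            if f.offset != expect:
                return False
            expect = f.offset + f.length
        return not chain[-1].more

    def accept(self, frag):
        """Admit, reassemble or drop one fragment; returns a status string."""
        chain = self.chains.get(frag.ident, [])
        # Overlap with a fragment already held (teardrop pattern): drop the chain.
        for h in chain:
            if frag.offset < h.offset + h.length and h.offset < frag.offset + frag.length:
                self.log.append(f"overlap ident={frag.ident} offset={frag.offset}")
                self._drop_chain(frag.ident)
                return "dropped:overlap"
        # RFC 1858 tiny-fragment rule: offset 1 (8 bytes) lets a second fragment
        # overwrite transport-header fields of the first. The RFC states it for
        # TCP; this model applies it to every datagram (assumption).
        if frag.offset == 8:
            self.log.append(f"small offset ident={frag.ident}")
            self._drop_chain(frag.ident)
            return "dropped:small-offset"
        if len(chain) >= self.chain_limit:
            self.log.append(f"chain limit ident={frag.ident}")
            self._drop_chain(frag.ident)
            return "dropped:chain-limit"
        # The database limit is the fragment-flooding trade-off: once every slot
        # is taken by fragments that never complete, new fragments are dropped.
        # A limit close to the size of the shared block pool would instead let
        # the flood consume the memory blocks all other traffic depends on.
        if self.held >= self.database_limit:
            self.log.append(f"database full ident={frag.ident}")
            return "dropped:database-full"
        chain.append(frag)
        self.chains[frag.ident] = chain
        self.held += 1
        if self._complete(chain):
            self._drop_chain(frag.ident)  # datagram done; slots go back to the pool
            return "reassembled"
        return "held"


def run_demo():
    """Constructed traffic (not captured from a real PIX) exercising each rule."""
    g = FragGuard(database_limit=4)  # small limit so the flood case is visible
    results = {}
    # 1. A normal three-fragment datagram is held, then released when complete.
    results["normal"] = [g.accept(Fragment(7, 0, 1480, True)),
                         g.accept(Fragment(7, 1480, 1480, True)),
                         g.accept(Fragment(7, 2960, 100, False))]
    # 2. Teardrop: the second fragment overlaps the first.
    results["teardrop"] = [g.accept(Fragment(9, 0, 32, True)),
                           g.accept(Fragment(9, 24, 32, True))]
    # 3. Tiny fragment at offset 8 following an 8-byte first fragment.
    results["tiny"] = [g.accept(Fragment(11, 0, 8, True)),
                       g.accept(Fragment(11, 8, 20, False))]
    # 4. Flood of first fragments that never complete: the fifth finds no slot.
    results["flood"] = [g.accept(Fragment(100 + i, 0, 1000, True)) for i in range(5)]
    results["held"] = g.held
    results["log"] = list(g.log)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The point for the original question: the database limit is a count of held fragments per interface, and each held fragment ties up a memory block from the pool the Cisco note refers to, which is why the limit should stay well below the pool size rather than be raised toward it.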

