Fragment handling can be affected by the following settings.
1. The Check Point firewall internally reassembles fragmented packets before it enforces the policy. The mechanism waits for the configured time period and then deletes the record if no other associated fragments arrive. Fragmented packets that cannot be reassembled within the configured time period are dropped. The default timeout is 1 second.
2. To protect system resources, the Check Point firewall limits the total number of fragmented packets allowed. The default number of fragmented packets allowed is 200.
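To determine the current timeout and maximum number of fragmented packets allowed on your gateway, run the following command on the VAP. In the output, expires is the timeout in seconds and limit is the maximum number of fragmented packets allowed: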
-------- frag_table --------
dynamic, id 8184, attributes: expires 1, limit 200, hashsize 512, free function 963fe5a8 0
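As an added example (not Check Point's own tooling), the script below reads a frag_table header like the one above from stdin and compares the reassembly timeout and fragment limit with an expected baseline, so that a changed value stands out during a configuration review. The function names frag_attr and frag_check are hypothetical, and the baseline defaults to the values stated on this page (1 second, 200).

```shell
#!/bin/sh
# Added example: parse the frag_table header shown on this page.
# SAMPLE is the output copied from the page; feed real output on stdin instead.
SAMPLE='-------- frag_table --------
dynamic, id 8184, attributes: expires 1, limit 200, hashsize 512, free function 963fe5a8 0'

# frag_attr NAME: print the value of one attribute (expires, limit, hashsize).
# Returns 1 if the header or the attribute is not present in the input.
frag_attr() {
    sed -n 's/^.*attributes:\(.*\)$/\1/p' | tr ',' '\n' |
        awk -v key="$1" '
            $1 == key { print $2; found = 1; exit }
            END { if (!found) exit 1 }'
}

# frag_check [TIMEOUT] [LIMIT]: compare the header on stdin with a baseline.
# Prints one line per setting; returns 1 if a value differs or is missing.
frag_check() {
    hdr=$(cat)
    want_expires=${1:-1}      # page default: 1 second
    want_limit=${2:-200}      # page default: 200 fragmented packets
    rc=0
    for pair in "expires:$want_expires" "limit:$want_limit"; do
        name=${pair%%:*}
        want=${pair#*:}
        got=$(printf '%s\n' "$hdr" | frag_attr "$name") || got=missing
        if [ "$got" = "$want" ]; then
            echo "OK    $name=$got"
        else
            echo "DIFF  $name=$got (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Demo on the sample copied from the page.
printf '%s\n' "$SAMPLE" | frag_check
```

Pass a different baseline as arguments (timeout first, then limit) if your gateway is intentionally tuned away from the defaults.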