Some attacks from the Internet try to outsmart the firewall with fragmented packets (packets split into several small units). One of the key features of stateful inspection is the ability to reassemble fragmented packets and then inspect the entire IP packet.
The desired behavior of the firewall can be set centrally. The following options are available:
- Filter: Fragmented packets are dropped immediately by the firewall.
- Route: Fragmented packets are passed through by the firewall without further checks, provided that the applicable filter settings permit this.
- Re-assemble: Fragmented packets are cached and reassembled into a complete IP packet. The reassembled packet is then inspected against the applicable filter settings and handled accordingly.
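The following is an added sketch, not the firewall's own code, of what the Re-assemble option implies: only the first fragment carries the UDP header, so a port rule can be evaluated reliably only after the fragments have been cached and joined. The function names, the blocked-port rule and the sample packets are constructed for illustration.

```python
import struct

HDR = "!BBHHHBBH4s4s"  # IPv4 header without options (20 bytes)

def make_fragment(ident, offset, more, payload):
    """Build a constructed IPv4/UDP fragment (documentation addresses, checksum 0)."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    return struct.pack(HDR, 0x45, 0, 20 + len(payload), ident, flags_off,
                       64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])) + payload

def parse_fragment(pkt):
    """Return (datagram key, byte offset, more-fragments flag, payload)."""
    vihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return (src, dst, proto, ident), (flags_off & 0x1FFF) * 8, bool(flags_off & 0x2000), pkt[ihl:total]

def reassemble(packets):
    """Cache fragments per datagram and return {key: payload} for complete ones.
    Holes, overlaps and duplicates are rejected (a conservative choice made here)."""
    cache = {}
    for pkt in packets:
        key, off, more, data = parse_fragment(pkt)
        cache.setdefault(key, []).append((off, more, data))
    complete = {}
    for key, frags in cache.items():
        frags.sort(key=lambda f: f[0])
        buf, contiguous = b"", True
        for off, _, data in frags:
            contiguous = contiguous and off == len(buf)
            buf += data
        if contiguous and not frags[-1][1] and all(m for _, m, _ in frags[:-1]):
            complete[key] = buf
    return complete

def decide(packets, blocked_udp_ports):
    """Apply a destination-port rule to reassembled datagrams only."""
    verdicts = {}
    for key, payload in reassemble(packets).items():
        dst_port = struct.unpack("!H", payload[2:4])[0]  # UDP header: bytes 2-3
        verdicts[key[3]] = "drop" if dst_port in blocked_udp_ports else "accept"
    return verdicts

# Constructed sample: one 32-byte UDP datagram in two fragments, delivered out of
# order, plus a stray fragment whose first part never arrives.
UDP = struct.pack("!HHHH", 40000, 69, 32, 0) + b"A" * 24
SAMPLE = [make_fragment(0x1234, 16, False, UDP[16:]),
          make_fragment(0x1234, 0, True, UDP[:16]),
          make_fragment(0x9999, 16, False, b"B" * 16)]
```

The stray fragment with ID 0x9999 never receives a verdict because its datagram stays incomplete; a real implementation would also expire such cache entries after a timeout.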