Supporting MTU path discovery in ZIA

Path MTU discovery relies on ICMP messages indicating that fragmentation is needed on a hop between the sender and the receiver. This allows the endpoints to adjust automatically, on a per-packet basis, to the largest packet size the path can carry.

The behavior of ZIA is slightly different depending on whether the session is being proxied (like HTTPS through the secure web gateway) or network address translated (like non-web traffic being NATed via the Advanced Cloud-Gen Firewall).

In the “proxy” (SWG) case, we fully support the don't fragment (DF) bit separately on the south side (customer to ZEN) and the north side (ZEN to the originally requested application service).

In the “NAT” (ACFW) case, we support the DF bit on the full path. So when the ACFW receives an ICMP type 3, code 4 (fragmentation needed) message on the north (internet) side of the communication, the system maps it back along the southbound path to the endpoint, so path discovery happens as expected.
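The mapping step described above, as an added example that is not Zscaler's code: a constructed ICMP type 3, code 4 message is parsed, the quoted (post-NAT) north-side header is looked up in a hypothetical NAT table to find the south-side endpoint, and a per-flow path MTU cache is updated. The `NatPmtuRelay` class, the 1500-byte default and the documentation-range addresses are all assumptions made for the example. Two checks a practitioner would want are included: an ICMP error whose quoted flow matches no active translation is dropped, and a reported MTU can only lower the cached value, never raise it.

```python
"""Constructed example of relaying a north-side ICMP 'fragmentation needed' error
back to the south-side flow behind a NAT. Not Zscaler code; all names are assumed."""
import struct

ICMP_DEST_UNREACH = 3      # ICMPv4 type 3: destination unreachable
ICMP_FRAG_NEEDED = 4       # code 4: fragmentation needed and DF set (RFC 1191)
IPV4_MIN_MTU = 68          # smallest MTU any IPv4 host must accept


def _csum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data; verifies to 0 when the field is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, df: bool = True) -> bytes:
    """Minimal 20-byte IPv4 header; the DF flag is what makes PMTUD possible."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0, _ip(src), _ip(dst))
    return hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:]


def tcp_packet(src: str, dst: str, sport: int, dport: int) -> bytes:
    """IPv4 header plus the first 8 TCP bytes (ports + sequence number), DF set."""
    return ipv4_header(src, dst, 6, 8) + struct.pack("!HHI", sport, dport, 0)


def frag_needed(original: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3/code 4 as a router emits it: 8-byte ICMP header carrying the next-hop
    MTU, followed by the offending packet's IP header and first 8 payload bytes."""
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body = original[:28]
    return hdr[:2] + struct.pack("!H", _csum(hdr + body)) + hdr[4:] + body


def parse_frag_needed(icmp: bytes):
    """Return ((src, sport, dst, dport, proto), mtu) for a valid message, else None."""
    if len(icmp) < 28:
        return None
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED or _csum(icmp) != 0:
        return None
    inner = icmp[8:]                       # quoted header of the packet that was too big
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    proto = inner[9]
    src = ".".join(map(str, inner[12:16]))
    dst = ".".join(map(str, inner[16:20]))
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4]) if proto in (6, 17) else (0, 0)
    if mtu < IPV4_MIN_MTU:                 # malformed or nonsensical: ignore
        return None
    return (src, sport, dst, dport, proto), mtu


class NatPmtuRelay:
    """Hypothetical NAT state (assumed for this example): maps a north-side ICMP error back
    to the south-side flow and keeps a per-flow path MTU cache."""

    def __init__(self):
        self.nat = {}     # north 5-tuple -> (south_src, south_sport)
        self.pmtu = {}    # south 5-tuple -> current path MTU estimate

    def add_translation(self, south_src, south_sport, north_src, north_sport, dst, dport, proto=6):
        self.nat[(north_src, north_sport, dst, dport, proto)] = (south_src, south_sport)

    def handle_north_icmp(self, icmp: bytes):
        """Return the south-side (src, sport, dst, dport, mtu) to relay, or None if dropped."""
        parsed = parse_frag_needed(icmp)
        if parsed is None:
            return None
        key, mtu = parsed
        south = self.nat.get(key)
        if south is None:
            return None                    # error quotes a flow we never translated: drop
        _, _, dst, dport, proto = key
        skey = (south[0], south[1], dst, dport, proto)
        current = self.pmtu.get(skey, 1500)  # assumed starting MTU for the example
        if mtu >= current:
            return None                    # PMTUD only ever lowers the estimate
        self.pmtu[skey] = mtu
        return (south[0], south[1], dst, dport, mtu)


if __name__ == "__main__":
    relay = NatPmtuRelay()
    relay.add_translation("10.0.0.5", 40000, "203.0.113.10", 50000, "198.51.100.7", 443)
    north_pkt = tcp_packet("203.0.113.10", "198.51.100.7", 50000, 443)
    print(relay.handle_north_icmp(frag_needed(north_pkt, 1400)))
```

The relay only keys on the quoted inner header, which is exactly what a NAT has available: the outer ICMP packet is addressed to the NAT's own north-side address, so the south-side endpoint can only be recovered through the translation table.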
