FireWall-1 FAQ: What is Virtual Fragment Reassembly?
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
In order to determine whether or not a packet fragmented should be allowed or not, FireWall-1 holds all fragments it receives until it gets them all and assembles them in memory. If the assembled packet would normally pass, then it passes the packet, but it sends out the packet as it received it: fragmented (thus the term virtual defragmentation). If FireWall-1 doesn't receive all the fragments for the packet or the fragment table fills up, such as occurs with any fragmentation-based Denial of Service attacks that send malformed packet fragments, then FireWall-1 drops the fragments and does not forward them.