[ScreenOS] What is the firewall default setting for TCP-MSS?

  [KB4586]


This article lists the TCP maximum segment size (TCP MSS) default settings.

  • set flow tcp-mss
  • set flow all-tcp-mss PPPoE

For NS-5GT, SSG-5, and SSG-20 devices, the command set flow tcp-mss is enabled by default with a value of 1350.

On all other Juniper firewall devices, the command set flow tcp-mss is disabled, meaning it is not set by default in the configuration.

Enter the command get flow | inc mss to see the current values. For example, look for the following fields:

flow change tcp mss option for all packets is not set
flow change tcp mss option for vpn packets = 1350

Enter the command get config | inc mss to see the configured settings.

For more information on the difference between the two MSS options, refer to KB6346 - What does set flow all-tcp-mss and set flow tcp-mss do.

Note: If PPPoE is enabled and bound to an interface, the command set flow all-tcp-mss 1304 is added automatically if no set flow all-tcp-mss command was previously configured.
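
The check described above can be scripted when auditing several devices. The following is an added example, not Juniper code: it parses saved get flow | inc mss output in the format shown in this article and reports values that differ from the defaults stated here. It assumes the "vpn packets" line reflects set flow tcp-mss and the "all packets" line reflects set flow all-tcp-mss; the function names and the OTHER-MODEL placeholder are hypothetical.

```python
import re

# Line format taken from the sample output shown in this article.
_LINE = re.compile(
    r"flow change tcp mss option for (all|vpn) packets\s+(?:is not set|=\s*(\d+))",
    re.IGNORECASE,
)

# Models on which the article says set flow tcp-mss defaults to 1350.
MODELS_WITH_VPN_DEFAULT = {"NS-5GT", "SSG-5", "SSG-20"}


def parse_get_flow_mss(output):
    """Return {'all': int|None, 'vpn': int|None}; None means 'is not set'."""
    values = {}
    for line in output.splitlines():
        m = _LINE.search(line)
        if m:
            values[m.group(1).lower()] = int(m.group(2)) if m.group(2) else None
    return values


def expected_defaults(model, pppoe_bound=False):
    """Defaults as stated in the article; 1304 is what PPPoE adds when unset."""
    return {
        "all": 1304 if pppoe_bound else None,
        "vpn": 1350 if model.upper() in MODELS_WITH_VPN_DEFAULT else None,
    }


def deviations(output, model, pppoe_bound=False):
    """List (scope, expected, actual) for each value that is not the default."""
    actual = parse_get_flow_mss(output)
    expected = expected_defaults(model, pppoe_bound)
    return [(k, expected[k], actual.get(k, "missing"))
            for k in ("all", "vpn") if actual.get(k, "missing") != expected[k]]


# Constructed sample: the two lines quoted in this article.
SAMPLE = """\
flow change tcp mss option for all packets is not set
flow change tcp mss option for vpn packets = 1350
"""

if __name__ == "__main__":
    print(parse_get_flow_mss(SAMPLE))
    print(deviations(SAMPLE, "SSG-5"))        # matches the documented default
    print(deviations(SAMPLE, "OTHER-MODEL"))  # tcp-mss was set explicitly
```

A reported deviation is not necessarily a fault; it means the value was configured explicitly and should match what the get config | inc mss output shows.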

Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.