Fragment filtering with ACLs
Traditional packet filtering matches only the first fragment of each packet and lets all subsequent non-first fragments pass unchecked. Attackers can fabricate non-first fragments, which carry no transport-layer header, to slip traffic past the filter and attack the network.
To avoid risks, the ACL feature is designed as follows:
Filters all fragments by default, including non-first fragments.
Lets you narrow the matching criteria for efficiency. For example, you can configure a rule to match only non-first fragments, so that first fragments and unfragmented packets are evaluated by the other rules.
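The following is an added example, not code from this documentation or from any vendor's ACL implementation, showing the two behaviours side by side: a legacy filter that inspects only first fragments (fragment offset 0) and waves non-first fragments through, and a fragment-aware filter that evaluates every fragment and supports a per-rule "non-first fragments only" flag. The rule syntax, rule names, and the IPv4 packets are all assumed and constructed for illustration; only Layer 3 criteria (source prefix, protocol) are used because a non-first fragment has no Layer 4 header to match on.

```python
"""Added example: first-fragment-only filtering versus all-fragment filtering.

Rule format and packet contents are assumptions for this example, not any
vendor's CLI. Only IPv4 header fields are matched.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IPv4Info:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    more_fragments: bool      # MF flag
    frag_offset: int          # fragment offset in 8-byte units

    @property
    def is_non_first_fragment(self) -> bool:
        # Any fragment with a non-zero offset is a non-first fragment.
        return self.frag_offset > 0


def parse_ipv4(raw: bytes) -> IPv4Info:
    """Decode the fixed 20-byte IPv4 header (options, if any, are ignored)."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _tlen, _ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return IPv4Info(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                    proto, bool(flags_off & 0x2000), flags_off & 0x1FFF)


@dataclass(frozen=True)
class Rule:
    action: str                                   # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network] = None   # None = any source
    proto: Optional[int] = None                   # None = any protocol
    fragment: bool = False                        # True = match only non-first fragments

    def matches(self, pkt: IPv4Info) -> bool:
        if self.fragment and not pkt.is_non_first_fragment:
            return False
        if self.src is not None and pkt.src not in self.src:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def evaluate(rules: List[Rule], pkt: IPv4Info, default: str = "deny") -> str:
    """First-match rule evaluation with an implicit default action."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def legacy_filter(rules: List[Rule], raw: bytes) -> str:
    """Traditional behaviour: non-first fragments bypass the ACL entirely."""
    pkt = parse_ipv4(raw)
    if pkt.is_non_first_fragment:
        return "permit"
    return evaluate(rules, pkt)


def fragment_aware_filter(rules: List[Rule], raw: bytes) -> str:
    """Every fragment is matched; rules with fragment=True hit only non-first fragments."""
    return evaluate(rules, parse_ipv4(raw))


def build_ipv4(src: str, dst: str, proto: int, more_fragments: bool,
               frag_offset: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet (checksum left zero; this is test data)."""
    flags_off = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                         flags_off, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed sample traffic: a blocked source sending a fragmented TCP packet.
FIRST_FRAG = build_ipv4("10.0.0.5", "192.0.2.10", 6, True, 0, b"\x00" * 8)
NON_FIRST_FRAG = build_ipv4("10.0.0.5", "192.0.2.10", 6, False, 185, b"\x00" * 8)
BENIGN = build_ipv4("198.51.100.7", "192.0.2.10", 6, False, 0, b"\x00" * 8)

# Policy 1: deny everything from 10.0.0.0/24, permit the rest.
BLOCK_SOURCE = [Rule("deny", src=ipaddress.IPv4Network("10.0.0.0/24")), Rule("permit")]
# Policy 2: the "filter only non-first fragments" variant from the text.
DROP_NON_FIRST = [Rule("deny", fragment=True), Rule("permit")]

if __name__ == "__main__":
    for name, raw in (("first", FIRST_FRAG), ("non-first", NON_FIRST_FRAG), ("benign", BENIGN)):
        print(f"{name:10} legacy={legacy_filter(BLOCK_SOURCE, raw):6} "
              f"fragment-aware={fragment_aware_filter(BLOCK_SOURCE, raw):6} "
              f"non-first-only={fragment_aware_filter(DROP_NON_FIRST, raw)}")
```

With the source-blocking policy, the legacy filter denies the first fragment from 10.0.0.5 but permits its non-first fragment, which is exactly the bypass described above; the fragment-aware filter denies both. The second policy shows the narrowed criterion: a rule flagged as fragment-only never matches first fragments or unfragmented packets, so those fall through to the remaining rules.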