Only incoming fragmented IP-Datagrams should be blocked

Attack detection settings / Miscellaneous / Block fragmented IP-Datagrams
is enabled by default. But this might break outgoing communication if UDP packets are too big (e.g. ISAKMP) for the interface MTU.
At least it should be possible to allow outgoing fragmented packets for certain applications.
Fragmentation is sometimes necessary and should not be blocked. A firewall can reassemble packets for inspection if necessary.

Regards
Harald