Oscar_Wee
Staff
May 14, 2025

Technical Tip: Configuring the firewall policy to enable the asymmetric routing

Description

This article describes why traffic can still be matched by the deny policy in the forward traffic log, even though:

  1. Asymmetric routing (asymroute) is enabled at the VDOM level:

config vdom
    edit <vdom_name>
        config system settings
            set asymroute enable
        end
end

  2. tcp-session-without-syn is enabled in config system settings:

config system settings
    set tcp-session-without-syn enable
end

Scope

FortiGate.
Solution

Note that this is not a bug: tcp-session-without-syn has to be enabled on the firewall policy as well, not only in config system settings. Once it is enabled on the firewall policy that the traffic matches, the packets are permitted.

Enter the following commands in the CLI:

config firewall policy
    edit <policyid>
        set tcp-session-without-syn all
end

Verify that packets are allowed by the relevant firewall policy in the forward traffic log.

(Screenshot: asym.jpg)
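Before looking at the forward traffic log, it helps to check a configuration backup for the two places this article says the option must be set. The following script is an added example for this article, not Fortinet code: it parses the `config` / `edit` / `set` / `next` / `end` grammar of a FortiOS configuration dump and reports which accept policies still have tcp-session-without-syn at its default. The sample dump is constructed, and the assumption that the per-policy default is `disable` is marked in the code.

```python
"""Audit a FortiOS CLI configuration dump for asymmetric-routing readiness.

Added example for this article (not Fortinet code). It checks both places
where tcp-session-without-syn must be enabled: config system settings and
every firewall policy that accepts traffic.
"""
import shlex

# Constructed sample dump (not taken from a real device). Policy 2 leaves the
# per-policy option at its default, so non-SYN TCP packets matching it are
# still dropped even though both system-level settings are enabled.
SAMPLE_CONFIG = """\
config system settings
    set asymroute enable
    set tcp-session-without-syn enable
end
config firewall policy
    edit 1
        set name "dmz-to-core"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set tcp-session-without-syn all
    next
    edit 2
        set name "core-to-dmz"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
    next
    edit 3
        set name "guest-deny"
        set action deny
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS config dump into nested dicts.

    'config <table>' and 'edit <key>' each open a nested dict; 'set' stores a
    value (a list when several values are given); 'next' closes the current
    'edit'; 'end' closes back through the enclosing 'config', which also
    covers the shorthand of writing 'end' directly after 'set' inside an
    'edit', as the CLI snippets in this article do.
    """
    root = {}
    frames = [("root", root)]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=False)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            node = frames[-1][1].setdefault(" ".join(args), {})
            frames.append(("config", node))
        elif cmd == "edit":
            node = frames[-1][1].setdefault(" ".join(args), {})
            frames.append(("edit", node))
        elif cmd == "set" and args:
            frames[-1][1][args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd == "next":
            if frames[-1][0] == "edit":
                frames.pop()
        elif cmd == "end":
            while len(frames) > 1:
                kind, _ = frames.pop()
                if kind == "config":
                    break
    return root


def audit(cfg):
    """Report the system-level switches and which accept policies still
    lack tcp-session-without-syn (those will still show as denied)."""
    settings = cfg.get("system settings", {})
    report = {
        "asymroute": settings.get("asymroute") == "enable",
        "system_tcp_session_without_syn":
            settings.get("tcp-session-without-syn") == "enable",
        "policies_ready": [],
        "policies_missing": [],
    }
    for pid, policy in cfg.get("firewall policy", {}).items():
        if policy.get("action", "deny") != "accept":
            continue  # deny policies never pass the session anyway
        # Assumption: the per-policy option defaults to "disable".
        mode = policy.get("tcp-session-without-syn", "disable")
        bucket = "policies_missing" if mode == "disable" else "policies_ready"
        report[bucket].append(pid)
    return report


if __name__ == "__main__":
    result = audit(parse_fortios(SAMPLE_CONFIG))
    print("asymroute enabled:", result["asymroute"])
    print("system tcp-session-without-syn enabled:",
          result["system_tcp_session_without_syn"])
    for pid in result["policies_missing"]:
        print(f"policy {pid}: add 'set tcp-session-without-syn all' "
              "or its non-SYN packets will keep hitting the deny policy")
```

Run it against a `show full-configuration` export instead of the constructed sample to see which policies still need the per-policy setting before you reproduce the traffic and check the forward log.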

Related article:

Technical Tip: Use case of TCP-session-without-syn in firewall policies