BWeber67
Explorer
August 21, 2025
Solved

Asymmetric Routing on Different Interfaces on Same Zone

  • August 21, 2025
  • 3 replies
  • 3429 views

Hi all,

I'm an experienced network guy with 28 years of experience, but it's all Cisco. I'm new to Fortinet.


Here's my question: I'm working on a design for a customer with multiple satellite offices that connect back to two datacenters (primary and DR). They are all interconnected with two layer-2 ELAN WAN meshes. I want to centralize all of my routing onto the Fortigate firewalls at each location. But because the WAN links are from two separate vendors, each Fortigate is going to have two physical handoffs, one to each vendor's network.


My plan is to create a WAN zone on each Fortigate and then put both physical interfaces in that same zone. (I don't need any filtering/firewalling between those interfaces.) I'm trying to find out if I am going to run into any asymmetric routing issues. The WAN circuits will be load balanced, so I can't promise that packets from a particular session that go out on one vendor's circuit won't return on the other vendor's circuit. I could see this breaking stateful firewalling since the return packets will be on a different physical interface. But I could also see it working because the session's return packets will still be in the same zone.


Does anyone know if I'll run into issues here? In sum, I'm looking to find out if the session-based stateful firewalling references the physical interface like an ASA would, or whether it's by zone and doesn't care about the physical interface.


Thanks,


Ben

Best answer by funkylicious

3 replies

AEK
SuperUser
August 21, 2025

Hi Weber

It is by interface.

You may also check this link to see if it helps. You can keep a good security level if you use auxiliary sessions instead of enabling asymmetric routing.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Differences-between-asymmetric-routing-and/ta-p/194040


AEK
BWeber67 (Author)
Explorer
August 21, 2025

That might be an option. But from that article it doesn't look like asymmetric routing can be enabled on just one interface or zone? These firewalls also handle the internet edge, so I wouldn't be able to jeopardize antivirus or ID functionality.


I wonder if I could do one physical interface with a secondary IP for one of the WAN networks. That would put it all in one zone...

AEK
SuperUser
August 21, 2025

I mean it is by interface, not by zone, when replying to your question:

In sum I'm looking to find out if the session based stateful firewalling references the physical interface like an ASA would, or whether it's by zone and doesn't care about the physical interface.

On the other hand, enabling asymmetric routing is done globally on the FGT.

And as said above, try to use auxiliary sessions instead of asymmetric routing, in order to preserve security.

Asymmetric routing was a very good technique in the ancient world, but it is not anymore with today's security challenges.

AEK
funkylicious
SuperUser
August 21, 2025

Zones in the Fortinet world don't really have any routing benefits; they are more for grouping interfaces and minimizing the number of firewall rules that need to be configured.

You should look into SD-WAN, because in your case it would benefit you.

"jack of all trades, master of none"
BWeber67 (Author)
Explorer
August 21, 2025

SD-WAN is a future hope for this network, but not one they are ready for yet. And I'm never going to get to the point where all of the satellite nodes are Fortigate, so I'm still going to have to accommodate some that may be Cisco or Aruba, unfortunately.

BWeber67 (Author)
Explorer
September 9, 2025

Thanks all. Getting back to this. It looks like you can set up asymmetric routing if it's in its own VDOM. So that's what we're going to try. We don't need much by way of filtering across the WAN so we figure peeling off a dedicated VDOM will allow us to use the FGT more like a WAN router.
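As an added example (written for this page; it is not from the thread, the linked technical tip, or Fortinet's documentation), here is the FortiOS CLI for the three options discussed above: the WAN zone holding both vendor handoffs, the `asymroute` and `auxiliary-session` settings under `config system settings`, and the dedicated WAN-router VDOM from the last reply. The interface names `port1`/`port2`, the VDOM name `WAN-RTR`, the inter-VDOM link name `rtr-edge` and the host `10.20.0.5` are assumptions. `config system settings` is a per-VDOM table, so in multi-VDOM mode `asymroute` only affects the VDOM it is set in; that is what lets the routing VDOM accept asymmetric flows while the edge VDOM keeps stateful inspection and its security profiles.

```fortios
# --- 1. The WAN zone from the question (assumed ports port1/port2) ---
# Grouping both handoffs in one zone only reduces the number of policies.
# The session table still records the physical ingress/egress interface,
# so a reply arriving on the other member interface does not match the session.
config system zone
    edit "WAN"
        set interface "port1" "port2"
        # no policy check between the two handoffs
        set intrazone allow
    next
end

# --- 2a. Weak option: accept asymmetric flows in this VDOM ---
# asymroute lives in 'config system settings', a per-VDOM table. With it on,
# the FortiGate no longer requires reply packets to arrive on the interface the
# session was created on, at the cost of stateful inspection and the security
# profiles that depend on it, for every flow in this VDOM.
config system settings
    set asymroute enable
    set asymroute-icmp enable
end

# --- 2b. Alternative named in the thread: auxiliary sessions ---
# The check stays on; as described in the linked tip, the FortiGate instead
# creates an auxiliary session entry for a reply seen on a different interface.
config system settings
    set asymroute disable
    set auxiliary-session enable
end

# --- 3. The approach from the last reply: a dedicated routing VDOM ---
# Enable multi-VDOM mode and create the VDOM (assumed name WAN-RTR).
config system global
    set vdom-mode multi-vdom
end
config vdom
    edit "WAN-RTR"
    next
end
# Move both WAN handoffs into the routing VDOM. An interface must not be
# referenced by any policy, route or zone in its old VDOM before it can move.
config global
    config system interface
        edit "port1"
            set vdom "WAN-RTR"
        next
        edit "port2"
            set vdom "WAN-RTR"
        next
    end
    # Inter-VDOM link (assumed name rtr-edge) creates rtr-edge0 and rtr-edge1.
    config system vdom-link
        edit "rtr-edge"
        next
    end
    config system interface
        edit "rtr-edge0"
            set vdom "WAN-RTR"
        next
        # root stays the internet edge and keeps AV/IPS and stateful checks
        edit "rtr-edge1"
            set vdom "root"
        next
    end
end
# Asymmetric routing is then scoped to WAN-RTR only.
config vdom
    edit "WAN-RTR"
        config system settings
            set asymroute enable
            set asymroute-icmp enable
        end
    next
end

# --- Checking which interface a session is bound to (assumed host 10.20.0.5) ---
# In multi-VDOM mode enter the VDOM first: config vdom / edit WAN-RTR
diagnose sys session filter clear
diagnose sys session filter dst 10.20.0.5
diagnose sys session list
# Trace a flow to see on which interface the reply arrives and how it is handled
diagnose debug flow filter addr 10.20.0.5
diagnose debug flow trace start 50
diagnose debug enable
# ... send test traffic across both circuits, then:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
```

Apply section 3 on a maintenance window: switching `vdom-mode` and moving interfaces between VDOMs drops whatever those interfaces carry, and the policies, static routes and the zone in the old VDOM have to be rebuilt inside `WAN-RTR`. The `diagnose sys session list` output is the quickest way to confirm the thread's answer on a live box: compare the session's interface pair against the interface the return traffic actually arrives on before deciding whether the VDOM split is needed.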