myky
New Member
January 30, 2020
Solved

Fortigate same zone but different interface packet process logic

  • January 30, 2020
  • 1 reply
  • 11292 views

Hi All,


Sorry, my first post here, and forgive me if this has already been asked earlier.

What will the firewall do if it receives a SYN/ACK (half-open session) packet, or subsequent packets for an already established session, on a different interface (not the one the packet was sent out of)?


Thanks,

Myky

    Best answer by Toshi_Esumi

    Unlike Palo Alto's "zone", FGT's "zone" is not a necessary object, more like an alias. You can use it in policies but you don't have to. It still routes per interface, and if packets come in one interface and go out another interface it's considered "asymmetric" regardless of whether they are members of one zone.

    1 reply

    emnoc
    New Member
    January 30, 2020

    It would drop it unless asymmetrical routing was enabled. Google "stateful-inspection firewall", which is what any FortiGate does, or any modern UTM/NGFW.


    Ken Felix
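To make the two answers above concrete (stateful session matching, plus the per-interface check that makes a reply arriving on another interface "asymmetric" even when both interfaces belong to the same zone), here is a small Python model added as an illustration. It is not FortiOS code and was not posted by either participant. The interface names, addresses, zone assignment and routing table are constructed for the example; the `asymroute` flag stands in for the FortiOS per-VDOM option `config system settings` / `set asymroute enable`.

```python
from dataclasses import dataclass

# Constructed model of a stateful-inspection firewall (not FortiOS code).
# A session records the interface the original SYN entered on and the
# interface the firewall forwarded it out of; the reply is expected back
# on that egress interface. Zone membership plays no part in the lookup.


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    iface: str         # interface the packet arrived on


@dataclass
class Session:
    originator: tuple  # (ip, port) of the host that sent the SYN
    in_iface: str      # where the SYN arrived (forward traffic expected here)
    out_iface: str     # where the SYN was forwarded (replies expected here)
    state: str = "SYN_SENT"


class StatefulFirewall:
    def __init__(self, routes, zones, asymroute=False):
        self.routes = routes        # destination host -> egress interface (constructed)
        self.zones = zones          # interface -> zone name; informational only
        self.asymroute = asymroute  # models 'set asymroute enable'
        self.sessions = {}

    @staticmethod
    def _key(pkt):
        # Normalise the 4-tuple so both directions hit the same session entry.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (min(a, b), max(a, b))

    def process(self, pkt):
        key = self._key(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            if pkt.flags == frozenset({"SYN"}):
                out = self.routes.get(pkt.dst)
                if out is None:
                    return "drop: no route"
                self.sessions[key] = Session((pkt.src, pkt.sport), pkt.iface, out)
                return f"accept: new session, forward via {out}"
            # A SYN/ACK or bare ACK with no session entry is never created
            # as a new session by a stateful firewall.
            return "drop: no matching session"

        # Existing session: check the packet came back on the expected interface.
        from_originator = (pkt.src, pkt.sport) == sess.originator
        expected = sess.in_iface if from_originator else sess.out_iface
        if pkt.iface != expected:
            if not self.asymroute:
                return (f"drop: asymmetric, arrived on {pkt.iface} "
                        f"(zone {self.zones.get(pkt.iface)}), expected {expected}")
            # With asymmetric routing enabled the interface check is relaxed.
        if pkt.flags == frozenset({"SYN", "ACK"}) and not from_originator:
            sess.state = "SYN_RECEIVED"
        elif "ACK" in pkt.flags and sess.state == "SYN_RECEIVED":
            sess.state = "ESTABLISHED"
        return f"accept: session {sess.state}"


def run_scenario(asymroute: bool):
    """Client behind port1 opens a TCP session to a server reached via port2;
    port2 and port3 are both in the constructed zone 'wan'."""
    fw = StatefulFirewall(
        routes={"10.0.0.5": "port1", "198.51.100.10": "port2"},
        zones={"port1": "lan", "port2": "wan", "port3": "wan"},
        asymroute=asymroute,
    )
    syn = Packet("10.0.0.5", 40000, "198.51.100.10", 443, frozenset({"SYN"}), "port1")
    synack_other_if = Packet("198.51.100.10", 443, "10.0.0.5", 40000,
                             frozenset({"SYN", "ACK"}), "port3")
    synack_expected = Packet("198.51.100.10", 443, "10.0.0.5", 40000,
                             frozenset({"SYN", "ACK"}), "port2")
    ack = Packet("10.0.0.5", 40000, "198.51.100.10", 443, frozenset({"ACK"}), "port1")
    return [fw.process(p) for p in (syn, synack_other_if, synack_expected, ack)]


if __name__ == "__main__":
    for flag in (False, True):
        print(f"asymroute={flag}")
        for line in run_scenario(flag):
            print("  ", line)
```

With `asymroute` off, the SYN/ACK that comes back on port3 is dropped even though port2 and port3 sit in the same zone, which is the point of the accepted answer; the same SYN/ACK on port2 is accepted and the session progresses to ESTABLISHED. Enabling the flag accepts the stray reply but gives up the interface check, so the usual fix is to correct the routing rather than leave asymmetric routing enabled.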
