Visitor III

Solved

Why does this work without asymmetric routing?

Forum|Forum|1 year ago
December 17, 2024
2 replies
1948 views

Hi,

we have two /29 IP blocks from our ISP. IPs from the first block are used for SNAT and a few VIPs. There are two default routes, one for each gateway because both subnets have different gateways. We didn't want ECMP, so we increased the distance for the default route to the gateway of block 2.

We also run VIPs on IPs of the second block. I was wondering why this is even working because the default route for block 2 is not installed in the routing table because of the higher distance. Therefore, return traffic for VIPs of block 2 must flow through the gateway of block 1. Asymmetric routing is disabled, I checked it.

We are also using port forwarding on the VIPs, so it shouldn't automatically use the VIP's public IP for return traffic.

Edit: I checked the session table and it looks like Fortigate SNATs the reply traffic. But I don't know why, the documentation says that it sould only be doing this when One-to-One NAT is applied without port-forwarding. Or does this rule only apply to traffic originating from the server behind the VIP and not reply traffic?

FortiGate

Best answer by Dhruvin_patel

Greetings!

FortiGate is a stateful firewall.

When FortiGate receives the traffic, it creates a session, and the return traffic is sent based on that created session.

When the packet enters the FortiGate, it will follow the flow defined in this document, https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading and create the session.

The traffic below to the same session will be sent out using the session info.

As a result, in your case, the traffic received on another block will create a session and then return the allowed/routed based on the created session.

Best Regards!

If you have found a solution, please like and accept it to make it easily accessible for others.

Dhruvin_patelAnswer

Staff

Greetings!

FortiGate is a stateful firewall.

When FortiGate receives the traffic, it creates a session, and the return traffic is sent based on that created session.

When the packet enters the FortiGate, it will follow the flow defined in this document, https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/86811/packet-flow-ingress-and-egress-fortigates-without-network-processor-offloading and create the session.

The traffic below to the same session will be sent out using the session info.

As a result, in your case, the traffic received on another block will create a session and then return the allowed/routed based on the created session.

Best Regards!

If you have found a solution, please like and accept it to make it easily accessible for others.

smxkoAuthor

Visitor III

Thanks, so is the routing table is negelcted for lookups for reply traffic and always following the initial session? I've had scenarios where I forgot to add a static route back to the source and reply traffic didn't work.

dingjerry_FTNT

Staff

FGT will always run the Reverse Path Check for ingress traffic if asymmetric routing is NOT enabled. Please check this KB for more information about RPC check:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Details-about-FortiOS-RPF-Reverse-Path-Forwarding/ta-p/190100

Again, your information and description are ambiguous. For further assistance, it's better to provide relevant configurations and your network diagram.

dingjerry_FTNT

Staff

Hi @smxko ,

Your description is ambiguous.

It's better you share relevant configurations for better understanding. And if you can provide with a network diagram, it would be much better.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded