Article Id 252177
Description This article describes the behavior of FortiOS when auxiliary sessions or asymmetric routing co-exist with policy-based routing in certain environments.
Scope FortiGate v6.4.10, v7.0.1, v7.2.0 and v7.4.0.

The main purpose of auxiliary sessions is to control the return traffic path.


More information regarding this setting can be found in the following public documentation:


There are certain environments where network administrators need to enable auxiliary sessions in combination with policy-based routing.


Policy-based routing (PBR) behaves differently depending on whether the auxiliary session setting is switched on, and there are two possible states:


1) When 'auxiliary-session' is set to 'disabled', the return traffic always follows the originating interface. If PBR uses a different interface, the PBR is ignored.


2) When the 'auxiliary-session' is set to 'enabled', the return traffic will always respect PBR.


A similar behavior can also be observed when asymmetric routing is combined with policy-based routing.


More information regarding the asymmetric routing feature can be found in the following article:


3) When asymmetric routing is enabled, the return traffic will always respect PBR.


4) When asymmetric routing is disabled, the behavior is the same as in 1.
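
The four cases above can be checked against a configuration backup. The following Python audit is an added example, not part of the original article or Fortinet's own code; it reads a single-VDOM FortiOS backup and reports whether return traffic will respect PBR. The sample config is constructed, and treating a missing key as `disable` and either setting alone as sufficient are assumptions.

```python
# Added example: audit a FortiOS backup for the return-path cases above.
# Constructed single-VDOM sample config (not taken from the article).
SAMPLE_CONFIG = """
config system settings
    set auxiliary-session enable
end
config router policy
    edit 1
        set input-device "port1"
        set dst "10.20.0.0/255.255.0.0"
        set output-device "port3"
    next
end
"""

def parse_blocks(text):
    """Map each top-level 'config <name>' block to its (key, value) pairs."""
    blocks, name, depth = {}, None, 0
    for raw in text.splitlines():
        tokens = raw.split(None, 2)
        if not tokens:
            continue
        if tokens[0] == "config":
            depth += 1
            if depth == 1:  # nested config blocks stay under their parent
                name = " ".join(tokens[1:])
                blocks.setdefault(name, [])
        elif tokens[0] == "end":
            depth = max(depth - 1, 0)
        elif tokens[0] == "set" and depth >= 1 and len(tokens) == 3:
            blocks[name].append((tokens[1], tokens[2].strip().strip('"')))
    return blocks

def return_path_report(text):
    """Report whether return traffic honours PBR, per the article's four cases."""
    blocks = parse_blocks(text)
    settings = dict(blocks.get("system settings", []))
    # Assumption: a key missing from the backup is at its default, 'disable'.
    aux = settings.get("auxiliary-session", "disable")
    asym = settings.get("asymroute", "disable")
    pbr_out = [v for k, v in blocks.get("router policy", []) if k == "output-device"]
    # Assumption: either setting alone is enough (cases 2 and 3).
    respects = aux == "enable" or asym == "enable"
    return {"auxiliary-session": aux, "asymroute": asym, "pbr_output_devices": pbr_out,
            "return_traffic": "respects PBR" if respects
            else "follows originating interface, PBR ignored"}

if __name__ == "__main__":
    print(return_path_report(SAMPLE_CONFIG))
```

Run it against an exported configuration before and after changing either setting to confirm which return path the firewall is expected to use.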