Oscar_Wee
Staff
Article Id 391791
Description

This article explains why a deny against the firewall policy is observed in the forward traffic log, even though:

 

  1. Asymmetric routing is enabled at the VDOM level.

 

config vdom
    edit <vdom_name>
        config system settings
            set asymroute enable
        end
end

 

  2. tcp-session-without-syn is enabled at the config system settings level.

config system settings
    set tcp-session-without-syn enable
end

Scope

FortiGate.
Solution

Note that this is not a bug. tcp-session-without-syn also has to be enabled at the firewall policy level; once it is enabled on the relevant firewall policy, the packets are permitted.

 

Enter the following commands in the CLI:

 

config firewall policy
    edit <policyid>
        set tcp-session-without-syn all
end

 

Verify that packets are allowed by the relevant firewall policy in the forward traffic log.
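As an added illustration (not part of the article and not Fortinet code), the following Python audit reads a FortiOS configuration export and lists the accept policies that will still produce the deny described above: asymroute and tcp-session-without-syn are enabled under config system settings, but the policy itself lacks set tcp-session-without-syn all. The configuration text is constructed for this example, and the parser is a minimal one written here, not a FortiOS library.

```python
# Constructed FortiOS config excerpt (not from the article): both VDOM-level settings are on, only policy 2 has the policy-level one.
SAMPLE_CONFIG = """\
config vdom
    edit root
        config system settings
            set asymroute enable
            set tcp-session-without-syn enable
        end
        config firewall policy
            edit 1
                set action accept
            next
            edit 2
                set action accept
                set tcp-session-without-syn all
            next
        end
    next
end
"""

def parse_fortios(text):
    """Minimal FortiOS CLI parser: 'config X' / 'edit Y' open a nested dict,
    'set k v' stores a value, 'next' / 'end' return to the parent block."""
    root, stack = {}, []
    cur = root
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(("config ", "edit ")):
            stack.append(cur)
            cur = cur.setdefault(line.split(maxsplit=1)[1], {})
        elif line in ("next", "end"):
            cur = stack.pop()
        elif line.startswith("set "):
            _, key, value = line.split(maxsplit=2)
            cur[key] = value
    return root

def audit(text):
    """Return (vdom, policy_id) for each accept policy that will still deny non-SYN TCP:
    both VDOM-level settings are on, but the policy lacks 'set tcp-session-without-syn all'."""
    findings = []
    for vdom, tree in parse_fortios(text).get("vdom", {}).items():
        settings = tree.get("system settings", {})
        if settings.get("asymroute") != "enable" or settings.get("tcp-session-without-syn") != "enable":
            continue  # the symptom in this article needs both VDOM-level settings enabled
        for pid, policy in tree.get("firewall policy", {}).items():
            # the policy-level option defaults to 'disable' even when the system-level one is enabled
            if policy.get("action") == "accept" and policy.get("tcp-session-without-syn", "disable") == "disable":
                findings.append((vdom, pid))
    return findings
```

Run against a full configuration backup, the returned pairs are the policies to fix with the CLI commands shown above.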

 


 

Related article:

Technical Tip: Use case of TCP-session-without-syn in firewall policies