|Description||This article describes the enhancements made to the policy route lookup for reply traffic.|
From the release notes of v6.4.x:
Traffic will be routed based on the regular route table lookup regardless of the auxiliary-session setting.
Reply traffic may egress on a different interface after this route lookup.
Evaluate the risks and disable asymmetric routing or have a route with the longest matching prefix pointing to the original incoming interface in a maintenance window to avoid traffic being routed on a different interface.
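The following added example (not FortiOS code and not part of the original article) models only the regular route-table lookup described in the release note, to show how a reply can leave on a different interface than the one the session arrived on and how a longer-prefix route toward the original incoming interface removes the mismatch. The interface names, prefixes and sessions are constructed sample data, and route distance and priority are not modeled.

```python
import ipaddress

def egress_interface(routes, dst):
    """Longest-prefix-match lookup over (prefix, interface) pairs.

    Returns the interface of the most specific route containing dst,
    or None if no route matches. Ties keep the first route listed.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def asymmetric_replies(routes, sessions):
    """List sessions whose reply would egress on a different interface.

    sessions: (client_ip, ingress_interface) pairs. The reply is addressed
    to client_ip, so its egress is whatever the route table returns for it.
    """
    findings = []
    for client_ip, ingress_iface in sessions:
        reply_iface = egress_interface(routes, client_ip)
        if reply_iface != ingress_iface:
            findings.append((client_ip, ingress_iface, reply_iface))
    return findings

# Constructed sample data: default route on wan1, one connected prefix on wan2.
ROUTES = [("0.0.0.0/0", "wan1"), ("198.51.100.0/24", "wan2")]
SESSIONS = [
    ("203.0.113.10", "wan2"),  # arrived on wan2, but only the default route matches
    ("198.51.100.7", "wan2"),  # arrived on wan2, specific route also points to wan2
    ("192.0.2.5", "wan1"),     # arrived on wan1, default route points to wan1
]

# A longer-prefix route pointing back to the original incoming interface.
FIXED_ROUTES = ROUTES + [("203.0.113.0/24", "wan2")]

if __name__ == "__main__":
    for client, ingress, egress in asymmetric_replies(ROUTES, SESSIONS):
        print(f"reply to {client}: arrived on {ingress}, would egress on {egress}")
    print("after adding the specific route:", asymmetric_replies(FIXED_ROUTES, SESSIONS))
```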
The above behavior has changed from FortiOS 7.0.1.
FortiGate does the egress interface lookup in the following order:
1) Policy-route lookup.