FortiGate
vpalli (Staff)
Description
This article describes the enhancements made to the policy route lookup for reply traffic.
Scope
Solution

From the release notes of v6.4.x.

When reply traffic enters the FortiGate, and a policy route or SD-WAN rule is configured, the egress interface is chosen as follows.

With auxiliary-session enabled in config system settings:
Starting in 6.4.0, the reply traffic will not match any policy routes or SD-WAN rules to determine the egress interface and next hop.

Prior to this change, reply traffic matched policy routes or SD-WAN rules to determine the egress interface and next hop.

With auxiliary-session disabled in config system settings:
The reply traffic will egress on the original incoming interface.

Note:
When asymmetric routing is enabled, policy route lookup will not be performed for the reply traffic.

Traffic will be routed based on the regular routing-table lookup regardless of the auxiliary-session setting.

After this route lookup, reply traffic may egress on a different interface than the one it arrived on.

To avoid reply traffic being routed out a different interface, evaluate the risks and, in a maintenance window, either disable asymmetric routing or add a route with the longest matching prefix that points to the original incoming interface.

The above behavior changed in FortiOS 7.0.1.

FortiGate does the egress interface lookup in the following order:

1) Policy-route lookup.
2) SD-WAN rule match.
3) Routing-table lookup.

From FortiOS v7.0.1.

Case 1:
With default settings on FortiGate (asymmetric routing and auxiliary sessions both disabled), reply traffic honors the original incoming interface even when a policy route exists in the configuration.

Example:
If traffic originally arrived on port2, and two policy routes exist that could route the reply traffic over port1 or port2, then in the reply direction FortiGate still performs the policy route lookup but chooses port2 to honor the original incoming interface.

Case 2:
With asymmetric routing enabled (default: disabled), FortiGate performs a policy-route lookup for the reply traffic, followed by SD-WAN rules and then routing-table entries, if any.

Case 3:
With auxiliary sessions enabled (default: disabled), FortiGate performs a policy-route lookup for the reply traffic, followed by SD-WAN rules and then routing-table entries, if any.
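The following FortiOS CLI block is an added example, not part of the original article: it builds the Case 1 scenario (two policy routes, replies arriving on port2), leaves both settings at their 7.0.1+ defaults, and shows how to confirm which egress interface the reply traffic actually takes. The interface names port1 and port2 come from the article; all addresses, gateways and the client IP are constructed placeholders.

```fortios
# Case 1 defaults (per VDOM): both features disabled.
config system settings
    set asymmetric-routing disable
    set auxiliary-session disable
end

# Two policy routes that could both carry reply traffic towards the
# client network 10.0.0.0/24 (constructed): one via port1, one via port2.
config router policy
    edit 1
        set dst "10.0.0.0 255.255.255.0"
        set output-device "port1"
        set gateway 198.51.100.1      # constructed next hop on port1
    next
    edit 2
        set dst "10.0.0.0 255.255.255.0"
        set output-device "port2"
        set gateway 192.0.2.1         # constructed next hop on port2
    next
end

# Mitigation from the Note above, if asymmetric routing must stay enabled:
# a longest-prefix static route that pins the client network to port2,
# the interface the original request arrived on.
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0
        set device "port2"
        set gateway 192.0.2.1
    next
end

# Verification: list the installed policy routes, then trace the reply
# flow and read the egress interface chosen for packets to the client.
diagnose firewall proute list
diagnose debug flow filter addr 10.0.0.10   # constructed client address
diagnose debug flow trace start 20
diagnose debug enable
# ... generate a session from 10.0.0.10 through port2, then stop tracing ...
diagnose debug disable
diagnose debug flow trace stop
```

With the defaults in place, the trace for the reply packets should report port2 as the egress interface even though policy route 1 points at port1; with asymmetric routing or auxiliary sessions enabled, the lookup order (policy route, SD-WAN rule, routing table) decides instead.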
