FortiGate
rk1
Staff

Description
This article explains why reply traffic may not match any of the configured policy routes or SD-WAN rules.

Solution
When traffic is initiated from the Internet to a LAN segment behind the FortiGate, it enters through one interface, and the reply traffic may be observed leaving through a different interface than the original incoming one (if there are multiple routes to reach the actual source), even though a specific policy route or SD-WAN rule is configured for the return traffic.

From firmware 6.4.0 GA, reply traffic not matching the configured policy routes or SD-WAN rules is expected, due to a behavior change.
Firmware 6.2.x should not be affected. Verify the configuration below on the FortiGate to mitigate this issue:


1) Verify whether there are multiple routes pointing to the actual source, either through multiple static routes or a single route pointing to SD-WAN.

2) Check whether asymmetric routing is enabled. If VDOMs are configured, check inside the respective VDOM configuration.

# show full system settings | grep asymroute
    set asymroute disable
    set asymroute-icmp disable
    set asymroute6 disable
    set asymroute6-icmp disable

3) Check whether the auxiliary session is enabled or disabled. If VDOMs are configured, check inside the respective VDOM configuration.

# show full system settings | grep aux
    set auxiliary-session disable

Use case 1.
If asymmetric routing is enabled, regardless of whether the auxiliary session is enabled or disabled, the reply traffic will go out of any of the configured interfaces according to the routing table.
The reply traffic does not necessarily go out of the original incoming interface.

This is because, with asymmetric routing enabled, traffic always looks for the best route in both directions.

Use case 2.
If asymmetric routing is disabled, even though there are multiple routes to reach the actual source, the reply traffic can be forced out of the original incoming interface by disabling the auxiliary session.
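An added example (not from this article or from Fortinet) that parses the output of the two "show full system settings" checks above and maps it to the reply-path behaviour of use cases 1 and 2. The sample output is constructed; the setting names and the decision logic follow this article (FortiOS 6.4.x semantics), and the "egress" strings are descriptive labels chosen here.

```python
import re

# Constructed sample of "show full system settings | grep -e asymroute -e aux"
# output from one VDOM (not taken from a real device).
SAMPLE_OUTPUT = """\
    set asymroute disable
    set asymroute-icmp disable
    set asymroute6 disable
    set asymroute6-icmp disable
    set auxiliary-session enable
"""

# Matches "set <name> enable|disable" lines as printed by "show full".
SET_RE = re.compile(r"^\s*set\s+([\w-]+)\s+(enable|disable)\s*$")


def parse_settings(output: str) -> dict:
    """Return {setting_name: True/False} for every enable/disable 'set' line."""
    settings = {}
    for line in output.splitlines():
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2) == "enable"
    return settings


def reply_path(settings: dict) -> dict:
    """Map asymroute / auxiliary-session to the reply-traffic behaviour
    described in use cases 1 and 2 (settings absent from the output are
    treated as disabled)."""
    asym = settings.get("asymroute", False)
    aux = settings.get("auxiliary-session", False)
    if asym:  # use case 1: the routing table decides, in both directions
        return {"pinned_to_ingress": False,
                "egress": "best route in the routing table (any interface)",
                "action": None}
    if not aux:  # use case 2: asymroute off + aux session off pins the reply
        return {"pinned_to_ingress": True,
                "egress": "original incoming interface",
                "action": None}
    # asymroute off but auxiliary-session on: apply the use case 2 mitigation
    return {"pinned_to_ingress": False,
            "egress": "not pinned to the incoming interface",
            "action": "config system settings -> set auxiliary-session disable"}


def audit(output: str) -> dict:
    """Parse CLI output and report the expected reply path plus any fix."""
    return reply_path(parse_settings(output))


if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT))
```

Run it against saved "show full system settings" output from each VDOM to see whether the reply path is pinned to the incoming interface or whether the auxiliary-session mitigation still applies.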

Note.
In any case, reply traffic does not look up policy routes or SD-WAN rules in firmware 6.4.x.
The behavior of checking policy routes is retained in firmware 7.0.1, where the reply traffic will look for a policy route (proute) match.

Related document.
https://docs.fortinet.com/document/fortigate/6.4.4/administration-guide/014295/controlling-return-pa...
