Serxhio (Staff)
Article Id 338652
Description This article describes FortiGate's routing decision for outgoing and reply traffic.
Scope FortiGate, routing.
Solution

By design and by default, FortiGate performs two routing lookups:

  • One on the first packet sent by the originator.
  • Another one on the first reply packet coming from the responder.

Refer to the chart on: Technical Tip: Routing in FortiGate (route-lookup-process)
Note:

From v6.2.3 and v6.4 onward, policy routes are no longer checked if the destination IP belongs to a directly connected subnet.

Reply direction:

  • In v7.0.1, the policy-route lookup for the reply direction is restored: the policy-route lookup is done for both directions of a new/dirty session.
  • In v6.4, the policy-route lookup is no longer done for the reply direction of a new/dirty session; it is only done for the original direction of a new/dirty session.

Default settings: asymmetric routing disabled; auxiliary sessions disabled (both are per-VDOM settings).

Behavior in v6.4.x:

  • With default settings, reply traffic honors the original ingress interface (route lookup) – regardless of whether policy routes/SD-WAN rules are set up.
  • With asymmetric routing enabled (default: disabled), reply traffic does a route-table lookup and picks an interface – regardless of policy routes/SD-WAN rules.
  • With auxiliary sessions enabled (default: disabled), reply traffic does a route-table lookup and picks an interface – regardless of policy routes/SD-WAN rules.

Behavior in v7.0.1 onwards:

  • With default settings, reply traffic honors the original ingress interface (route lookup) – regardless of whether policy routes/SD-WAN rules are set up.
  • With asymmetric routing enabled (default: disabled), reply traffic does a policy-route lookup, then an SD-WAN rule match, and then a route-table lookup.
  • With auxiliary sessions enabled (default: disabled), reply traffic does a policy-route lookup, then an SD-WAN rule match, and then a route-table lookup. In addition, auxiliary sessions cause every packet to be re-routed along the best path, not only the first reply packet.
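As an added illustration (not part of this article or of FortiOS itself), the Python model below encodes the lookup rules described above, so the lookup chain a reply packet goes through for a given FortiOS version and VDOM setting combination can be checked before a change is made. The `lookup_chain` function, its argument names and the version tuple representation are assumptions chosen for the example; reply behaviour for versions before v6.4 is not described in the article and is rejected.

```python
from typing import List, Tuple

# FortiOS version as a (major, minor, patch) tuple, e.g. (7, 0, 1).
# Names below are chosen for this example and are not FortiOS CLI keywords.
Version = Tuple[int, int, int]


def lookup_chain(version: Version, direction: str, *,
                 asymroute: bool = False,
                 auxiliary_session: bool = False,
                 dst_directly_connected: bool = False) -> Tuple[List[str], bool]:
    """Return (ordered lookups for the first packet, rerouted_per_packet).

    direction is 'original' (first packet from the originator) or 'reply'
    (first reply packet from the responder): the two lookups the article describes.
    """
    if direction == "original":
        chain = ["policy-route", "sd-wan-rule", "route-table"]
        # From v6.2.3/v6.4 onward a directly connected destination skips policy routes.
        if version >= (6, 2, 3) and dst_directly_connected:
            chain.remove("policy-route")
        return chain, False
    if direction != "reply":
        raise ValueError("direction must be 'original' or 'reply'")
    if version < (6, 4, 0):
        raise ValueError("reply behaviour before v6.4 is not covered by the article")
    # Default (asymmetric routing and auxiliary sessions both disabled):
    # the reply is pinned to the interface the original packet arrived on.
    if not (asymroute or auxiliary_session):
        return ["ingress-interface"], False
    if version >= (7, 0, 1):
        # v7.0.1 restored the full lookup for replies; auxiliary sessions
        # additionally re-evaluate the best path for every packet.
        return ["policy-route", "sd-wan-rule", "route-table"], auxiliary_session
    # v6.4.x: a plain routing-table lookup; policy routes and SD-WAN rules are
    # ignored. The article states no per-packet rerouting here, so False.
    return ["route-table"], False


if __name__ == "__main__":
    for ver in ((6, 4, 5), (7, 0, 1)):
        for asym, aux in ((False, False), (True, False), (False, True)):
            chain, per_pkt = lookup_chain(ver, "reply", asymroute=asym,
                                          auxiliary_session=aux)
            print(f"v{ver} asymroute={asym} aux={aux}: "
                  f"{' -> '.join(chain)} (per-packet={per_pkt})")
```

Running the block prints one line per combination, which is a quick way to see why enabling either setting on a v6.4.x unit can send replies out a different interface than the policy routes would suggest.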

For a worked example of SD-WAN auxiliary sessions, see: Technical Tip: SD-WAN/Auxiliary Sessions