Description
This article describes how FortiGate permits traffic under certain asymmetric routing conditions, generating a forward traffic log entry that matches policy ID 0.
Asymroute is enabled under system settings:
    config system settings
        set asymroute enable
    end
Scope
Log entry showing action 'accept', matching policy ID 0:
FortiGate TCP handling behavior with asymmetric routing enabled:
When FortiGate receives non-'TCP SYN' traffic for which no session exists, the packet is forwarded based on the routing table alone. In this case no policy lookup is performed and FortiGate behaves as a plain router. Because no policy was matched, the resulting log entries show policy ID 0.
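The behaviour above can be spotted in forward traffic logs by looking for accepted sessions carrying policyid=0. The following added example (not part of the Fortinet article) parses constructed key=value log lines in FortiGate's log format and returns only such entries; the field names are FortiGate's, the values are invented.

```python
import re
from typing import Dict, List

# Constructed sample FortiGate forward-traffic log lines (not from the article).
# Field names follow the FortiGate key=value log format; values are invented.
# The first line mimics the asymroute case: a non-SYN TCP packet accepted with
# no policy lookup, hence policyid=0 and an empty policyname.
SAMPLE_LOGS = [
    'date=2024-01-01 time=10:00:01 type="traffic" subtype="forward" vd="root" '
    'srcip=10.1.1.10 srcport=51000 dstip=10.2.2.20 dstport=443 proto=6 '
    'action="accept" policyid=0 policyname="" sentbyte=60 rcvdbyte=0',
    'date=2024-01-01 time=10:00:02 type="traffic" subtype="forward" vd="root" '
    'srcip=10.1.1.11 srcport=51001 dstip=10.2.2.21 dstport=80 proto=6 '
    'action="accept" policyid=5 policyname="lan-to-dmz" sentbyte=1200 rcvdbyte=3400',
    'date=2024-01-01 time=10:00:03 type="traffic" subtype="forward" vd="root" '
    'srcip=10.1.1.12 srcport=51002 dstip=10.2.2.22 dstport=22 proto=6 '
    'action="deny" policyid=0 policyname="" sentbyte=0 rcvdbyte=0',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line, stripping quotes from values."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}


def find_policy0_accepts(lines: List[str]) -> List[Dict[str, str]]:
    """Return forward-traffic entries that were accepted without a policy
    lookup (action=accept and policyid=0). Implicit-deny hits also log
    policyid=0, but with action=deny, so they are deliberately excluded."""
    hits = []
    for line in lines:
        rec = parse_fortigate_log(line)
        if (rec.get("type") == "traffic" and rec.get("subtype") == "forward"
                and rec.get("action") == "accept" and rec.get("policyid") == "0"):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_policy0_accepts(SAMPLE_LOGS):
        print(f"policy-0 accept: {rec['srcip']}:{rec['srcport']} -> "
              f"{rec['dstip']}:{rec['dstport']} proto={rec['proto']}")
```

Any hit on a unit where asymroute is enabled indicates traffic that bypassed both policy lookup and UTM inspection, which is the condition the Solution section addresses.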
Solution
To prevent this behavior, asymroute must be disabled:
    config system settings
        set asymroute disable
    end
Be aware of the constraints that apply while the asymroute feature is enabled: traffic handled this way receives no policy lookup and no UTM inspection.
Related article: Technical-Note-How-the-FortiGate-behaves-when-asymmetric-routing
Copyright 2024 Fortinet, Inc. All Rights Reserved.