It's generally considered "anti-spoofing = block asymmetric routing". And statefull is any firewall that inspects the state of connections between a particular set of source and desition, i.e. session in FortiGate case. Layer3 is always state-less. So unless you disabled this base feature of FortiGate under global config (enabled asymmetric routing), you can check it off from the audit list.