Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Asymmetric Routing on Different Interfaces on Same...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Asymmetric Routing on Different Interfaces on Same Zone
Hi all,
I'm an experienced network guy with 28 years of experience, but it's all Cisco. I'm new to Fortinet.
Here's my question: I'm working on a design for a customer with multiple satellite offices that connect back to two datacenters (primary and DR). They are all interconnected with two layer-2 ELAN WAN meshes. I want to centralize all of my routing onto the Fortigate firewalls at each location. But because the WAN links are from two separate vendors each Fortigate is going to have two physical handoffs, one to each vendor's network.
My plan is to create a WAN zone on each Fortigate and then put both physical interfaces in that same zone. (I don't need any filtering/firewalling between those interfaces.) I'm trying to find out if I am going to run into any asymmetric routing issues. The WAN circuits will be load balanced so I can't promise that packets from a particular session that go out on one vendor's circuit won't return on the other vendor's circuit. I could see this breaking stateful firewalling since the return packets will be on a different physical interface. But I could also see it working because the session's return packets will still be in the same zone.
Does anyone know if I'll run into issues here? In sum I'm looking to find out if the session based stateful firewalling references the physical interface like an ASA would, or whether it's by zone and doesn't care about the physical interface.
Thanks,
Ben
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
3 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Weber
It is by interface.
You may also check this link if it can help.. You can keep good security level if you use auxiliary sessions instead of enabling asymmetric routing.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zone(s) in Fortinet world doesnt really have any routing benefits, more for grouping of interfaces and least amount firewall rules needed to be configured.
you should look into sdwan, cuz in your case it would benefit you
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I mean it is by interface, not by zone, when replying to your question:
In sum I'm looking to find out if the session based stateful firewalling references the physical interface like an ASA would, or whether it's by zone and doesn't care about the physical interface.
On the other hand, enabling asymmetric routing is done globally on the FGT.
And as told above, try use auxiliary sessions instead of asym routing, in order to preserve security.
Asym routing was a very good technique in ancient world but it is not anymore with today's security challenges.
AEK
AEK
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Weber
It is by interface.
You may also check this link if it can help.. You can keep good security level if you use auxiliary sessions instead of enabling asymmetric routing.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That might be an option. But from that article it doesn't look like asymmetric routing can be enabled on just one interface or zone? These firewalls also handle the internet edge so I wouldn't be able to jeopardize antivirus or ID functionality.
I wonder if I could do one physical interface with a secondary IP for one of the WAN networks. That would put it all on one zone . . .
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I mean it is by interface, not by zone, when replying to your question:
In sum I'm looking to find out if the session based stateful firewalling references the physical interface like an ASA would, or whether it's by zone and doesn't care about the physical interface.
On the other hand, enabling asymmetric routing is done globally on the FGT.
And as told above, try use auxiliary sessions instead of asym routing, in order to preserve security.
Asym routing was a very good technique in ancient world but it is not anymore with today's security challenges.
AEK
AEK
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, it sounds like asymmetric routing is a no go. I'll look more into the auxiliary routing. I'm thinking too that if I use different interfaces on all Fortigates they shouldn't respond on the wrong circuit for the same issues with asymmetry on both ends. I'll have to map that out more. But basically if all Fortigates have an A and a B WAN connection then wouldn't a firewall at the satellite site know already that a session established on connection A needs to use connection A for return traffic.
To answer some of those questions I'm going to need to learn more about what the customer is looking for.
B
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
zone(s) in Fortinet world doesnt really have any routing benefits, more for grouping of interfaces and least amount firewall rules needed to be configured.
you should look into sdwan, cuz in your case it would benefit you
"jack of all trades, master of none"
"jack of all trades, master of none"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SD WAN is a future hope for this network, but not one they are ready for yet. And I'm never going to get to the point where all of the satellite nodes are Fortigate so I'm still going to have to accommodate some that may be Cisco or Aruba unfortunately.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks all. Getting back to this. It looks like you can set up asymmetric routing if it's in its own VDOM. So that's what we're going to try. We don't need much by way of filtering across the WAN so we figure peeling off a dedicated VDOM will allow us to use the FGT more like a WAN router.
Labels
-
FortiGate
10,530 -
FortiClient
2,141 -
FortiManager
886 -
5.2
687 -
FortiAnalyzer
675 -
5.4
638 -
FortiSwitch
581 -
FortiAP
558 -
FortiClient EMS
553 -
6.0
416 -
IPsec
414 -
SSL-VPN
373 -
FortiMail
371 -
5.6
362 -
FortiNAC
278 -
FortiWeb
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SD-WAN
191 -
FortiAuthenticator
169 -
FortiGuard
159 -
5.0
152 -
Firewall policy
142 -
6.4
128 -
FortiGate-VM
127 -
FortiCloud Products
116 -
FortiSIEM
112 -
FortiGateCloud
112 -
FortiToken
111 -
Wireless Controller
95 -
Customer Service
88 -
High Availability
83 -
FortiProxy
77 -
ZTNA
75 -
Routing
74 -
SAML
71 -
DNS
71 -
VLAN
70 -
Fortivoice
69 -
FortiEDR
68 -
FortiADC
67 -
BGP
67 -
Authentication
66 -
Certificate
64 -
RADIUS
59 -
LDAP
58 -
SSO
54 -
fortilink
54 -
FortiSandbox
53 -
NAT
52 -
FortiExtender
51 -
4.0MR3
49 -
VDOM
44 -
Application control
44 -
FortiDNS
43 -
Interface
43 -
Logging
40 -
Virtual IP
39 -
FortiGate v5.4
38 -
FortiSwitch v6.4
38 -
FortiPAM
35 -
SSL SSH inspection
35 -
Web profile
35 -
FortiConnect
34 -
Automation
32 -
FortiWAN
31 -
FortiConverter
30 -
FortiGate v5.2
27 -
Traffic shaping
26 -
SNMP
25 -
SSID
25 -
Static route
25 -
API
24 -
FortiSwitch v6.2
23 -
FortiPortal
23 -
FortiGate Cloud
23 -
System settings
22 -
OSPF
20 -
WAN optimization
20 -
FortiMonitor
19 -
Security profile
19 -
Web application firewall profile
18 -
IP address management - IPAM
18 -
FortiSoar
17 -
Web rating
17 -
FortiGate v5.0
16 -
FortiDDoS
16 -
FortiAP profile
16 -
Explicit proxy
15 -
Admin
15 -
Proxy policy
15 -
FortiCASB
14 -
IPS signature
14 -
Intrusion prevention
14 -
FortiManager v4.0
13 -
DNS filter
13 -
FortiManager v5.0
12 -
NAC policy
12 -
Users
12 -
Traffic shaping policy
12 -
Fabric connector
12 -
Port policy
12 -
FortiRecorder
11 -
FortiDeceptor
10 -
FortiAnalyzer v5.0
10 -
FortiWeb v5.0
10 -
FortiBridge
10 -
Trunk
10 -
Traffic shaping profile
10 -
Authentication rule and scheme
10 -
Fortinet Engage Partner Program
10 -
FortiGate v4.0 MR3
9 -
RMA Information and Announcements
9 -
Antivirus profile
9 -
FortiCache
8 -
FortiToken Cloud
8 -
4.0
7 -
4.0MR2
7 -
Packet capture
7 -
Application signature
7 -
VoIP profile
7 -
Vulnerability Management
7 -
FortiScan
6 -
FortiCarrier
5 -
FortiNDR
5 -
FortiTester
5 -
DLP profile
5 -
DLP sensor
5 -
DoS policy
5 -
Email filter profile
5 -
Protocol option
5 -
Cloud Management Security
5 -
3.6
4 -
FortiDirector
4 -
Internet service database
4 -
DLP Dictionary
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
SDN connector
4 -
Service
4 -
Multicast routing
4 -
FortiDB
3 -
FortiHypervisor
3 -
Kerberos
3 -
File filter
3 -
Multicast policy
3 -
FortiInsight
2 -
FortiAI
2 -
Video Filter
2 -
Schedule
2 -
ICAP profile
2 -
Zone
2 -
lacework
2 -
FortiEdge Cloud
2 -
FortiGuest
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
FortiSASE
1 -
Virtual wire pair
1 -
FortiEdge
1 -
FortiAIOps
1
Top Kudoed Authors
| User | Count |
|---|---|
| 2559 | |
| 1357 | |
| 795 | |
| 650 | |
| 455 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.