Hi @vijayduhan 

Thank you for posting your query.

When asymmetric routing is enabled, the firewall will globally behave as follows.

For TCP packets

1) If the packet is a SYN, the FortiGate creates the session, checks the firewall policies and applies the configuration of the matching policy (UTM inspection, NAT, Traffic shaping, etc.).
The subsequent packets of the session can be offloaded (exactly as when asymmetric routing is disabled).

2) If the packet is not a SYN but the session already exists on the firewall, then the FortiGate lets the traffic pass through (exactly as it would do when asymmetric routing is disabled).

3) If the packet is not a SYN and the session doesn't exist (asymmetric routing), then all packets are passed to the CPU and the FortiGate doesn't lookup for matching firewall policies.

Since no policy is matched, the packet is simply forwarded based on the routing table and the Firewall acts as a router which only makes routing decision.  No security inspection will be performed:

53.147018 wan in 1.1.1.2.80 -> 10.255.130.210.18929: syn 2874238539 ack 2874127433
53.147237 dmz out 1.1.1.2.80 -> 10.255.130.210.18929: syn 2874238539 ack 2874127433
id=20085 trace_id=6 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 1.1.1.2:80->10.255.130.210:18929) from wan. flag [S.], seq 2874238539, ack 2874127433, win 32768"
id=20085 trace_id=6 func=vf_ip4_route_input line=1596 msg="find a route: flags=00000000 gw-10.255.130.210 via dmz"
53.155221 wan in 1.1.1.2.80 -> 10.255.130.210.18929: psh 2874238540 ack 2874127673
53.155364 dmz out 1.1.1.2.80 -> 10.255.130.210.18929: psh 2874238540 ack 2874127673

As FGT is only taking route decision SNAT in reply packet will not make sense here.

Please check the below link for your referece of assymmetric routing section:-
https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/139692/routing-concepts#Asym...

Regards
Priyanka

- Have you found a solution? Then give your helper a "Kudos" and mark the solution

Thanks for the replies

In the topology the black color is for syn  request packet and  orange color Syn+ack packet. From client the request is send to router over the internet and then GRE encapsulation is done on the router and then send the packet to the fortigate via GRE tunnel. The fortigate decapsulate the GRE packet and the send the packet to the application via LAN port. Now the response packet should be send directly from lan to wan over the internet with source NAT of WAN IP.

I have enabled the asymmetric routing due to which the response packet (syn+ack) is going from LAN to WAN by checking static route only but without any source nat of WAN port IP and its taking source as the application IP due to which its not going to the internet.

Hello

In my opinion you should correct a bit your architecture and disable asymmetric on FG.

Personally I don't see a way to do that with your FortiGate. The last chance you may have is to find a way to make your application server send the reply packets with you desired public IP as source address.