Hi,
I need to configure policy-based routing and I'm testing it, but it doesn't work even though the configuration is correct.
According to a veteran's advice, I temporarily enabled asymroute, and when I immediately disabled it, the routing started working.
I'm reluctant to use this method. Is this a well-known workaround?
Do you have any advice on a better way to handle this?
Hardware: FortiGate 120G, OS: 7.4.8
Thanks,
Kenji
Hi Kenji
Asymmetric routing is a workaround that is not so good for security. It was a good technique in the ancient network world, but it should not be used anymore if you want good network security.
The right solution is either to redesign your network architecture to avoid the need for asymmetric routing, or to use auxiliary sessions instead, which are secure (this may also need some redesign).
Have a look here:
Hope it helps.
Until you share the topology, hopefully with a diagram, around the policy route you intended to use to steer traffic in a specific direction, including the policy route itself, we can't comment on why it's not working.
Toshi
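The two settings Toshi contrasts, shown side by side as an added FortiOS CLI fragment (not taken from either poster's configuration); it assumes FortiOS 7.4 syntax and that the relevant VDOM is `root`. If VDOMs are not enabled on the unit, `config system settings` is entered directly without the `config vdom` wrapper.

```text
# Per-VDOM session settings (FortiOS 7.4 syntax assumed; VDOM name "root" is an assumption)
config vdom
    edit root
        config system settings
            # Workaround used in the thread: bypasses the reverse-path / session
            # check for return traffic, so keep it disabled.
            set asymroute disable
            # Alternative recommended above: the FortiGate creates a secondary
            # (auxiliary) session for return traffic arriving on another
            # interface, instead of skipping the stateful check altogether.
            set auxiliary-session enable
        end
    next
end

# Confirm the resulting state before re-testing the policy route
config vdom
    edit root
        get system settings | grep asymroute
        get system settings | grep auxiliary-session
    next
end
```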
Toshi-san
Here is a simple topology diagram.
This is a test configuration, so it differs slightly from the production environment, but I believe it is sufficient for verifying the behavior of the policy-based route.
My personal hypothesis is that the issue might be caused by using Destination NAT in conjunction with the policy-based route, or by setting the destination of the policy-based route to the default route when one already exists.
Any additional advice would be greatly appreciated.
Thank you
Kenji