KenjiKang
New Contributor III

Processing logic for return traffic in stateful inspection

Hi teams

I am using a FortiGate firewall with stateful inspection enabled, and we'd like to understand the packet processing logic for return traffic.
Could you please share any information you have on this?


Specifically, I am looking for an explanation of return traffic similar to the one provided in the following URL: https://docs.fortinet.com/document/fortigate/6.0.0/parallel-path-processing-life-of-a-packet/478386/...


I am currently considering whether to address return traffic by adding a policy route or by adding a less-preferred static route. Our main question is whether the routing table is consulted at all for stateful return traffic.

Thank you 
Kenji

8 Replies

AEK
SuperUser

Hi Kenji

The firewall checks the routing table for both request and return path. No need for policy route.

Check this tech tip and you should understand the logic better.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Reverse-Path-Forwarding-RPF-implementation...

AEK

ebrlima
Staff

Yes, the routing table is checked at the first packet starting the session and at the first reply packet.

If there's a routing change during the session TTL, the routing table is checked again to confirm whether the change affects the session.

Eudes Lima
Toshi_Esumi
SuperUser

You need to drop/forget your obsession "need to use policy routes", unless you're using something like a 25+ year old device or one from the last century. Most modern NGFWs handle all traffic as "sessions" or "flows", which include initiation, return, and termination/timeout.

Unless you want/need to "initiate" a session toward a specific outgoing interface while multiple outgoing interfaces/routes for the traffic are available, you never need policy routes.
I feel like you're trying to do what those NGFWs have already been taking care of for at least the last 25 years or so.

Toshi

KenjiKang
New Contributor III

Thank you all for the kind advice.
You have greatly accelerated my understanding.


I have one last request. Could you please let me know if you know of any packet flow documents for return traffic?


I'm looking for a return traffic version of the packet flow explained in the following URL:

https://docs.fortinet.com/document/fortigate/6.0.0/parallel-path-processing-life-of-a-packet/478386/...

Thank you
Kenji



ebrlima

@KenjiKang I understand what you are looking for, but I don't think such a document exists, because return traffic will be handled differently based on settings. You have the default behavior, the behavior with asymmetric routing enabled, with auxiliary sessions enabled, with FGSP over FGCP. For the default behavior, I believe we made it clear here how it works. For other topologies and settings, you're going to have to check other docs, and if possible, I recommend executing lab testing.

Eudes Lima
AEK

You may check this doc explaining routing concepts on FGT.

https://docs.fortinet.com/document/fortigate/7.6.4/administration-guide/139692/routing-concepts

Hope it helps.

AEK
granelbo1
New Contributor

Would the constant ping still be the same session? Maybe that isn't the best example. The main thing I am trying to figure out is how firewall changes are applied to existing sessions. Or in other words how existing sessions are blocked when the policy that allowed them to exist in the first place is removed.

ebrlima

Take a look at this documentation regarding the "dirty" flag.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Dirty-session/ta-p/197748

Eudes Lima
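As an added illustration (this is not FortiOS code, and it is not from any of the posters above), here is a constructed Python model of the behaviour the replies describe: the routing table is consulted for the first packet of a session (forward route plus the reverse-path check from AEK's RPF tech tip) and again for the first reply packet, later packets are forwarded on the session match without a route lookup, and a routing or policy change marks existing sessions "dirty" so the next packet is re-evaluated against the current tables. It serves both ebrlima's answer on when the routing table is consulted and granelbo1's later question about how a removed policy reaches an existing session. Interface names, prefixes, addresses and policy IDs are all made up for the example.

```python
"""Constructed teaching model of stateful return-traffic handling (not FortiOS code).
Interface names, prefixes, addresses and policy IDs below are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Session:
    """One session, keyed by the originator's (src, dst) pair."""
    in_if: str                      # ingress interface of the first packet
    out_if: str                     # egress interface chosen for the first packet
    policy_id: int
    reply_route_checked: bool = False
    dirty: bool = False             # set by a route or policy change
    route_lookups: int = 0          # how often the routing table was consulted


class StatefulFirewall:
    def __init__(self, routes, policies):
        # routes: [(prefix, egress interface)], longest prefix wins
        self.routes = [(ip_network(p), i) for p, i in routes]
        # policies: {id: (ingress interface, egress interface)}, all "accept"
        self.policies = dict(policies)
        self.sessions = {}

    # ---- routing table -------------------------------------------------
    def lookup_route(self, addr):
        best = None
        for prefix, iface in self.routes:
            if ip_address(addr) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, iface)
        return best[1] if best else None

    def set_routes(self, routes):
        """Routing change: existing sessions are marked dirty and re-checked on their next packet."""
        self.routes = [(ip_network(p), i) for p, i in routes]
        for s in self.sessions.values():
            s.dirty = True

    # ---- policy table --------------------------------------------------
    def match_policy(self, in_if, out_if):
        for pid, pair in self.policies.items():
            if pair == (in_if, out_if):
                return pid
        return None

    def remove_policy(self, pid):
        """Policy change: same dirty-flag treatment as a routing change."""
        self.policies.pop(pid, None)
        for s in self.sessions.values():
            s.dirty = True

    # ---- packet path ---------------------------------------------------
    def _evaluate(self, in_if, src, dst):
        """First-packet treatment: forward route, RPF check, then policy lookup."""
        out_if = self.lookup_route(dst)
        if out_if is None:
            return None, None, "drop: no route"
        if self.lookup_route(src) != in_if:      # RPF: best route to src must be via in_if
            return None, None, "drop: RPF failure"
        pid = self.match_policy(in_if, out_if)
        if pid is None:
            return None, None, "drop: no matching policy"
        return out_if, pid, "accept"

    def packet(self, in_if, src, dst):
        """Returns (verdict, note); the note names the path that handled the packet."""
        fwd, rev = (src, dst), (dst, src)
        if fwd not in self.sessions and rev not in self.sessions:
            out_if, pid, why = self._evaluate(in_if, src, dst)
            if pid is None:
                return "drop", why
            self.sessions[fwd] = Session(in_if, out_if, pid, route_lookups=1)
            return "accept", "first packet: route + policy lookup, session created"

        key = fwd if fwd in self.sessions else rev
        s = self.sessions[key]
        if s.dirty:
            # Re-run the originator-direction checks against the *current* tables.
            out_if, pid, why = self._evaluate(s.in_if, key[0], key[1])
            s.route_lookups += 1
            if pid is None:
                del self.sessions[key]
                return "drop", "dirty session re-evaluated: " + why
            s.out_if, s.policy_id, s.dirty = out_if, pid, False
            s.reply_route_checked = s.reply_route_checked or key == rev
            return "accept", "dirty session re-evaluated and kept"
        if key == rev and not s.reply_route_checked:
            # First reply: confirm the route back to the originator and RPF on the replier.
            s.reply_route_checked = True
            s.route_lookups += 1
            if self.lookup_route(dst) != s.in_if or self.lookup_route(src) != in_if:
                del self.sessions[key]
                return "drop", "first reply: reverse route check failed"
            return "accept", "first reply: route checked, session confirmed"
        return "accept", "session match, no route lookup"


if __name__ == "__main__":
    fw = StatefulFirewall([("10.0.0.0/8", "port1"), ("0.0.0.0/0", "wan1")],
                          {1: ("port1", "wan1"), 2: ("port1", "wan2")})
    print(fw.packet("port1", "10.1.1.5", "203.0.113.10"))   # first packet
    print(fw.packet("wan1", "203.0.113.10", "10.1.1.5"))    # first reply
    print(fw.packet("port1", "10.1.1.5", "203.0.113.10"))   # session match
    fw.set_routes([("10.0.0.0/8", "port1"), ("0.0.0.0/0", "wan2")])
    print(fw.packet("port1", "10.1.1.5", "203.0.113.10"))   # dirty, re-evaluated
    fw.remove_policy(2)
    print(fw.packet("port1", "10.1.1.5", "203.0.113.10"))   # dirty, now dropped
```

Running the script walks through the whole story: two route lookups for the session (first packet and first reply), none for the following packets, a third lookup when the default route moves to a different interface, and a drop once the policy that allowed the re-evaluated session is removed. In a real deployment the equivalent evidence comes from the session table and flow debugging on the firewall rather than from a model like this one.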