Asymmetric routing
You might discover unexpectedly that hosts on some networks are unable to reach certain other networks. This occurs when request and response packets follow different paths. If a FortiGate recognizes the response packets, but not the requests, it blocks the packets as invalid. Also, if a FortiGate recognizes the same packets repeated on multiple interfaces, it blocks the session as a potential attack.
This is asymmetric routing. By default, a FortiGate blocks packets or drops the session when this happens. You can configure the FortiGate to permit asymmetric routing by using the following CLI commands:
config system settings
set asymroute enable
end
If VDOMs are enabled, this command is per VDOM. You must set it for each VDOM that has the problem as follows:
config vdom
edit <vdom_name>
config system settings
set asymroute enable
end
end
If this solves your blocked traffic issue, you know that asymmetric routing is the cause. But allowing asymmetric routing is not the best solution, because it reduces the security of your network.
For a long-term solution, it is better to change your routing configuration or change how the FortiGate connects to your network.
If you enable asymmetric routing, antivirus and intrusion prevention systems won't be effective. The FortiGate won't be aware of connections and will treat each packet individually. It will become a stateless firewall.
Configuring IPv4 and IPv6 ICMP traffic inspection
So that asymmetrically routed ICMP traffic can be handled without changing how TCP and UDP traffic is inspected, you can enable or disable inspection of asymmetrically routed ICMP traffic separately from the asymroute setting, for both IPv4 and IPv6.
To configure ICMP traffic inspection, use the following CLI commands:
- IPv4:
config system settings
set asymroute-icmp {enable | disable}
end
- IPv6:
config system settings
set asymroute6-icmp {enable | disable}
end
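As an added example (not from the original page), the following CLI session shows a per-VDOM configuration that keeps the secure default for TCP and UDP (asymroute left disabled, so the FortiGate stays stateful and antivirus and IPS keep working) while permitting asymmetrically routed ICMP on both IPv4 and IPv6. The VDOM name "branch" is a placeholder, and the closing show command is assumed to display the resulting settings.

```text
# Enter the VDOM that exhibits the asymmetric ICMP problem (name is a placeholder)
config vdom
    edit branch
        config system settings
            # Keep the stateful default: asymmetric TCP/UDP is still dropped,
            # so session tracking, antivirus and IPS remain effective
            set asymroute disable
            # Allow only ICMP (e.g. echo replies returning over another path)
            # to bypass the asymmetric-routing check
            set asymroute-icmp enable
            set asymroute6-icmp enable
        end
    next
end

# Verify the non-default values that were just applied (assumed output)
config vdom
    edit branch
        show system settings
    next
end
```

If TCP or UDP traffic is still blocked after this change, the cause is asymmetric routing of those protocols as well, and the routing or topology should be corrected rather than setting asymroute enable.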