Fortinet black logo

Handbook

Asymmetric routing

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:58863
Download PDF

Asymmetric routing

You might discover unexpectedly that hosts on some networks are unable to reach certain other networks. This occurs when request and response packets follow different paths. If a FortiGate recognizes the response packets, but not the requests, it blocks the packets as invalid. Also, if a FortiGate recognizes the same packets repeated on multiple interfaces, it blocks the session as a potential attack.

This is asymmetric routing. By default, a FortiGate blocks packets or drops the session when this happens. You can configure the FortiGate to permit asymmetric routing by using the following CLI commands:

config system settings

set asymroute enable

end

If VDOMs are enabled, this command is per VDOM. You must set it for each VDOM that has the problem as follows:

config vdom

edit <vdom_name>

config system settings

set asymroute enable

end

end

If this solves your blocked traffic issue, you know that asymmetric routing is the cause. But allowing asymmetric routing is not the best solution, because it reduces the security of your network.

For a long-term solution, it is better to change your routing configuration or change how the FortiGate connects to your network.

If you enable asymmetric routing, antivirus and intrusion prevention systems won't be effective. The FortiGate won't be aware of connections and will treat each packet individually. It will become a stateless firewall.

Configuring IPv4 and IPv6 ICMP traffic inspection

In order for the inspection of asymmetric ICMP traffic not to affect TCP and UDP traffic, you can enable or disable ICMP traffic inspection for traffic being routed asymmetrically for both IPv4 and IPv6.

To configure ICMP traffic inspection, use the following CLI commands:

  • IPv4:
  • config system settings

    set asymroute-icmp

    end

  • IPv6:
  • config system settings

    set asymroute6-icmp

    end

Asymmetric routing

You might discover unexpectedly that hosts on some networks are unable to reach certain other networks. This occurs when request and response packets follow different paths. If a FortiGate recognizes the response packets, but not the requests, it blocks the packets as invalid. Also, if a FortiGate recognizes the same packets repeated on multiple interfaces, it blocks the session as a potential attack.

This is asymmetric routing. By default, a FortiGate blocks packets or drops the session when this happens. You can configure the FortiGate to permit asymmetric routing by using the following CLI commands:

config system settings

set asymroute enable

end

If VDOMs are enabled, this command is per VDOM. You must set it for each VDOM that has the problem as follows:

config vdom

edit <vdom_name>

config system settings

set asymroute enable

end

end

If this solves your blocked traffic issue, you know that asymmetric routing is the cause. But allowing asymmetric routing is not the best solution, because it reduces the security of your network.

For a long-term solution, it is better to change your routing configuration or change how the FortiGate connects to your network.

If you enable asymmetric routing, antivirus and intrusion prevention systems won't be effective. The FortiGate won't be aware of connections and will treat each packet individually. It will become a stateless firewall.

Configuring IPv4 and IPv6 ICMP traffic inspection

In order for the inspection of asymmetric ICMP traffic not to affect TCP and UDP traffic, you can enable or disable ICMP traffic inspection for traffic being routed asymmetrically for both IPv4 and IPv6.

To configure ICMP traffic inspection, use the following CLI commands:

  • IPv4:
  • config system settings

    set asymroute-icmp

    end

  • IPv6:
  • config system settings

    set asymroute6-icmp

    end