Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
alif
Staff
Staff

Created on ‎10-06-2020 10:36 AM Edited on ‎02-02-2024 04:16 AM By Moderator

Article Id 194040

Technical Tip: Differences between asymmetric routing and auxiliary sessions

Description

 

This article describes the differences between asymmetric routing and auxiliary sessions.

 

Scope

 

FortiGate.


Solution

 

Asymmetric Routing.

If hosts on one network are unable to reach hosts on other networks, there is a possibility that request and response packets follow different paths.
If a FortiGate recognizes the response packets, but not the requests, it blocks the packets as invalid.
Also, if a FortiGate recognizes the same packets repeated on multiple interfaces, it blocks the session as a potential attack.

This is asymmetric routing. By default, a FortiGate blocks packets or drops the session when this happens.
FortiGate can be configured to permit asymmetric routing by using the following CLI commands.

 

config system settings
    set asymroute enable
end

 

If VDOMs are enabled, this command needs to be enabled per VDOM. This is not a global setting.

 

config vdom
   edit <vdom_name>

config system settings
    set asymroute enable
end

end

 

If this solves the blocked traffic issue, asymmetric routing is the cause.
However, allowing asymmetric routing is not an ideal solution because it reduces the security of the network.
For a long-term or permanent solution, it is recommended to change the routing configuration or change how the FortiGate connects to the network.

Note that if asymmetric routing is enabled, antivirus and intrusion prevention systems will not be effective.
The FortiGate will not detect connections and will treat each packet individually with the CPU.
FortiGate will consequently become a stateless firewall, meaning offloading will not be possible.

Auxiliary Session.

When ECMP is enabled, TCP traffic for the same session can exit and enter the FortiGate on different interfaces.
To allow this traffic to pass through, FortiOS creates auxiliary sessions.
Allow the creation of auxiliary sessions with the following command:

 

config system settings
    set auxiliary-sessions {disable | enable}
end

 

By default, the auxiliary-session option is disabled.

This can block some TCP traffic when ECMP is enabled.

If this occurs, enabling auxiliary-session solves the problem.

Related articles:

46199
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.