Thursday, July 3, 2008

Asymmetric Routing through Fortigate Stateful Firewalls

Sometimes it is necessary to forward traffic through Fortigates in an asymmetric fashion. Here is one example:

Host A: (internal firewall interface)
Syslog Host B: (dmz firewall interface)
Syslog Host C: (internal firewall interface)

Host A sends log information to syslog host B, which resides behind the Fortinet on the DMZ interface. The firewall policy is configured to permit all traffic from the internal interface to the DMZ and vice versa. Syslog host B stores a copy of the syslog data it receives. For redundancy, or for further analysis by another system, it then forwards a copy of each syslog packet to syslog host C.
For syslog host C to be able to correctly interpret the syslog data, syslog host B "spoofs" the source IP address of the original sender when forwarding the data. In other words, syslog host B sends the data to syslog host C with a source address of host A, which allows syslog host C to determine who the original sender was. The logical packet looks something like this:

Physical sender: Syslog Host B
Source IP: (spoofed)
Destination IP:
Syslog Data

The firewall will prevent this traffic from reaching its destination. It first saw the traffic from host A to syslog host B pass from the internal to the DMZ interface and created a corresponding entry in its session table. Now the firewall sees another packet purporting to come from host A to syslog host C, but the source is on the DMZ and the destination is on the internal network. This violates the firewall's state tables.

In order to work around this problem you can configure the firewall to support asymmetric routing. Be aware that by doing this you slightly reduce the effective security level of your firewall, since spoofed packets can now more easily traverse it. However, in some cases you might require this option.
Asymmetric routing is configured per virtual domain (as of FortiOS 3.0 MR5). On the command line, configure the following:

config system settings
    set asymroute enable
end
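To make the drop and the effect of the setting concrete, here is a small Python model of a stateful firewall that replays the three packets from the scenario above: the original syslog packet from host A to host B, a legitimate reply from B to A, and the copy that B forwards to host C with A's address as source. This is an added teaching example, not code from the original post or from Fortinet; the addresses are constructed because the post's own addresses did not survive. The model applies a reverse-path check (the claimed source must be routed back out the interface the packet arrived on) and a per-session direction check, and a single `asymroute` flag relaxes both. Real FortiOS behaviour differs in detail, but the outcome matches the post: with the flag off the spoofed copy is dropped, with it on the copy is accepted on policy alone, which is exactly the reduction in anti-spoofing protection the post warns about.

```python
"""Constructed teaching model of a stateful firewall with a session table.

It is not FortiOS code: it simplifies the reverse-path and session checks
to show why the spoofed syslog copy is dropped and what relaxing them costs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet physically arrived on
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class StatefulFirewall:
    def __init__(self, routes, policies, asymroute=False):
        self.routes = routes            # host -> interface it is reachable through
        self.policies = set(policies)   # permitted (ingress, egress) interface pairs
        self.asymroute = asymroute      # models 'set asymroute enable'
        self.sessions = {}              # flow key -> who opened it and from where

    @staticmethod
    def flow_key(pkt):
        # Direction-independent key so replies match the originating session.
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def forward(self, pkt):
        egress = self.routes[pkt.dst]
        # Reverse-path check: the claimed source must be routed back out the
        # interface the packet came in on. Asymmetric routing disables it.
        if not self.asymroute and self.routes.get(pkt.src) != pkt.ingress:
            return "DROP: reverse-path check failed"
        sess = self.sessions.get(self.flow_key(pkt))
        if sess is not None:
            # An existing session pins each direction to one interface.
            expected = sess["orig_if"] if pkt.src == sess["orig_src"] else sess["resp_if"]
            if pkt.ingress != expected and not self.asymroute:
                return "DROP: session exists but arrived on unexpected interface"
            return "ALLOW: matched session"
        if (pkt.ingress, egress) not in self.policies:
            return "DROP: no policy"
        self.sessions[self.flow_key(pkt)] = {
            "orig_src": pkt.src, "orig_if": pkt.ingress, "resp_if": egress}
        return "ALLOW: policy matched, session created"


# Constructed addresses: the post's own addresses did not survive extraction.
HOST_A = "10.0.0.10"     # internal sender
HOST_B = "172.16.0.20"   # DMZ syslog host
HOST_C = "10.0.0.30"     # internal syslog host


def syslog_scenario(asymroute):
    """Replay the post's three packets; returns the firewall verdict for each."""
    fw = StatefulFirewall(
        routes={HOST_A: "internal", HOST_B: "dmz", HOST_C: "internal"},
        policies=[("internal", "dmz"), ("dmz", "internal")],
        asymroute=asymroute)
    original = Packet("internal", HOST_A, HOST_B, "udp", 40000, 514)
    # A legitimate reply from B to A reuses the session in the other direction.
    reply = Packet("dmz", HOST_B, HOST_A, "udp", 514, 40000)
    # B forwards a copy to C with A's address as source; it arrives on the DMZ.
    spoofed = Packet("dmz", HOST_A, HOST_C, "udp", 40000, 514)
    return fw.forward(original), fw.forward(reply), fw.forward(spoofed)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"asymroute={flag}:")
        for verdict in syslog_scenario(flag):
            print("  ", verdict)
```

Running it shows the legitimate reply is accepted in both modes because it matches the session opened by the first packet, while the forwarded copy fails the reverse-path check until `asymroute` is enabled, after which it is judged only by the DMZ-to-internal policy.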


Sean said...

OMG Thank you. I was at my wit's end trying to figure out why my 600b was blocking certain domains. Turns out that some stuff goes out our educational pipe but comes back in our commercial pipe. Who knew!?

wilson chua said...

Like what Sean said!! Thank you!!! I knew the problem was the asymmetrical routing. But I couldn't figure out from the CLI manual how to do it!!!

Thanks Man!!!

Anonymous said...

Awesome! Totally saved my ass. Thanks!!

m00n said...

Asymmetric routing fixed my connection issues. But UTM functions like AV, AS, and application filtering do not work. How can I fix that? I have 2x1000C configured as standalone devices and placed between a BGP border router and 2 core switches with a simple OSPF configuration for redundancy and load balancing.