asymmetric routes/security concerns/Fortinet

Tarig Ahmed tariq198487 at
Sat Jan 8 13:01:00 CST 2011

Tarig Yassin Ahmed

On Jan 7, 2011, at 10:45 PM, Anthony Pardini <tony at> wrote:

> You can allow asymmetric traffic on the Fortinet, but you lose some
> functionality.   Firewalls aren't routers and pretty much all of them
> behave in the similar manner.


I think u can solve this issue only by adding router between the  
firewall and the Internet.

in multihoming metwork, Internet connections should be connect to  
routers then afterthat come the the firewall to avoid such problems.


> On Fri, Jan 7, 2011 at 11:40 AM, Greg Whynott  
> <Greg.Whynott at> wrote:
>> Hello,
>> we have multiple internet connections of which one is a research  
>> network where many medical institutions and universities are also  
>> connected to threw out the country.  This research network (ORION)  
>> also has internet access but is not meant to be used as a primary  
>> path to the internet by its customers.     Connected to the ORION  
>> network are many sites we exchange email with daily who also have  
>> multiple internet connections.   One of these sites is not  
>> reachable by us.   After investigating,  it was discovered this  
>> site is dropping our connections as the path back to use would use  
>> a different interface on the firewall ( a Fortinet device) than  
>> that which it arrived upon.
>> The admins at this university claim this is by design and for  
>> security reasons..   My response was the entire internet is  
>> asymmetrical and while this may of been a legitimate concern in the  
>> 90's,  I don't think its a real concern anymore if things are set  
>> up correctly.  They suggested we add static routes to our equipment  
>> to address this…  This seems like a bad idea and I am not comforta 
>> ble adjusting my routing table to address one site's issues on the 
>>  internet due to their (not ours) routing/security policies.
>> am I correct here?  any comments on this would be greatly  
>> appreciated as I'll be called into a meeting to discuss this  
>> further (they are digging in their heals in on this,  and higher  
>> ups are getting involved now).  I'd like to arm myself with a few  
>> perspectives.
>> thanks very much for your time again,
>> greg
>> --
>> This message and any attachments may contain confidential and/or  
>> privileged information for the sole use of the intended recipient.  
>> Any review or distribution by anyone other than the person for whom  
>> it was originally intended is strictly prohibited. If you have  
>> received this message in error, please contact the sender and  
>> delete all copies. Opinions, conclusions or other information  
>> contained in this message may not be that of the organization.

More information about the NANOG mailing list