OK, so this got me interested.
I set up a lab with two FortiGates, each one with a different LAN (version 6.2.0).
FortiGate-1 is connected to a wan1-router, and the wan1-router is also connected to FortiGate-2.
FortiGate-1 is also connected to FortiGate-2 through the wan2 interface: https://ibb.co/42QfZv1
And I set the traffic to flow this way, and it worked even though asymmetric routing is disabled.
But guess what: I set FGT-2 so that FGT-1's LAN is learned via the direct p2p connection and not through the mpls router. And when I tried to ping from FGT-1 LAN to FGT-2 LAN and forced the traffic to go through the mpls router, the traffic got denied on FGT-2. See log:
FGT-2 (settings) # id=20085 trace_id=41 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 10.2.0.1:48896->10.100.77.101:2048) from port5. type=8, code=0, id=48896, seq=0."
id=20085 trace_id=41 func=init_ip_session_common line=5666 msg="allocate a new session-00011302"
id=20085 trace_id=41 func=ip_route_input_slow line=2252 msg="reverse path check fail, drop"
id=20085 trace_id=41 func=ip_session_handle_no_dst line=5750 msg="trace"
id=20085 trace_id=42 func=print_pkt_detail line=5501 msg="vd-root:0 received a packet(proto=1, 10.2.0.1:48896->10.100.77.101:2048) from port5. type=8, code=0, id=48896,
After enabling asymmetric routing on FGT-2, traffic got permitted on FGT-2:
FGT-2 (settings) # get | grep asym
asymroute : disable
asymroute-icmp : enable
asymroute6 : disable
asymroute6-icmp : disable
And then it arrived successfully at FGT-1 without being denied:
FGT-1 # diagnose sniffer packet any 'host 10.100.77.101 and host 10.2.0.1' 4
filters=[host 10.100.77.101 and host 10.2.0.1]
3.770602 mpls out 10.2.0.1 -> 10.100.77.101: icmp: echo request
3.785696 wan2 in 10.100.77.101 -> 10.2.0.1: icmp: echo reply
4.770882 mpls out 10.2.0.1 -> 10.100.77.101: icmp: echo request
4.784904 wan2 in 10.100.77.101 -> 10.2.0.1: icmp: echo reply
(So I guess) the default behavior is to accept outgoing traffic that returns from a different WAN, and the default behavior is to deny incoming traffic that arrives on a different interface than the one in the routing table (suspected spoofed traffic).
It's worth mentioning that this is not the same with SD-WAN, where you have the auxiliary-session command: https://docs.fortinet.com/document/fortigate/6.2.3/technical-tip-enabling-auxiliary-session-with-ecmp-or-sd-wan/19/fd47765
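To make the "reverse path check fail, drop" in the log above reproducible on paper, here is an added Python model of a strict reverse-path check, not FortiOS code and not part of the original post. The routing table for FGT-2 (FGT-1's LAN reachable over the direct wan2 p2p link, default via the mpls router on port5, a LAN interface assumed to be named port3) is a constructed assumption based on the lab description.

```python
"""Strict reverse-path-forwarding (RPF) check, modelled on the lab above.

Constructed example, not FortiOS code: the routing table below is an
assumption about what FGT-2 learned (FGT-1's LAN via the direct wan2 p2p
link, everything else via the mpls router on port5, own LAN on port3).
"""
import ipaddress
from typing import Optional

# (destination prefix, egress interface) - constructed routing table for FGT-2
FGT2_ROUTES = [
    ("10.100.77.0/24", "port3"),   # FGT-2 own LAN (interface name assumed)
    ("10.2.0.0/24", "wan2"),       # FGT-1 LAN learned over the direct p2p link
    ("0.0.0.0/0", "port5"),        # default route towards the mpls router
]


def best_route(routes, ip: str) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None if no route."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def rpf_check(routes, src_ip: str, ingress_iface: str, asymroute: bool = False) -> str:
    """Verdict a strict RPF check gives to the first packet of a new session.

    Strict RPF: the interface the packet arrived on must be the one the
    routing table would use to reach the packet's source address. With
    asymroute enabled the check is skipped, which matches the log above.
    """
    if asymroute:
        return "accept (asymroute enabled, RPF skipped)"
    expected = best_route(routes, src_ip)
    if expected is None:
        return "drop (no route to source)"
    if expected != ingress_iface:
        return f"drop (reverse path check fail: expected {expected}, got {ingress_iface})"
    return "accept"


if __name__ == "__main__":
    # echo request from FGT-1 LAN arriving from the mpls router on port5
    print(rpf_check(FGT2_ROUTES, "10.2.0.1", "port5"))
    print(rpf_check(FGT2_ROUTES, "10.2.0.1", "port5", asymroute=True))
    print(rpf_check(FGT2_ROUTES, "10.2.0.1", "wan2"))
```

The return traffic in the FGT-1 sniffer output passes for a different reason: it belongs to a session FGT-1 already created on the outbound echo request, so it is never subjected to the new-session check modelled here.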