View all questions & answers for the FCSS - Network Security 7.4 Support Engineer Exam Materials exam


Question 45 Discussion

Refer to the exhibit, which shows a network topology and a partial routing table. FortiGate has already been configured with a firewall policy that allows all ICMP traffic to flow from port1 to port3. Which changes must the administrator perform to ensure the server at 10.4.0.1/24 receives the echo reply from the laptop at 10.1.0.1/24? (Choose one answer)

  • A. Change the configuration from strict RPF check mode to feasible RPF check mode.
  • B. Modify the default gateway on the laptop from 10.1.0.2 to 10.2.0.2.
  • C. Enable asymmetric routing under config system settings.
  • D. A firewall policy that allows all ICMP traffic from port3 to port1.
Correct Answer: C

Brave-Dump Clients Votes

C 100%

Comments



Brave-Dumps Admin 2025-05-13 15:03:35

Selected Answers: C


Enabling asymmetric routing on FortiGate allows the return ICMP echo reply to be forwarded using the FIB even without a matching session, which resolves the issue caused by asymmetric traffic flow in the network topology.


Brave-Dumps Admin 2025-05-15 12:44:36

Selected Answers: C


As per Study Guide, page 377:
To allow asymmetric routing, use the following commands:

config system settings
    set asymroute enable
end

How asymmetric routing behaves:

(1) The server’s ICMP request bypasses the FortiGate and reaches the PC directly.
(2) The PC sends an echo reply, which returns through the FortiGate. Since there's no matching session, the packet is not dropped — instead, it is passed to the FortiGate’s CPU and forwarded using the Forwarding Information Base (FIB).
(3) All subsequent echo replies are treated the same way: forwarded by the CPU without a session match.
(4) FortiGate behaves like a basic router in this mode — no security inspection is applied.

Note: If you enable asymmetric routing for troubleshooting, be sure to disable it after resolving the issue.
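
The note above about disabling asymmetric routing after troubleshooting can be verified against a configuration backup. The following is an added example, not part of the comments or the study guide: it assumes the backup uses the usual FortiOS config/edit/next/end nesting, and the sample configuration and the function name `find_asymroute_enabled` are constructed for illustration.

```python
import re

# Constructed sample of a FortiGate configuration backup (not from the page).
# Assumption: blocks nest as config ... end, with edit ... next entries inside.
SAMPLE_CONFIG = """\
config vdom
edit root
config system settings
    set asymroute enable
end
config firewall policy
    edit 1
        set srcintf "port1"
    next
end
next
edit dmz
config system settings
    set asymroute disable
end
next
end
"""

def find_asymroute_enabled(config_text):
    """Return (vdom, line_number) for every 'set asymroute enable' inside a
    'config system settings' block. vdom is None when no VDOM is in scope."""
    findings = []
    stack = []   # names of the currently open 'config ...' blocks
    vdom = None  # VDOM selected by 'edit <name>' directly under 'config vdom'
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line == "end":
            if stack:
                stack.pop()
        elif line.startswith("edit ") and stack == ["vdom"]:
            vdom = line[len("edit "):].strip('"')
        elif stack and stack[-1] == "system settings":
            if re.fullmatch(r"set\s+asymroute\s+enable", line):
                findings.append((vdom, lineno))
    return findings

if __name__ == "__main__":
    for vdom, lineno in find_asymroute_enabled(SAMPLE_CONFIG):
        print(f"asymroute enabled (vdom={vdom}, line {lineno}): sessionless "
              "replies are forwarded via the FIB without inspection")
```

A finding means the setting is still enabled in that VDOM and return traffic without a matching session is being routed uninspected.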