Reference
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Details-about-FortiOS-RPF-Reverse-Path-Forwarding/ta-p/190100
Situation
Perform a routing table lookup for the return destination IP (the source IP of the received packet);
drop the traffic on a miss.
Solution
When the FortiGate receives a packet, it performs a reverse path lookup during the initial session creation phase to confirm that the return route exists in the RIB.
If it exists, the session is written to the session table.
Example
[1]
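# Same AD value, different metric
> Two 0.0.0.0/0 routes exist in the RIB at the same time
> The return route check finds a route in the RIB (ISP2's 0.0.0.0/0 route)
> Traffic passes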
[2]
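# Different AD values, ISP1 preferred
> Only one 0.0.0.0/0 route currently exists, toward ISP1
> The return route check fails (there is no 0.0.0.0/0 route for ISP2)
> Traffic does not pass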
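
The two cases above as a small model, added here as an example (not Fortinet code or output). It assumes the check passes when any RIB route covers the source IP via the ingress interface; the interface names wan1 (ISP1) and wan2 (ISP2), the AD and metric values, and the source address are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data: interface names, distances, metrics and the
# source address are illustrative, not taken from the page.
Route = namedtuple("Route", "prefix dev distance metric")

def build_rib(candidates):
    """Per prefix, keep only the routes with the lowest AD (distance).
    A worse metric does not evict a route; a worse AD does."""
    best = {}
    for r in candidates:
        best[r.prefix] = min(best.get(r.prefix, r.distance), r.distance)
    return [r for r in candidates if r.distance == best[r.prefix]]

def rpf_check(rib, src_ip, in_dev):
    """Assumed model of the check: pass when any RIB route covers the
    packet's source IP (the return destination) via the ingress interface."""
    src = ipaddress.ip_address(src_ip)
    return any(r.dev == in_dev and src in ipaddress.ip_network(r.prefix)
               for r in rib)

def accept(candidates, src_ip, in_dev):
    """Return 'session created' or 'dropped' for a first packet."""
    rib = build_rib(candidates)
    return "session created" if rpf_check(rib, src_ip, in_dev) else "dropped"

# Case [1]: same AD, different metric -> both default routes are in the RIB.
CASE1 = [Route("0.0.0.0/0", "wan1", 10, 1), Route("0.0.0.0/0", "wan2", 10, 5)]
# Case [2]: different AD, ISP1 preferred -> only the wan1 default is installed.
CASE2 = [Route("0.0.0.0/0", "wan1", 10, 1), Route("0.0.0.0/0", "wan2", 20, 1)]

if __name__ == "__main__":
    for name, routes in (("[1]", CASE1), ("[2]", CASE2)):
        # Packet from 203.0.113.10 arriving on the ISP2 interface (wan2).
        print(name, accept(routes, "203.0.113.10", "wan2"))
```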