When does a FortiGate perform a routing table lookup for TCP traffic in NAT/Route mode?

Prepare for the Fortinet NSE 4 Certification Exam with quizzes covering essential topics. Enhance your knowledge of Fortinet's security products and solutions to ensure exam success. Boost your confidence with detailed questions and answers!

In NAT/Route mode, a FortiGate performs a routing table lookup while the TCP connection is being established: on the initial SYN packet from the client and on the subsequent SYN/ACK packet from the server. When the client initiates a TCP connection, it sends a SYN packet, and the FortiGate uses this packet to determine the appropriate route for the connection based on its routing table.

Upon receiving the SYN from the client, the FortiGate checks the destination address and evaluates the routing table to find the next hop or egress interface for the outgoing traffic. When the server's SYN/ACK comes back, the same routing lookup happens for the return traffic. This initial routing table lookup ensures that packets are directed correctly through the network so the connection can be established.

Conversely, subsequent packets, such as ACKs or data packets exchanged between the client and server after the connection is established, do not typically trigger a new routing table lookup. Instead, the FortiGate relies on the existing session entry created during the initial handshake to route these packets accordingly. Thus, the routing table lookup primarily occurs during the connection establishment phase with the SYN and SYN/ACK packets.
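The behavior described above can be modeled in a few lines. This is an added, simplified illustration, not FortiOS code: the `Forwarder` class, the interface names, and the addresses are constructed assumptions, and the model covers only the lookup-then-cache logic the explanation describes.

```python
import ipaddress

# Constructed routing table (prefix, egress interface); names are assumptions.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "wan1"),
    (ipaddress.ip_network("10.0.1.0/24"), "internal"),
    (ipaddress.ip_network("203.0.113.0/24"), "dmz"),
]

class Forwarder:
    """Simplified model: routing lookups happen only while a session is set up."""

    def __init__(self, routes):
        self.routes = routes
        self.sessions = {}   # (src, sport, dst, dport) of the SYN -> cached egress
        self.lookups = 0     # routing table lookups performed so far

    def route_lookup(self, dst):
        """Longest-prefix match against the routing table."""
        self.lookups += 1
        addr = ipaddress.ip_address(dst)
        matches = [(net, ifc) for net, ifc in self.routes if addr in net]
        if not matches:
            raise LookupError(f"no route to {dst}")
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def handle(self, src, sport, dst, dport, flags):
        """Return (egress interface, True if a routing lookup was needed)."""
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in self.sessions:                 # original direction, session exists
            return self.sessions[fwd]["orig"], False
        if rev in self.sessions:                 # reply direction
            sess = self.sessions[rev]
            if sess["reply"] is None:            # first reply: the SYN/ACK
                sess["reply"] = self.route_lookup(dst)
                return sess["reply"], True
            return sess["reply"], False
        if flags == {"SYN"}:                     # new connection: first lookup
            egress = self.route_lookup(dst)
            self.sessions[fwd] = {"orig": egress, "reply": None}
            return egress, True
        raise LookupError("no session and not a SYN: packet dropped")

def replay_handshake():
    """Replay a constructed handshake plus data and return the per-packet trace."""
    fw, c, s = Forwarder(ROUTES), ("10.0.1.10", 40000), ("203.0.113.5", 443)
    packets = [(c, s, {"SYN"}), (s, c, {"SYN", "ACK"}), (c, s, {"ACK"}),
               (c, s, {"PSH", "ACK"}), (s, c, {"PSH", "ACK"})]
    trace = [fw.handle(*a, *b, f) for a, b, f in packets]
    return trace, fw.lookups
```

`replay_handshake()` returns one `(egress, looked_up)` pair per packet: only the SYN and the SYN/ACK report a lookup, and the lookup counter stays at two however many data packets follow.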
