jlim11
Staff
Article Id 304552
Description

This article describes SNAT network behavior when the primary and secondary interface IP address are on the same subnet. 

Scope

FortiGate.
Solution

When the primary and secondary interface IP addresses are on different subnets, FortiOS selects for SNAT the address whose subnet matches the gateway found by the route lookup.


In the example below, the interface has a primary IP of 10.47.1.37/20 and a secondary IP of 10.47.1.22/20:

network interface.JPG

Firewall Policy using 'Use Outgoing Interface Address' for SNAT (port1 is part of 'virtual-wan-link'):

firewall policy.jpg

Checking the IP addresses using the CLI command 'diag ip address list', the Primary IP precedes the Secondary IP.

ipaddlist4.JPG

FortiOS will use the IP address that is on top of the list for SNAT.

Confirmation using debug flow:

debug flow1.JPG

Session table:

session list1.JPG

If the primary IP address on the interface is changed (for example, to an address on another network subnet), the secondary IP address moves to the top of the list.

ipaddlist5.JPG

Besides being on top of the list, the secondary IP (10.47.1.22) is now used for SNAT because it matches the gateway found on the route lookup.


In this example, even after the primary IP address is changed back, the secondary IP remains on top of the list:

ip addlist6.JPG

It is therefore still used for SNAT when the firewall policy uses 'Outgoing Interface Address'; FortiOS follows the order of the list shown above.

debug flow5.JPG
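The selection behaviour described above, modelled as an added Python example (not FortiOS code): the interface addresses are tried in the order 'diag ip address list' shows them, and the first one whose subnet contains the route-lookup gateway is used for SNAT. The gateway 10.47.0.1, the 192.168.50.0/24 subnet and the list orderings are constructed assumptions; only the two /20 addresses come from the article.

```python
from ipaddress import IPv4Address, IPv4Interface
from typing import Iterable, Optional


def select_snat_source(addr_list: Iterable[str], gateway: str) -> Optional[IPv4Address]:
    """Return the address FortiOS would use for 'Use Outgoing Interface Address' SNAT
    according to the article: walk the interface addresses in 'diag ip address list'
    order and take the first one whose subnet contains the route-lookup gateway."""
    gw = IPv4Address(gateway)
    for entry in addr_list:
        iface = IPv4Interface(entry)
        if gw in iface.network:
            return iface.ip
    return None  # no interface address shares a subnet with the gateway


def snat_differs_from_primary(addr_list: Iterable[str], gateway: str, primary: str) -> bool:
    """Operational check: True when the SNAT source would not be the configured primary
    address (e.g. after the primary was changed and changed back), which matters when
    upstream ACLs or peer NAT exemptions are keyed on the primary IP."""
    chosen = select_snat_source(addr_list, gateway)
    return chosen is not None and chosen != IPv4Address(primary)


# Constructed scenarios built on the article's addresses. The gateway 10.47.0.1 and the
# 192.168.50.0/24 subnet are assumptions, not values taken from the article.
GATEWAY = "10.47.0.1"
PRIMARY = "10.47.1.37"
INITIAL = ["10.47.1.37/20", "10.47.1.22/20"]            # primary on top, same subnet
PRIMARY_MOVED = ["192.168.50.37/24", "10.47.1.22/20"]   # primary now on another subnet
PRIMARY_RESTORED = ["10.47.1.22/20", "10.47.1.37/20"]   # primary back, secondary still on top

if __name__ == "__main__":
    for name, addrs in [("initial", INITIAL), ("primary moved", PRIMARY_MOVED),
                        ("primary restored", PRIMARY_RESTORED)]:
        src = select_snat_source(addrs, GATEWAY)
        note = " (differs from primary)" if snat_differs_from_primary(addrs, GATEWAY, PRIMARY) else ""
        print(f"{name}: SNAT source {src}{note}")
```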
Related article:

Technical Note: SNAT and primary versus secondary IP address.