ssanga
Staff & Editor
August 11, 2025

Technical Tip: SD-WAN member Gateway IPs should not overlap with Firewall IP pool ranges

Description
This article explains an issue where FortiGate does not prevent an SD-WAN member's gateway IP address from overlapping with the IP ranges defined in firewall IP pools.

Scope
FortiGate v7.6.3.

Solution

When an SD-WAN member's gateway address falls inside the range of a firewall IP pool, installing the member's routes into the kernel can cause unexpected behavior and, potentially, connectivity loss. FortiGate v7.6.3 accepts such a configuration without any error, so the overlap has to be caught by reviewing the ippool ranges against the SD-WAN member gateways.

Sample config:

config firewall ippool
    edit "1"
        set startip 172.16.100.20
        set endip 172.16.100.30
    next
end

config system interface
    edit "port1"
        set vdom "root"
        set ip 172.16.100.1 255.255.255.0
        set type physical
        set snmp-index 3
    next
end

config system sdwan
    config members
        edit 3
            set interface port1
            set gateway 172.16.100.22    <----- This IP is inside the ippool range 172.16.100.20-172.16.100.30.
        next
    end
end

Starting from v8.0.0 (scheduled for release in February 2026), FortiGate rejects the setting with the error 'Gateway IP can not overlap with firewall ippool's IP range.' whenever an SD-WAN member's gateway IP falls inside the IP range of a firewall IP pool.

This firmware release timeline is an estimate and is subject to change.

On v8.0.0 the same configuration is rejected at commit time:

config system sdwan
    config members
        edit 3
            set interface port1
            set gateway 172.16.100.22
        end
Gateway IP can not overlap with firewall ippool's IP range.
object set operator error, -5 discard the setting
Command fail. Return code -5
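On firmware earlier than v8.0.0 the same check can be run offline against a configuration backup: parse every 'config firewall ippool' entry's startip/endip, parse every 'config system sdwan' member gateway, and report any gateway that falls inside a pool range. The script below is an added example written for this article and is not Fortinet code. It embeds a constructed config fragment modelled on the sample above; the second pool "pool-2" and SD-WAN member 4 on port2 are assumed additions included so that a non-overlapping case is exercised too. The walker only understands the config/edit/next/end nesting shown on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed FortiOS-style config fragment for this example (not captured from
# a real device). Member 3's gateway sits inside ippool "1"; pool "pool-2" and
# member 4 are assumed additions that must NOT be flagged.
SAMPLE_CONFIG = """\
config firewall ippool
    edit "1"
        set startip 172.16.100.20
        set endip 172.16.100.30
    next
    edit "pool-2"
        set type one-to-one
        set startip 10.10.10.5
        set endip 10.10.10.6
    next
end
config system interface
    edit "port1"
        set vdom "root"
        set ip 172.16.100.1 255.255.255.0
        set type physical
    next
end
config sys sdwan
    config members
        edit 3
            set interface port1
            set gateway 172.16.100.22
        next
        edit 4
            set interface port2
            set gateway 10.10.10.1
        next
    end
end
"""

# CLI abbreviations seen in backups / pasted output that we normalise.
_ABBREV = {"sys": "system"}


@dataclass(frozen=True)
class Pool:
    name: str
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address


def _walk(config: str) -> Iterator[tuple[tuple[str, ...], Optional[str], str, list[str]]]:
    """Yield (section path, enclosing edit id, key, values) for every 'set' line.

    Two parallel stacks track the nested config/edit/next/end structure so that a
    nested table ('config members' inside 'config system sdwan') gets its own path.
    """
    path: list = []
    edits: list = []
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            path.append(" ".join(_ABBREV.get(w, w) for w in tokens[1:]))
            edits.append(None)
        elif kw == "edit":
            edits[-1] = raw.split(None, 1)[1].strip().strip('"')
        elif kw == "next":
            edits[-1] = None
        elif kw == "end":
            path.pop()
            edits.pop()
        elif kw == "set" and len(tokens) >= 3:
            yield tuple(path), edits[-1], tokens[1], tokens[2:]


def parse_ippools(config: str) -> list[Pool]:
    """Collect startip/endip of every entry under 'config firewall ippool'."""
    found: dict = {}
    for path, edit, key, values in _walk(config):
        if path == ("firewall ippool",) and edit and key in ("startip", "endip"):
            found.setdefault(edit, {})[key] = ipaddress.IPv4Address(values[0])
    return [Pool(name, ips["startip"], ips.get("endip", ips["startip"]))
            for name, ips in found.items() if "startip" in ips]


def parse_sdwan_gateways(config: str) -> dict[int, tuple[str, ipaddress.IPv4Address]]:
    """Map SD-WAN member id -> (interface, gateway); members without a gateway
    (or with the 0.0.0.0 default) are skipped because nothing can overlap."""
    found: dict = {}
    for path, edit, key, values in _walk(config):
        if path == ("system sdwan", "members") and edit and key in ("interface", "gateway"):
            found.setdefault(int(edit), {})[key] = values[0].strip('"')
    result = {}
    for mid, attrs in found.items():
        gw = ipaddress.IPv4Address(attrs.get("gateway", "0.0.0.0"))
        if gw != ipaddress.IPv4Address("0.0.0.0"):
            result[mid] = (attrs.get("interface", ""), gw)
    return result


def find_overlaps(config: str) -> list[tuple[int, str, str, str]]:
    """Return (member id, interface, gateway, pool name) for every SD-WAN member
    gateway inside a firewall ippool range: the condition v8.0.0 rejects with
    'Gateway IP can not overlap with firewall ippool's IP range.'"""
    pools = parse_ippools(config)
    hits = []
    for mid, (iface, gw) in sorted(parse_sdwan_gateways(config).items()):
        for pool in pools:
            if pool.start <= gw <= pool.end:
                hits.append((mid, iface, str(gw), pool.name))
    return hits


if __name__ == "__main__":
    overlaps = find_overlaps(SAMPLE_CONFIG)
    for mid, iface, gw, pool in overlaps:
        print(f'member {mid} ({iface}): gateway {gw} overlaps ippool "{pool}"')
    if not overlaps:
        print("no SD-WAN member gateway overlaps a firewall ippool range")
```

Run it against a full backup by reading the file into find_overlaps(); any row it prints is a member whose gateway should be moved out of the pool range (or the pool narrowed) before upgrading, since v8.0.0 will refuse to load that setting.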