Technical Tip: How to assign different IP pools for tunnel and edge devices

Tunnel and edge devices are assigned with an IP from the default 100.65.0.0/16 range.

To change the IP pools, perform the steps below.

Navigate to Network -> IP management -> IPAM. The default pool will be configured as follows:

The following subnets can be used.

100.65.0.0/16 (default)
10.0.0.0/8
100.64.0.0/10
172.16.0.0/12
192.168.0.0/16

Additional information is available in the FortiSASE documentation: Remote VPN and edge device user identification.

After changing IP pools, users will be assigned an IP from the selected range:

IPAM:

Note: If a subnet within the LAN network (for example, 10.10.2.0/24) is already in use within the environment and FortiSASE IPAM assigns an IP address to an endpoint from the same subnet range, an IP address conflict may occur.

To prevent such conflicts, it is recommended that the subnet 10.10.2.0/24 be added to the Excluded Subnets list. This configuration ensures that FortiSASE IPAM does not allocate IP addresses to endpoints from the specified excluded subnet range.

FortiClient:

User connection and endpoint under Monitoring -> Status will show the newly assigned IPs to the user client.