Description
This article describes how to configure a FortiGate network interface so that a secondary IP address belongs to the same subnet as the already configured primary IP address.
By default, however, an attempt to set a secondary IP that overlaps the primary IP is rejected, and the FortiGate returns one of the following error messages in the CLI or GUI:

CLI:
Subnets overlap between 'port6' with primary IP of 'port5'
node_check_object fail! for ip X.X.X.X 255.255.255.0
value parse error before '255.255.255.0'
Command fail. Return code -54

GUI:
'Conflict with ‘portx’ subnet.'
Solution
FortiGate allows overlapping subnets to be enabled with the following CLI command; there is no equivalent option in the GUI.
(If VDOMs are enabled on the configuration, enter the correct VDOM first.)

# config vdom
# edit <VDOM>

# config system settings
# set allow-subnet-overlap [enable/disable]
# end
Notes:
By design, subnets should not overlap. In a real network, if two interfaces have overlapping subnets, the FortiGate may forward a packet to the wrong interface when the destination IP address falls inside the overlapped range.
Using subnet overlap is not recommended, as it can cause routing issues in the network. The best recommendation is to use variable-length subnet masking (VLSM) so that each interface in the environment can be assigned its own distinct subnet.
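The following script is an added example, not Fortinet code, that shows the problem the note describes and the VLSM remedy: it takes a constructed interface table in the "ip <addr> <mask>" form FortiOS uses (the port names and addresses are hypothetical), reports which interface pairs have overlapping subnets, shows that a destination inside the overlapped range matches more than one directly connected interface, and splits one subnet into equal VLSM blocks so each interface can get its own.

```python
import ipaddress
from itertools import combinations

# Constructed sample interface table (hypothetical port names and addresses),
# written as FortiOS shows them: address plus dotted netmask.
INTERFACES = {
    "port5": ("10.10.10.1", "255.255.255.0"),
    "port6": ("10.10.10.2", "255.255.255.0"),   # same /24 as port5: overlap
    "port7": ("10.10.20.1", "255.255.255.0"),
}


def to_network(ip, mask):
    """Return the subnet (network address/prefix) an interface address belongs to."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def find_overlaps(interfaces):
    """Return a sorted list of (name_a, name_b) pairs whose subnets overlap.

    This is the same condition that makes FortiOS reject the address unless
    allow-subnet-overlap is enabled.
    """
    nets = {name: to_network(*addr) for name, addr in interfaces.items()}
    return sorted(
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    )


def candidate_interfaces(interfaces, destination):
    """Interfaces whose directly connected subnet contains `destination`.

    More than one hit means the directly connected route is ambiguous, which is
    why the firewall may forward the packet out of the wrong interface.
    """
    dst = ipaddress.ip_address(destination)
    return sorted(
        name for name, addr in interfaces.items() if dst in to_network(*addr)
    )


def vlsm_split(network, parts):
    """Split `network` into `parts` equal-size subnets (parts must be a power of two).

    One VLSM approach: carve the shared range into distinct blocks so each
    interface can be assigned its own subnet instead of overlapping ones.
    """
    net = ipaddress.ip_network(network)
    extra_bits = (parts - 1).bit_length()
    if 2 ** extra_bits != parts:
        raise ValueError("parts must be a power of two")
    return [str(s) for s in net.subnets(prefixlen_diff=extra_bits)]


if __name__ == "__main__":
    for a, b in find_overlaps(INTERFACES):
        print(f"overlap: {a} and {b}")
    print("10.10.10.50 matches:", candidate_interfaces(INTERFACES, "10.10.10.50"))
    print("VLSM split of 10.10.10.0/24:", vlsm_split("10.10.10.0/24", 2))
```

Run against the constructed table, the script flags port5/port6 as overlapping and lists both as candidates for 10.10.10.50, which is exactly the ambiguity the note warns about; the two /25 blocks from vlsm_split are one way to give each port a distinct subnet. Feeding it the real interface list from "show system interface" is left to the reader.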