When primary or secondary interface IP addresses have different subnets, FortiOS uses the address that has the same subnet as the gateway found on the route lookup for SNAT.

In the example below, The interface has a Primary IP of 10.47.1.37/20 and Secondary IP of 10.47.1.22/20:

Firewall Policy using 'Use Outgoing Interface Address' for SNAT (port1 is part of 'virtual-wan-link'):

Checking the IP addresses using the CLI command 'diag ip address list', the Primary IP precedes the Secondary IP. 

FortiOS will use the IP address that is on top of the list for SNAT. 

Confirmation using debug flow:

Session table:

If there are changes to the Primary IP address on the interface (such as changing the IP address to another network subnet), this is the time when the secondary IP address will be on the top of the list.

Aside from being on top of the list, the secondary IP(10.47.1.22) will now be used for SNAT since it matches the gateway found on the route lookup.

In this example, even after changing back the IP address of the primary unit, the secondary IP is still on top of the list:

 
It will now be used for SNAT using the 'Outgoing Interface Address' on the Firewall Policy. FortiOS uses the list shown above.

This feature should be particularly aware of in the Cloud environment such as AWS when on the primary IP has the associated elastic IP (public IP) but the secondary IP does not. In that scenario, if the source IP is SNAT to the secondary IP as above, and the traffic will not be able to access the Internet anymore. 

To fix this and restore the original sequence of IP, all those secondary IP addresses need to be removed and reconfigured on FortiGate.

Related article:

Technical Note: SNAT and primary versus secondary IP address.