FortiGate
jlim11
Staff
Article Id 304552
Description

This article describes SNAT behavior when the primary and secondary interface IP addresses are on the same subnet.

Scope

FortiGate.

Solution

When the primary and secondary interface IP addresses are on different subnets, FortiOS uses for SNAT the address that is in the same subnet as the gateway found by the route lookup.


In the example below, the interface has a Primary IP of 10.47.1.37/20 and Secondary IP of 10.47.1.22/20:

(Image: network interface.JPG)

Firewall Policy using 'Use Outgoing Interface Address' for SNAT (port1 is part of 'virtual-wan-link'):

(Image: firewall policy.jpg)

Checking the IP addresses with the CLI command 'diag ip address list' shows that the Primary IP precedes the Secondary IP.

(Image: ipaddlist4.JPG)

FortiOS will use the IP address that is at the top of the list for SNAT.

Confirmation using debug flow:

(Image: debug flow1.JPG)

Session table:

(Image: session list1.JPG)

If the Primary IP address on the interface is changed (for example, to an address in another network subnet), the secondary IP address moves to the top of the list.


(Image: ipaddlist5.JPG)

Besides being at the top of the list, the secondary IP (10.47.1.22) will now be used for SNAT because it matches the gateway found by the route lookup.


In this example, even after the primary IP address is changed back, the secondary IP remains at the top of the list:


(Image: ip addlist6.JPG)

The secondary IP will therefore be used for SNAT when 'Use Outgoing Interface Address' is selected on the Firewall Policy, because FortiOS selects from the list shown above.


(Image: debug flow5.JPG)

In cloud environments such as AWS and Azure, where only the primary IP has an associated Elastic (public) IP and the secondary IP does not, the FortiGate can unexpectedly use the secondary IP for SNAT when 'Use Outgoing Interface Address' is selected. When this happens, internet-bound traffic may fail because the chosen secondary IP lacks the required public address.

To resolve this and restore the expected SNAT behaviour (where the primary IP is used), remove the secondary IPs from the interface and reconfigure them. This restores the primary IP to its expected position in the SNAT selection order.
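The selection rule and the cloud caveat above, modelled in Python as an added example (not FortiOS code or Fortinet's): it parses a constructed sample of 'diagnose ip address list' output (line format assumed to match FortiOS), picks the address FortiOS would use for SNAT on the outgoing interface, and flags when that address has no public IP mapping. The public-IP map and gateway values are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of 'diagnose ip address list' output, taken after the
# secondary IP has moved to the top of the list (format assumed to match FortiOS).
IP_ADDRESS_LIST = """\
IP=10.47.1.22->10.47.1.22/255.255.240.0 index=3 devname=port1
IP=10.47.1.37->10.47.1.37/255.255.240.0 index=3 devname=port1
IP=192.168.1.99->192.168.1.99/255.255.255.0 index=5 devname=port2
"""

# Constructed cloud mapping: only the primary IP has a public (Elastic) IP.
PUBLIC_IP_MAP = {"10.47.1.37": "203.0.113.10"}

LINE_RE = re.compile(r"^IP=(\S+)->(\S+)/(\S+)\s+index=\d+\s+devname=(\S+)$")


def parse_ip_address_list(text):
    """Return [(devname, ip_interface)] in the order FortiOS lists them."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            iface = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            entries.append((m.group(4), iface))
    return entries


def select_snat_ip(entries, devname, gateway):
    """Model the rule from the article: among the outgoing interface's
    addresses, the first listed one whose subnet contains the route's gateway
    is used. If no address matches (a case the article does not cover), this
    model assumes the first listed address is used."""
    gw = ipaddress.ip_address(gateway)
    candidates = [iface for dev, iface in entries if dev == devname]
    if not candidates:
        raise ValueError(f"no addresses listed for {devname}")
    for iface in candidates:
        if gw in iface.network:
            return str(iface.ip)
    return str(candidates[0].ip)


def snat_has_public_ip(snat_ip, public_map):
    """Cloud check: True only if the chosen SNAT address has a public IP."""
    return snat_ip in public_map


if __name__ == "__main__":
    entries = parse_ip_address_list(IP_ADDRESS_LIST)
    chosen = select_snat_ip(entries, "port1", "10.47.0.1")
    print(chosen, "has public IP:", snat_has_public_ip(chosen, PUBLIC_IP_MAP))
```

With the sample above, the secondary 10.47.1.22 is chosen because both addresses share the gateway's subnet and it is listed first, and the check reports that it has no public IP, which is the failure mode described for cloud deployments.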


Related article:

Technical Note: SNAT and primary versus secondary IP address.