Description

This article describes the process of adding or configuring multiple IPs on a FortiGate interface.

Scope

Quick addition of secondary IP from the command line as well as GUI.

Solution

To configure another IP than the already defined one, enable this feature first:

In CLI:

config system interface

    edit <name>

      set secondary-IP enable 

  end 

In GUI: 

Then, one can set up the IP as follows:

In CLI:

config system interface

   edit <name>

     config secondaryip
        edit 1
          set ip 10.106.107.108 255.255.255.0
        next

        edit 2

          set ip 10.106.107.109 255.255.255.0
        next

  end

In GUI, access to these new IPs can be easily added:

Benefits of using Secondary WAN IP:

It depends on the destination network. For example, if anyone is trying to reach the subnet the same as the primary IP, then it will use the primary IP and if it wants to reach the subnet as a secondary IP, then it will use the secondary IP.  If the destination is part of the secondary IP or the gateway is a secondary IP subnet, then it will use a secondary IP, or else it will use a primary IP. For reaching secondary WAN IP from different subnets other than secondary WAN ip subnet, a valid return/default route may have to be additionally created.

Multiple secondary IP's can be configured on the same physical interface, thereby reducing the need for additional physical interfaces for connectivity.

It is possible to consider secondary IP as a separate virtual interface, functionality will be the same as a separate virtual interface.

The only difference is, that both traffic, will use the same physical interface.

Limitations:

It is not possible to configure a secondary IP address using a DHCP or PPPoE.
The total Bandwidth available for all the connections across primary and secondary IP(s) is however limited by the parent physical interface capacity.