FortiGate
AlexC-FTNT
Staff
Article Id 226046

Description

 

This article describes the process of adding or configuring multiple IP addresses on a FortiGate interface.

 

Scope

 

FortiGate; quick addition of secondary IP from the command line as well as the GUI.

 

Solution

 

To configure a secondary IP address (or multiple addresses), the feature must be enabled first:

 

In the CLI:

 

config system interface
    edit <name>
        set secondary-IP enable
    next
end

 

In the GUI:

  • Navigate to Network -> Interfaces, select an interface to edit, then enable the Secondary IP address toggle.

 


 

Once the feature is enabled on the interface, Secondary IP address entries can then be added:

 

In the CLI:

  • For each entry, specify an IP address and subnet mask, plus the allowaccess setting (i.e. the administrative services, such as ping, https or ssh, that may be reached via that secondary IP; leave it unset to expose none).

 

config system interface
    edit <name>
        config secondaryip
            edit 1
                set ip 10.106.107.108 255.255.255.0
                set allowaccess ping https http fgfm
            next
            edit 2
                set ip 10.106.107.109 255.255.255.0
            next
        end
    next
end

 

Note:

allowaccess settings are independent and not hierarchical: the allowaccess list defined for the primary IP is not inherited by secondary IPs, and each secondary IP exposes only the services listed in its own entry (a secondary IP with no allowaccess line accepts no administrative connections). Treat each secondary IP as an additional management listener and enable only what is needed on it; http and telnet are cleartext, so prefer https and ssh for administration.

 

In the GUI:

  • Select the Create New button, then specify the IP/Netmask and any allowed Administrative Access options.

 


 

Benefits of using a Secondary IP Address:

Secondary IPs let the FortiGate be reachable on, and associated with, more than one IP address on the same interface. For example, if a device connected to the FortiGate is configured with the wrong default gateway address, it will not be able to reach the Internet via the FortiGate. If the default gateway cannot be corrected on the device itself, a workaround is to add that gateway address to the FortiGate as a Secondary IP: the FortiGate then answers ARP requests for it and acts as the default gateway for that device. At the same time, the FortiGate retains its original IP address, so correctly configured devices on the network still reach it through that address.

 

Another use case is separating incoming services. For example, a Secondary IP can be used to terminate incoming VPN connections while the main IP address remains available for other uses. Secondary IPs also play into routing: a Secondary IP can be used as the next-hop gateway address by neighbouring devices, and routes can be created that point specifically at the Secondary IP rather than the primary.

 

As a side note, several Secondary IPs on one physical interface can replace the use of several physical interfaces that would otherwise each need an address in the same subnet.

 

One thing to be aware of: when a Secondary IP is in the same subnet as the primary IP and that interface is the outgoing interface for source NAT (SNAT) with 'Use Outgoing Interface Address', the FortiGate may translate the source address to the Secondary IP rather than the primary.

 

Details can be found in this KB article: Technical Tip: SNAT behavior using 'Use Outgoing Interface Address' with a primary and secondary IP ...
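The checks a practitioner would run over such a configuration, as an added example that is not Fortinet's or this article's code: it parses a constructed 'config system interface' dump in the CLI format shown above, lists the allowaccess set of every address separately (a secondary IP without an allowaccess line exposes nothing), flags cleartext management services, and flags a secondary IP that sits in the primary IP's subnet, the SNAT case noted above. The interface name, addresses and service lists in the sample are assumptions.

```python
"""Audit secondary IPs in a FortiOS 'config system interface' dump (added example,
not Fortinet's code; the config text below is constructed and its names are assumed)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLEARTEXT_SERVICES = frozenset({"http", "telnet"})  # plaintext admin services

SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 10.106.107.1 255.255.255.0
        set allowaccess ping https ssh
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.106.107.108 255.255.255.0
                set allowaccess ping https http fgfm
            next
            edit 2
                set ip 172.16.5.1 255.255.255.0
            next
        end
    next
end
"""


@dataclass
class Addr:
    ident: str                              # "primary" or the secondaryip index
    net: Optional[ipaddress.IPv4Interface] = None
    allowaccess: frozenset = frozenset()    # services reachable on this IP only


@dataclass
class Iface:
    name: str
    primary: Addr = field(default_factory=lambda: Addr("primary"))
    secondaries: List[Addr] = field(default_factory=list)


def parse_interfaces(text: str) -> Dict[str, Iface]:
    """Small state machine over the edit / config / next / end nesting of the CLI."""
    ifaces: Dict[str, Iface] = {}
    iface: Optional[Iface] = None
    addr: Optional[Addr] = None   # address whose 'set' lines are being read
    in_sec = False                # inside 'config secondaryip'
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["config", "secondaryip"]:
            in_sec = True
        elif tok[0] == "edit" and in_sec:
            addr = Addr(tok[1])
        elif tok[0] == "edit":
            iface = ifaces[tok[1].strip('"')] = Iface(tok[1].strip('"'))
            addr = iface.primary
        elif tok[0] == "set" and iface is not None and addr is not None:
            key, vals = tok[1], tok[2:]
            if key == "ip":   # FortiOS writes 'set ip <address> <netmask>'
                addr.net = ipaddress.IPv4Interface(f"{vals[0]}/{vals[1]}")
            elif key == "allowaccess":
                addr.allowaccess = frozenset(vals)
        elif tok[0] == "next" and in_sec and iface is not None and addr is not None:
            iface.secondaries.append(addr)
            addr = None
        elif tok[0] == "end" and in_sec:   # leaves the secondaryip sub-table
            in_sec = False
            addr = iface.primary if iface is not None else None
    return ifaces


def exposure(ifaces: Dict[str, Iface]) -> Dict[str, Dict[str, frozenset]]:
    """allowaccess per address; a secondary IP inherits nothing from the primary."""
    return {n: {a.ident: a.allowaccess for a in [i.primary] + i.secondaries}
            for n, i in ifaces.items()}


def audit(ifaces: Dict[str, Iface]) -> List[tuple]:
    """Findings as (interface, address id, code, detail)."""
    out = []
    for i in ifaces.values():
        for a in [i.primary] + i.secondaries:
            clear = a.allowaccess & CLEARTEXT_SERVICES
            if clear:
                out.append((i.name, a.ident, "CLEARTEXT",
                            "cleartext admin service(s): " + " ".join(sorted(clear))))
            if (a is not i.primary and a.net is not None and i.primary.net is not None
                    and a.net.network == i.primary.net.network):
                out.append((i.name, a.ident, "SAME_SUBNET",
                            f"in {a.net.network} with the primary IP; outgoing-interface "
                            "SNAT may use this address as the source"))
    return out


if __name__ == "__main__":
    parsed = parse_interfaces(SAMPLE_CONFIG)
    for name, addrs in exposure(parsed).items():
        for ident, svc in addrs.items():
            print(f"{name} {ident}: allowaccess {' '.join(sorted(svc)) or '(none)'}")
    for name, ident, code, detail in audit(parsed):
        print(f"[{code}] {name}/{ident}: {detail}")
```

Run it against the output of 'show system interface' (or 'show full-configuration system interface') copied from the unit. On the constructed sample, secondary IP 2 reports no allowaccess at all, and secondary IP 1 is flagged both for http and for sharing 10.106.107.0/24 with the primary address.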

 

Limitations:

It is not possible to configure a Secondary IP address when an interface is configured to receive an address dynamically (e.g. using DHCP or PPPoE). Also, keep in mind that Secondary IPs are just additional addresses assigned to a network interface, so the total available bandwidth is still limited to that of the parent physical interface.