Secondary IP addresses to an interface

Secondary IP addresses to an interface

If an interface is configured with a manual or static IP address, you can also add secondary static IP addresses to the interface. Adding secondary IP addresses effectively adds multiple IP addresses to the interface. Secondary IP addresses cannot be assigned using DCHP or PPPoE.

All of the IP addresses added to an interface are associated with the single MAC address of the physical interface and all secondary IP addresses are in the same VDOM as the interface that are added to. You configure interface status detection for gateway load balancing separately for each secondary IP addresses. As with all other interface IP addresses, secondary IP addresses cannot be on the same subnet as any other primary or secondary IP address assigned to a FortiGate interface unless they are in separate VDOMs.

To configure a secondary IP, go to System > Network > Interface, select Edit or Create New and select the Secondary IP Address check box.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

3 thoughts on “Secondary IP addresses to an interface

  1. Hi,
    I have a customer with one wan interface with a /30.
    the isp is delivering a /28 to the customer via this /30 as a routable ip allocation.
    I know with cisco this isn’t a problem, with fortigate it seems to be a problem, if if add a vip that is part of the /28 it doesn’t work.
    Fortigate support have given me two different answers,
    1. it should work
    2. it wont work as the vip has to be associated with a subnet that is assigned to a physical interface.
    I thought about secondary ip but don’t really want to do that as isp router may not like it.
    can anyone shed any light??

    • ISP’s here do that all the time. Should definitely work. Every instance I have deployed situations like this I have just setup a VIP using the IP’s from the /28 etc that is being routed to the /30.

      My guess would be to verify that ISP properly routed the /28 to the /30 or to IP the Gate has on the WAN interface. If that is proper things should flow just fine as long as proper policy exists. You don’t want to do a secondary IP in this situation. It’s a waste of a good IP for ya!

  2. Usually when you configure an VIP on an interface you’d get two options.

    1. The router sending in will be forwarding traffic to the Fortigate anyway which will then respond saying it owns the VIP you have configured.

    2. An ARP might get sent for the VIP you configured at which point the fortigate would respond.

    Fortinet are right, that should be working. Firmware up to date and the Fortigates not in conserve mode or anything?

Leave a Reply

Name *
Email *

This site uses Akismet to reduce spam. Learn how your comment data is processed.