GeorgeZhong
Staff
Article Id 388168
Description

This article provides further explanation on the workaround for the vulnerability FG-IR-23-407.

Scope

All FortiOS versions affected by FG-IR-23-407.

Solution

All FortiOS versions lower than v7.4.2 (including all v7.2, v7.0, and v6.x) are affected. Details can be found in the link: IPsec dynamic assignation IP spoofing.

This vulnerability applies to an IPsec dial-up VPN with multiple spokes connected to a Hub. The workaround is to enable the 'net-device' option in the phase 1 settings of the Hub. By default, this option is disabled.

Behaviour of the net-device option:

  • When net-device is disabled, all dial-up tunnels from the spokes share the same VPN interface on the Hub. This is the default behaviour in a standard ADVPN configuration, so traffic from every spoke arrives on the Hub through the same interface.

  • When net-device is enabled, the Hub creates a dedicated sub-tunnel for each spoke. Traffic from a given spoke will exit through its corresponding sub-tunnel.

Note:

Enabling net-device in large environments (for example, with thousands of spokes) may cause performance degradation, as each spoke results in a separate sub-tunnel on the Hub. This is the performance concern highlighted in the PSIRT advisory.

For FortiOS versions affected by this vulnerability:

The purpose of enabling 'net-device' is to ensure that the source IP of each packet is validated against the IPsec selector of its specific sub-tunnel. If the option is disabled and all spokes share one tunnel interface on the Hub, a malicious spoke (for example, Spoke A) could spoof the source IP of another spoke (for example, Spoke B), and the Hub may incorrectly accept that traffic.

If the option is enabled on the Hub, each spoke gets its own sub-tunnel there, so a packet from Spoke A that uses a spoofed source IP is dropped because it does not match the phase 2 selector of Spoke A's sub-tunnel.

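As an added example (not part of the original article), this is the hub-side phase 1 configuration with the workaround applied; the phase 1 name "hub-dialup", the WAN interface "port1", the proposal and the pre-shared key are placeholders chosen for illustration, and the spoke-side configuration is unchanged:

```fortios
# Hub: dial-up phase 1 with net-device enabled (the workaround).
# "hub-dialup", "port1" and the PSK are placeholders, not values
# from the article or from any real deployment.
config vpn ipsec phase1-interface
    edit "hub-dialup"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        # Each connecting spoke gets its own sub-tunnel, so the Hub
        # checks the source IP against that spoke's phase 2 selector.
        set net-device enable
        set psksecret <PLACEHOLDER_PSK>
    next
end

# Verification after spokes connect: each spoke should be listed as
# its own sub-tunnel (for example hub-dialup_0, hub-dialup_1, ...)
# instead of all spokes appearing under the single parent interface.
diagnose vpn tunnel list
```

Leaving the line out (or `set net-device disable`, the default) puts every spoke back on the shared interface described above, which is the condition the advisory warns about on versions before v7.4.2.
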
This vulnerability has been patched in FortiOS v7.4.2 and later, so enabling the 'net-device' option is no longer necessary for security purposes on those versions.

Related documents:

IPsec dynamic assignation IP spoofing

Technical Tip: Understanding the net-device feature in FortiGate ADVPN Implementation