Handbook

Virtual wire pair

6.0.0

A virtual wire pair consists of two interfaces that have no IP addresses. All traffic received by one interface in the pair can only be forwarded out the other, as controlled by firewall policies. Since the interfaces do not have IP addresses, you can insert a virtual wire pair into a network without having to make any changes to the network. A virtual wire pair can include redundant and 802.3ad aggregate (LACP) interfaces.

Note: Interfaces used in a virtual wire pair cannot be used for admin access to the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port configured to allow admin access using your preferred protocol.

  1. Go to Network > Interfaces and select Create New > Virtual Wire Pair. Add two ports to the virtual wire pair. These ports cannot be part of a switch, such as the default internal/lan interface.
  2. Go to Policy & Objects > IPv4 Virtual Wire Pair Policy and create a policy that allows traffic to flow between the two ports. Give the policy an appropriate Name. Select the direction that traffic is allowed to flow. Configure the other firewall options as needed.
  3. If necessary, create a second virtual wire pair policy allowing traffic to flow between the ports in the opposite direction.

Traffic can now flow between the two ports. Go to FortiView > All Segments > Policies to see traffic flowing through both policies.
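The following audit script is an added example, not part of the Fortinet handbook: it reads a configuration backup and reports, for each virtual wire pair, which direction still has no accept policy and which non-member ports remain available for admin access. The sample configuration is constructed, and its FortiOS CLI table and key names, port names and policy id are assumptions that do not appear on this page.

```python
import shlex

# Constructed sample in FortiOS CLI style (assumed syntax); names and ids are made up.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        set allowaccess https ssh
    next
end
config system virtual-wire-pair
    edit "vwp1"
        set member "port3" "port4"
    next
end
config firewall policy
    edit 1
        set srcintf "port3"
        set dstintf "port4"
        set action accept
    next
end
"""

def parse_tables(text):
    """Parse flat config/edit/set blocks into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for words in filter(None, map(shlex.split, text.splitlines())):
        if words[0] == "config":
            table = tables.setdefault(" ".join(words[1:]), {})
        elif words[0] == "edit" and table is not None:
            entry = table.setdefault(words[1], {})
        elif words[0] == "set" and entry is not None:
            entry[words[1]] = words[2:]
        elif words[0] in ("next", "end"):
            entry = None
    return tables

def audit_wire_pairs(text):
    """Per pair: directions lacking an accept policy, and ports usable for admin access."""
    t = parse_tables(text)
    # A policy with no explicit "set action accept" is not counted as allowing traffic.
    allowed = {(s, d) for p in t.get("firewall policy", {}).values()
               if p.get("action") == ["accept"]
               for s in p.get("srcintf", []) for d in p.get("dstintf", [])}
    report = {}
    for name, pair in t.get("system virtual-wire-pair", {}).items():
        a, b = pair["member"]
        report[name] = {
            "no_policy": [f"{s}->{d}" for s, d in ((a, b), (b, a)) if (s, d) not in allowed],
            "admin_ports": sorted(i for i, c in t.get("system interface", {}).items()
                                  if c.get("allowaccess") and i not in (a, b)),
        }
    return report
```

An empty `admin_ports` list means no port outside the pair allows admin access, and a non-empty `no_policy` list names the direction that step 3 would cover.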
