CLI Reference

system virtual-wire-pair

Use this command to create virtual wire pairs in NAT mode or Transparent mode. When two physical interfaces are set up as a virtual wire pair, they have no IP addressing and are treated similarly to a transparent mode VDOM. All packets accepted by one of the interfaces in a virtual wire pair can only exit the FortiGate through the other interface in the virtual wire pair, and only if allowed by a virtual wire pair firewall policy. Packets arriving on other interfaces cannot be routed to the interfaces in a virtual wire pair. A FortiGate can have multiple virtual wire pairs.

You cannot add VLANs to virtual wire pairs. However, you can enable wildcard VLANs for a virtual wire pair. This means that all VLAN-tagged traffic can pass through the virtual wire pair if allowed by virtual wire pair firewall policies.

History

The following table shows all newly added, changed, or removed entries as of FortiOS 6.0.

Command Description

set vlan-filter <vlan-ranges>

Set VLAN filters if you don't want a virtual wire pair policy to allow all VLAN traffic. VLAN filters allow only the VLANs in the filter and drop traffic with other VLAN tags. VLAN filters don't affect traffic that isn't VLAN-tagged. Enter the filter ranges in the following example format: 1-10,20,30-40.

You can also add a VLAN filter to a virtual wire pair firewall policy to apply more specific VLAN filtering only to the traffic that the policy accepts (see vlan-filter under config firewall policy for more information).

Note that this entry is only available when wildcard-vlan is set to enable.

config system virtual-wire-pair
    edit {name}
    # Configure virtual wire pairs.
        set name {string}   Virtual-wire-pair name. Must be a unique interface name. size[11]
        config member
            edit {interface-name}
            # Interfaces belong to the virtual-wire-pair.
                set interface-name {string}   Interface name. size[64] - datasource(s): system.interface.name
            next
        end
        set wildcard-vlan {enable | disable}   Enable/disable wildcard VLAN.
        set vlan-filter {string}   Set VLAN filters.
    next
end
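
The following Python helper is an added example, not Fortinet code. It parses a vlan-filter string in the format described above, applies the stated rule that untagged traffic is not affected, and lists virtual wire pairs that enable wildcard-vlan without any vlan-filter. The function names, the 1-4094 VLAN ID range check, the treatment of an unset wildcard-vlan as disabled, and the sample configuration are assumptions made for illustration.

```python
def parse_vlan_filter(spec):
    """Parse a vlan-filter string such as "1-10,20,30-40" into (low, high) pairs."""
    ranges = []
    for part in spec.split(","):
        low, sep, high = part.strip().partition("-")
        high = high if sep else low
        # Assumption: only the usable 802.1Q VLAN IDs 1-4094 are valid here.
        if not (low.isdigit() and high.isdigit() and 1 <= int(low) <= int(high) <= 4094):
            raise ValueError(f"invalid vlan-filter element: {part!r}")
        ranges.append((int(low), int(high)))
    return ranges

def frame_passes(vlan_id, spec):
    """vlan_id is None for an untagged frame, which the filter does not affect."""
    if vlan_id is None:
        return True
    return any(low <= vlan_id <= high for low, high in parse_vlan_filter(spec))

def unfiltered_wildcard_pairs(section):
    """Names of pairs that enable wildcard-vlan but set no vlan-filter."""
    found, depth, pair = [], 0, None
    for tok in (line.split() for line in section.splitlines() if line.strip()):
        if tok[0] == "config":
            depth += 1
        elif tok[0] == "end":
            depth -= 1
        elif depth != 1:
            continue  # ignore nested tables such as "config member"
        elif tok[0] == "edit":
            # Assumption: a pair that never sets wildcard-vlan has it disabled.
            pair = {"name": tok[1].strip('"'), "wildcard-vlan": "disable", "vlan-filter": ""}
        elif tok[0] == "set" and pair and tok[1] in pair:
            pair[tok[1]] = tok[2].strip('"')
        elif tok[0] == "next" and pair:
            if pair["wildcard-vlan"] == "enable" and not pair["vlan-filter"]:
                found.append(pair["name"])
            pair = None
    return found

# Constructed sample section, not taken from a real device.
SAMPLE = '''config system virtual-wire-pair
    edit "vwp-dmz"
        set wildcard-vlan enable
        set vlan-filter "1-10,20,30-40"
    next
    edit "vwp-lab"
        set wildcard-vlan enable
    next
end'''
```

On the sample, only vwp-lab is reported, because its policies alone decide which VLAN tags cross the pair.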
