Fortinet black logo

Cookbook

Virtual Wire Pair

Copy Link
Copy Doc ID fed12558-14f5-11e9-b86b-00505692583a:166804
Download PDF

Virtual Wire Pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.

Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

Example

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.

Note

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port configured to allow admin access using your preferred protocol.

To add a virtual wire pair using the CLI:
config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan disable
    next
end
To add a virtual wire pair using the GUI:
  1. Go to Network > Interfaces.
  2. Click Create New > Virtual Wire Pair.
  3. Select the Interface Members to add to the virtual wire pair.

    These interfaces cannot be part of a switch, such as the default LAN/internal interface.

  4. If required, enable Wildcard VLAN and set the VLAN Filter..
  5. Click OK.
To create a virtual wire pair policy using the CLI:
config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
    next
end
To create a virtual wire pair policy using the GUI:
  1. Go to Policy & Objects > IPv4 Virtual Wire Pair Policy.
  2. Click Create New.
  3. Select the direction that traffic is allowed to flow.
  4. Configure the other fields.
  5. Click OK.

Virtual Wire Pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.

Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

Example

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.

Note

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port configured to allow admin access using your preferred protocol.

To add a virtual wire pair using the CLI:
config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan disable
    next
end
To add a virtual wire pair using the GUI:
  1. Go to Network > Interfaces.
  2. Click Create New > Virtual Wire Pair.
  3. Select the Interface Members to add to the virtual wire pair.

    These interfaces cannot be part of a switch, such as the default LAN/internal interface.

  4. If required, enable Wildcard VLAN and set the VLAN Filter..
  5. Click OK.
To create a virtual wire pair policy using the CLI:
config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
    next
end
To create a virtual wire pair policy using the GUI:
  1. Go to Policy & Objects > IPv4 Virtual Wire Pair Policy.
  2. Click Create New.
  3. Select the direction that traffic is allowed to flow.
  4. Configure the other fields.
  5. Click OK.