Virtual Wire Pair
A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.
Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.
Example
In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.
Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port configured to allow admin access using your preferred protocol. |
To add a virtual wire pair using the CLI:
config system virtual-wire-pair edit "VWP-name" set member "port3" "port4" set wildcard-vlan disable next end
To add a virtual wire pair using the GUI:
- Go to Network > Interfaces.
- Click Create New > Virtual Wire Pair.
- Select the Interface Members to add to the virtual wire pair.
These interfaces cannot be part of a switch, such as the default LAN/internal interface.
- If required, enable Wildcard VLAN and set the VLAN Filter.
- Click OK.
To create a virtual wire pair policy using the CLI:
config firewall policy edit 1 set name "VWP-Policy" set srcintf "port3" "port4" set dstintf "port3" "port4" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set utm-status enable set fsso disable next end
To create a virtual wire pair policy using the GUI:
- Go to Policy & Objects > Firewall Virtual Wire Pair Policy.
- Click Create New.
- Select the direction that traffic is allowed to flow.
- Configure the other fields.
- Click OK.