
New Features

Allow multiple virtual wire pairs in a virtual wire pair policy


This enhancement allows users to create a single virtual wire pair policy that includes several different virtual wire pairs (VWPs). This reduces the overhead of creating multiple similar policies, one for each VWP. This feature is supported in NGFW profile and policy mode. In NGFW policy mode, multiple VWPs can be configured in a Security Virtual Wire Pair Policy and in a Virtual Wire Pair SSL Inspection & Authentication policy.

The VWP settings must have wildcard VLAN enabled. When configuring a policy in the CLI, the members of each VWP must be entered in srcintf and dstintf as pairs.

On the Firewall Virtual Wire Pair Policy, Security Virtual Wire Pair Policy, and Virtual Wire Pair SSL Inspection & Authentication pages, there is a dropdown option to view policies with an individual VWP or all VWPs.

If All VWPs is selected, the Interface Pair View is disabled. The list displays all policies with an individual VWP or multiple VWPs.

If an individual VWP is selected, the Interface Pair View is disabled if at least one policy has other VWP members. The list displays all policies with the selected VWP (the policy may have members of other VWPs).

To configure multiple VWPs in a policy in the GUI:
  1. Configure the VWPs:
    1. Go to Network > Interfaces and click Create New > Virtual Wire Pair.
    2. Create a pair with the following settings:

      Name                test-vwp-1
      Interface members   wan1, wan2
      Wildcard VLAN       Enable

    3. Click OK.
    4. Click Create New > Virtual Wire Pair and create another pair with the following settings:

      Name                test-vwp-2
      Interface members   port19, port20
      Wildcard VLAN       Enable

    5. Click OK.
  2. Configure the policy:
    1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy and click Create New.
    2. In the Virtual Wire Pair field, click the + to add test-vwp-1 and test-vwp-2. Arrow buttons appear below the entries to set the direction for each of the selected virtual wire pairs.

    3. Configure the other settings as needed.
    4. Click OK.
To configure multiple VWPs in a policy in the CLI:
  1. Configure the VWPs:
    config system virtual-wire-pair
        edit "test-vwp-1"
            set member "wan1" "wan2"
            set wildcard-vlan enable
        next
        edit "test-vwp-2"
            set member "port19" "port20"
            set wildcard-vlan enable
        next
    end
  2. Configure the policy:
    config firewall policy
        edit 1
            set name "vwp1&2-policy"
            set srcintf "port19" "wan1"
            set dstintf "port20" "wan2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end
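
The two CLI requirements above (wildcard VLAN enabled on the VWPs, and VWP members entered in srcintf and dstintf as pairs) can be checked offline against a configuration export before a policy change is approved. The following Python sketch is an added example, not Fortinet code. It assumes that "as pairs" means that whenever one member of a VWP appears on one side of a policy, the other member appears on the opposite side, and it reads only flat config/edit/set blocks.

```python
import shlex

SAMPLE = '''
config system virtual-wire-pair
    edit "test-vwp-1"
        set member "wan1" "wan2"
        set wildcard-vlan enable
    next
    edit "test-vwp-2"
        set member "port19" "port20"
        set wildcard-vlan enable
    next
end
config firewall policy
    edit 1
        set srcintf "port19" "wan1"
        set dstintf "port20" "wan2"
    next
    edit 2
        set srcintf "port19" "wan1"
        set dstintf "wan2"
    next
end
'''  # constructed sample: the page's VWPs and policy 1, plus a mis-paired policy 2

def audit(text):
    """Return (policy id, problem) pairs; flat config/edit/set syntax only."""
    tables, table, entry = {}, None, None
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["config"]:
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[:1] == ["edit"]:
            entry = table.setdefault(tok[1], {})
        elif tok[:1] == ["set"]:
            entry[tok[1]] = tok[2:]
    vwps = tables.get("system virtual-wire-pair", {})
    peer = {m: (o, n) for n, c in vwps.items()
            for m, o in (c["member"], c["member"][::-1])}  # iface -> (peer, VWP)
    findings = []
    for pid, pol in tables.get("firewall policy", {}).items():
        src, dst = pol.get("srcintf", []), pol.get("dstintf", [])
        for side, other, label in ((src, dst, "dstintf"), (dst, src, "srcintf")):
            findings += [(pid, f"{peer[i][0]} missing from {label}")
                         for i in side if i in peer and peer[i][0] not in other]
        used = sorted({peer[i][1] for i in src + dst if i in peer})
        if len(used) > 1:  # the page requires wildcard VLAN for multi-VWP policies
            findings += [(pid, f"{v}: wildcard-vlan not enabled")
                         for v in used if vwps[v].get("wildcard-vlan") != ["enable"]]
    return findings
```

Calling `audit(SAMPLE)` reports only policy 2, whose srcintf includes port19 without port20 in dstintf; policy 1, taken from the CLI steps above, passes.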
