Allow multiple virtual wire pairs in a virtual wire pair policy
This enhancement allows users to create a virtual wire pair policy that includes different virtual wire pairs (VWPs). This reduces the overhead of creating multiple similar policies, one for each VWP. This feature is supported in NGFW profile mode and policy mode. In NGFW policy mode, multiple VWPs can be configured in a Security Virtual Wire Pair Policy and in a Virtual Wire Pair SSL Inspection & Authentication policy.
The VWP settings must have wildcard VLAN enabled. When configuring a policy in the CLI, the VWP members must be entered in srcintf and dstintf as pairs: the nth entry in srcintf and the nth entry in dstintf are the two members of the same VWP (see the CLI example below, where port19/port20 and wan1/wan2 are paired positionally).
On the Firewall Virtual Wire Pair Policy, Security Virtual Wire Pair Policy, and Virtual Wire Pair SSL Inspection & Authentication pages, there is a dropdown option to view policies with an individual VWP or all VWPs.
If All VWPs is selected, the Interface Pair View is disabled. The list displays all policies with an individual VWP or multiple VWPs.
If an individual VWP is selected, the Interface Pair View is disabled if at least one policy has other VWP members. The list displays all policies with the selected VWP (the policy may have members of other VWPs).
To configure multiple VWPs in a policy in the GUI:
- Configure the VWPs:
- Go to Network > Interfaces and click Create New > Virtual Wire Pair.
- Create a pair with the following settings:
  Name: test-vwp-1
  Interface members: wan1, wan2
  Wildcard VLAN: Enable
- Click OK.
- Click Create New > Virtual Wire Pair and create another pair with the following settings:
  Name: test-vwp-2
  Interface members: port19, port20
  Wildcard VLAN: Enable
- Click OK.
- Configure the policy:
- Go to Policy & Objects > Firewall Virtual Wire Pair Policy and click Create New.
- In the Virtual Wire Pair field, click the + to add test-vwp-1 and test-vwp-2. Arrow buttons appear below the entries to set the direction for each of the selected virtual wire pairs.
- Configure the other settings as needed.
- Click OK.
To configure multiple VWPs in a policy in the CLI:
- Configure the VWPs:
  config system virtual-wire-pair
      edit "test-vwp-1"
          set member "wan1" "wan2"
          set wildcard-vlan enable
      next
      edit "test-vwp-2"
          set member "port19" "port20"
          set wildcard-vlan enable
      next
  end
- Configure the policy:
  config firewall policy
      edit 1
          set name "vwp1&2-policy"
          set srcintf "port19" "wan1"
          set dstintf "port20" "wan2"
          set srcaddr "all"
          set dstaddr "all"
          set action accept
          set schedule "always"
          set service "ALL"
          set logtraffic all
      next
  end
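The two CLI rules above (members entered as positional srcintf/dstintf pairs, and wildcard VLAN enabled on every VWP in the policy) are easy to get wrong when a policy is edited by hand or generated by automation. The following Python check is an added example, not Fortinet code; it audits a policy definition against the configured VWPs, using constructed data that mirrors test-vwp-1, test-vwp-2 and policy 1 from this page.

```python
# Added example (not Fortinet's code): audit a firewall policy's srcintf/dstintf
# lists against the configured virtual wire pairs. The CLI requires that entry n
# of srcintf and entry n of dstintf be the two members of one VWP, and that each
# VWP used in a multi-VWP policy has wildcard-vlan enabled.
from dataclasses import dataclass


@dataclass
class VirtualWirePair:
    name: str
    members: tuple          # the two interface members, e.g. ("wan1", "wan2")
    wildcard_vlan: bool     # "set wildcard-vlan enable"


@dataclass
class VwpPolicy:
    name: str
    srcintf: list
    dstintf: list


def audit_vwp_policy(policy, vwps):
    """Return a list of problems; an empty list means the policy follows the VWP rules."""
    problems = []
    if len(policy.srcintf) != len(policy.dstintf):
        return ["srcintf and dstintf differ in length; members must be entered as pairs"]
    # Map each interface name back to the VWP it belongs to.
    by_member = {m: vwp for vwp in vwps for m in vwp.members}
    for src, dst in zip(policy.srcintf, policy.dstintf):
        vwp = by_member.get(src)
        if vwp is None or dst not in vwp.members or src == dst:
            problems.append(f"{src}/{dst} is not a member pair of any virtual wire pair")
            continue
        if not vwp.wildcard_vlan:
            problems.append(f"{vwp.name} needs wildcard-vlan enabled to be used in this policy")
    return problems


# Constructed data mirroring the page: two VWPs and the policy that references both.
VWPS = [
    VirtualWirePair("test-vwp-1", ("wan1", "wan2"), wildcard_vlan=True),
    VirtualWirePair("test-vwp-2", ("port19", "port20"), wildcard_vlan=True),
]
GOOD_POLICY = VwpPolicy("vwp1&2-policy", ["port19", "wan1"], ["port20", "wan2"])
# Same interfaces, but the dstintf order no longer lines up with srcintf.
BAD_POLICY = VwpPolicy("misordered", ["port19", "wan1"], ["wan2", "port20"])
# A VWP without wildcard VLAN cannot share a multi-VWP policy.
VWPS_NO_WILDCARD = [
    VirtualWirePair("test-vwp-1", ("wan1", "wan2"), wildcard_vlan=True),
    VirtualWirePair("test-vwp-2", ("port19", "port20"), wildcard_vlan=False),
]

if __name__ == "__main__":
    for pol, vwps in ((GOOD_POLICY, VWPS), (BAD_POLICY, VWPS), (GOOD_POLICY, VWPS_NO_WILDCARD)):
        print(pol.name, audit_vwp_policy(pol, vwps) or "OK")
```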