Virtual wire pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.

Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

Example

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.

Note

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port configured to allow admin access using your preferred protocol.

To add a virtual wire pair using the GUI:
  1. Go to Network > Interfaces.
  2. Click Create New > Virtual Wire Pair.
  3. Enter a name for the virtual wire pair.
  4. Select the Interface Members to add to the virtual wire pair (port3 and port 4).

    These interfaces cannot be part of a switch, such as the default LAN/internal interface.

  5. If required, enable Wildcard VLAN and set the VLAN Filter.
  6. Click OK.
To add a virtual wire pair using the CLI:
config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan disable
    next
end
To create a virtual wire pair policy using the GUI:
  1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy.
  2. Click Create New.
  3. In the Virtual Wire Pair field, click the + to add the virtual wire pair.
  4. Select the direction (arrows) that traffic is allowed to flow.