Handbook 6.0.0

Virtual wire pairs

A virtual wire pair logically binds two physical interfaces on a FortiGate together, usually an internal and an external interface. All traffic that one interface in the pair accepts can exit the FortiGate only through the other interface in the pair, and only if a virtual wire pair firewall policy allows it. Traffic that arrives on other interfaces can't be routed to interfaces in a virtual wire pair.

The interfaces in a virtual wire pair don’t have IP addresses, which means you can configure a virtual wire pair in your network without making any network changes. You can create more than one virtual wire pair on a FortiGate.

You can configure virtual wire pairs on a FortiGate that's running in either transparent or NAT mode. A virtual wire pair supports transparent mode between two interfaces without requiring you to change the FortiGate from NAT mode to transparent mode.

If a physical interface is used by an EMAC VLAN interface, you can’t use it in a virtual wire pair.

To configure a virtual wire pair - GUI:

Interfaces that you use for administrative access can’t be used in a virtual wire pair. If you want to use an interface that you use for administrative access in a virtual wire pair, make sure you configure a different interface to allow administrative access before you create the virtual wire pair.

If the interfaces you want to use in a virtual wire pair are part of a switch, such as the default lan interface, you need to remove them from the switch before they can be added to the virtual wire pair.

A virtual wire pair can include redundant and 802.3ad aggregate (LACP) interfaces.

  1. Go to Network > Interfaces and select Create New > Virtual Wire Pair.
  2. In the Name field, type a name for the virtual wire pair.
  3. In the Interface Members field, select the interfaces that you want to add to the virtual wire pair.
  4. If you want to enable wildcard VLANs for the virtual wire pair, enable Wildcard VLAN.
  5. Select OK.

To configure a virtual wire pair policy - GUI:

  1. Go to Policy & Objects > IPv4 Virtual Wire Pair Policy.
  2. Select a virtual wire pair in the upper right-hand corner of the screen, and select Create New.
  3. In the Name field, type a name for the virtual wire pair policy.
  4. In the Virtual Wire Pair field, select the direction that traffic is allowed to flow.
  5. Configure other firewall options, as needed.
  6. Select OK.
  7. If necessary, create a second virtual wire pair policy to allow traffic to flow in the opposite direction.

Traffic can now flow through the FortiGate using the virtual wire pair. You can go to FortiView > Policies to see traffic flowing through both policies.

The IPv4 Virtual Wire Pair Policy menu item in the GUI appears only when you have created at least one virtual wire pair.

Wildcard VLANs for virtual wire pairs

Although you can’t add virtual local area networks (VLANs) to virtual wire pairs, you can enable wildcard VLANs for a virtual wire pair. Doing this allows all VLAN-tagged traffic to pass through a virtual wire pair if a virtual wire pair firewall policy allows the traffic.

To enable wildcard VLANs for a virtual wire pair, enable the Wildcard VLAN option when you create a virtual wire pair.

VLAN filters for virtual wire pairs

After you enable wildcard VLANs, if you don't want a virtual wire pair policy to allow all VLAN traffic, you can specify VLAN filters. A VLAN filter allows only the VLANs in the filter and drops traffic with other VLAN tags. VLAN filters don't affect traffic that isn't VLAN-tagged. You configure VLAN filters using the CLI.

You can add a VLAN filter to a virtual wire pair to apply the filter to all traffic that the virtual wire pair accepts. You can also add a VLAN filter to a virtual wire pair firewall policy to apply more specific VLAN filtering only to the traffic that the policy accepts.

To configure VLAN filters for wildcard VLANs - CLI:

    config system virtual-wire-pair
        edit <vwp-name>
            set member <vwp-interface1-name> <vwp-interface2-name>
            set wildcard-vlan enable
            set vlan-filter <VLAN-range-list>
        next
    end

    config firewall policy
        edit <policy-ID>
            set vlan-filter <VLAN-range-list>
        next
    end

The vlan-filter option is only available for policies on virtual wire pairs that have the wildcard VLAN option enabled.
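A worked configuration, added here as an example and not taken from the Fortinet handbook, that carries out the pair and policy procedure above from the CLI: it creates the virtual wire pair with a pair-level VLAN filter, then one policy per direction, with a narrower policy-level filter on the inbound policy. The pair name, member ports, policy IDs, policy names, services and VLAN ranges are constructed values; the srcintf, dstintf, srcaddr, dstaddr, action, schedule, service and logtraffic settings are standard FortiOS firewall policy options that this page does not show.

```fortios
# Constructed example: port3 faces the internal switch, port4 the upstream router.
config system virtual-wire-pair
    edit "vwp-dmz"
        set member "port3" "port4"
        set wildcard-vlan enable
        # Pair-level filter: only tags 100-110 are accepted on either member;
        # untagged frames are unaffected by the filter.
        set vlan-filter "100-110"
    next
end

config firewall policy
    # Direction port3 -> port4, restricted to the services actually needed.
    edit 10
        set name "vwp-dmz-in"
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
        # Policy-level filter narrows the pair filter further for this direction only.
        set vlan-filter "100-105"
        set logtraffic all
    next
    # Direction port4 -> port3 (step 7 of the GUI procedure): sessions that
    # start on port4 need their own policy, otherwise the default deny drops them.
    edit 11
        set name "vwp-dmz-out"
        set srcintf "port4"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

With this configuration, a frame entering port3 with tag 108 passes the pair filter but is dropped by policy 10's filter, while a frame with tag 300 is dropped by the pair filter on either member. Logging both policies lets you confirm in FortiView > Policies that only the intended VLANs are crossing the pair.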
