Fortinet white logo
Fortinet white logo

Administration Guide

Virtual wire pair

Virtual wire pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.

Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

Note

When creating a new virtual wire pair, the Interface members field displays interfaces without assigned addresses. Interfaces with assigned addresses are not displayed.

Therefore, you cannot add to a virtual wire pair an interface with Addressing mode set to DHCP. If you change the interface settings to Manual with IP/Netmask set to 0.0.0.0/0.0.0.0, you can add the interface to a virtual wire pair.

Example

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.

Note

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port configured to allow admin access using your preferred protocol.

To add a virtual wire pair using the GUI:
  1. Go to Network > Interfaces.

  2. Click Create New > Virtual Wire Pair.

  3. Enter a name for the virtual wire pair.

  4. Select the Interface Members to add to the virtual wire pair (port3 and port 4).

    These interfaces cannot be part of a switch, such as the default LAN/internal interface.

  5. If required, enable Wildcard VLAN and set the VLAN Filter.

  6. Click OK.

To add a virtual wire pair using the CLI:
config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan disable
    next
end
To create a virtual wire pair policy using the GUI:
  1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy.

  2. Click Create New.

  3. In the Virtual Wire Pair field, click the + to add the virtual wire pair.

  4. Select the direction (arrows) that traffic is allowed to flow.

  5. Configure the other settings as needed.

  6. Click OK.

To create a virtual wire pair policy using the CLI:
config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
    next
end

Configuring multiple virtual wire pairs in a virtual wire pair policy

You can create a virtual wire pair policy that includes different virtual wire pairs in NGFW profile and policy mode. This reduces overhead to create multiple similar policies for each VWP. In NGFW policy mode, multiple virtual wire pairs can be configured in a Security Virtual Wire Pair Policy and Virtual Wire Pair SSL Inspection & Authentication policy.

The virtual wire pair settings must have wildcard VLAN enabled. When configuring a policy in the CLI, the virtual wire pair members must be entered in srcintf and dstintf as pairs.

To configure multiple virtual wire pairs in a policy in the GUI:
  1. Configure the virtual wire pairs:

    1. Go to Network > Interfaces and click Create New > Virtual Wire Pair.

    2. Create a pair with the following settings:

      Name

      test-vwp-1

      Interface members

      wan1, wan2

      Wildcard VLAN

      Enable

    3. Click OK.

    4. Click Create New > Virtual Wire Pair and create another pair with the following settings:

      Name

      test-vwp-2

      Interface members

      port19, port20

      Wildcard VLAN

      Enable

    5. Click OK.

  2. Configure the policy:

    1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy and click Create New.

    2. In the Virtual Wire Pair field, click the + to add test-vwp-1 and test-vwp-2. Select the direction for each of the selected virtual wire pairs.

    3. Configure the other settings as needed.

    4. Click OK.

To configure multiple virtual wire pairs in a policy in the CLI:
  1. Configure the virtual wire pairs:

    config system virtual-wire-pair
        edit "test-vwp-1"
            set member "wan1" "wan2"
            set wildcard-vlan enable
        next
        edit "test-vwp-2"
            set member "port19" "port20"
            set wildcard-vlan enable
        next
    end
  2. Configure the policy:

    config firewall policy
        edit 1
            set name "vwp1&2-policy"
            set srcintf "port19" "wan1"
            set dstintf "port20" "wan2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end

Virtual wire pair

Virtual wire pair

A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair. Redundant and 802.3ad aggregate (LACP) interfaces can be included in a virtual wire pair.

Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.

Note

When creating a new virtual wire pair, the Interface members field displays interfaces without assigned addresses. Interfaces with assigned addresses are not displayed.

Therefore, you cannot add to a virtual wire pair an interface with Addressing mode set to DHCP. If you change the interface settings to Manual with IP/Netmask set to 0.0.0.0/0.0.0.0, you can add the interface to a virtual wire pair.

Example

In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.

Note

Interfaces used in a virtual wire pair cannot be used to access the ISFW FortiGate. Before creating a virtual wire pair, make sure you have a different port configured to allow admin access using your preferred protocol.

To add a virtual wire pair using the GUI:
  1. Go to Network > Interfaces.

  2. Click Create New > Virtual Wire Pair.

  3. Enter a name for the virtual wire pair.

  4. Select the Interface Members to add to the virtual wire pair (port3 and port 4).

    These interfaces cannot be part of a switch, such as the default LAN/internal interface.

  5. If required, enable Wildcard VLAN and set the VLAN Filter.

  6. Click OK.

To add a virtual wire pair using the CLI:
config system virtual-wire-pair
    edit "VWP-name"
        set member "port3" "port4"
        set wildcard-vlan disable
    next
end
To create a virtual wire pair policy using the GUI:
  1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy.

  2. Click Create New.

  3. In the Virtual Wire Pair field, click the + to add the virtual wire pair.

  4. Select the direction (arrows) that traffic is allowed to flow.

  5. Configure the other settings as needed.

  6. Click OK.

To create a virtual wire pair policy using the CLI:
config firewall policy
    edit 1
        set name "VWP-Policy"
        set srcintf "port3" "port4"
        set dstintf "port3" "port4"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set fsso disable
    next
end

Configuring multiple virtual wire pairs in a virtual wire pair policy

You can create a virtual wire pair policy that includes different virtual wire pairs in NGFW profile and policy mode. This reduces overhead to create multiple similar policies for each VWP. In NGFW policy mode, multiple virtual wire pairs can be configured in a Security Virtual Wire Pair Policy and Virtual Wire Pair SSL Inspection & Authentication policy.

The virtual wire pair settings must have wildcard VLAN enabled. When configuring a policy in the CLI, the virtual wire pair members must be entered in srcintf and dstintf as pairs.

To configure multiple virtual wire pairs in a policy in the GUI:
  1. Configure the virtual wire pairs:

    1. Go to Network > Interfaces and click Create New > Virtual Wire Pair.

    2. Create a pair with the following settings:

      Name

      test-vwp-1

      Interface members

      wan1, wan2

      Wildcard VLAN

      Enable

    3. Click OK.

    4. Click Create New > Virtual Wire Pair and create another pair with the following settings:

      Name

      test-vwp-2

      Interface members

      port19, port20

      Wildcard VLAN

      Enable

    5. Click OK.

  2. Configure the policy:

    1. Go to Policy & Objects > Firewall Virtual Wire Pair Policy and click Create New.

    2. In the Virtual Wire Pair field, click the + to add test-vwp-1 and test-vwp-2. Select the direction for each of the selected virtual wire pairs.

    3. Configure the other settings as needed.

    4. Click OK.

To configure multiple virtual wire pairs in a policy in the CLI:
  1. Configure the virtual wire pairs:

    config system virtual-wire-pair
        edit "test-vwp-1"
            set member "wan1" "wan2"
            set wildcard-vlan enable
        next
        edit "test-vwp-2"
            set member "port19" "port20"
            set wildcard-vlan enable
        next
    end
  2. Configure the policy:

    config firewall policy
        edit 1
            set name "vwp1&2-policy"
            set srcintf "port19" "wan1"
            set dstintf "port20" "wan2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
        next
    end