Virtual Wire Pair
A virtual wire pair consists of two interfaces that do not have IP addressing and are treated like a transparent mode VDOM. All traffic received by one interface in the virtual wire pair can only be forwarded to the other interface, provided a virtual wire pair firewall policy allows this traffic. Traffic from other interfaces cannot be routed to the interfaces in a virtual wire pair.
Virtual wire pairs are useful for a typical topology where MAC addresses do not behave normally. For example, port pairing can be used in a Direct Server Return (DSR) topology where the response MAC address pair may not match the request’s MAC address pair.
In this example, a virtual wire pair (port3 and port4) makes it easier to protect a web server that is behind a FortiGate operating as an Internal Segmentation Firewall (ISFW). Users on the internal network access the web server through the ISFW over the virtual wire pair.
To add a virtual wire pair using the GUI:
- Go to Network > Interfaces.
- Click Create New > Virtual Wire Pair.
- Select the Interface Members to add to the virtual wire pair.
These interfaces cannot be part of a switch, such as the default LAN/internal interface.
- If desired, enable Wildcard VLAN.
To add a virtual wire pair using the CLI:
config system virtual-wire-pair edit “VWP-name”
set member “port3” “port4” set wildcard-vlan enable/disable
To create a virtual wire pair policy using the GUI:
- Go to Policy & Objects > IPv4 Virtual Wire PairPolicy.
- Click Create New.
- Select the direction that traffic is allowed to flow.
- Configure the other fields.
- Click OK.
To create a virtual wire pair policy using the CLI:
config firewall policy edit 1 set name “VWP-Policy” set srcintf “port3” “port4” set dstintf “port3” “port4” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL” set utm-status enable set fsso disable
Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU